China accused of launching ‘cyber war’ over contested islands

China, in pursuit of its territorial claims in the resource-rich South China Sea, is resorting to low-level cyber warfare against the Philippines and Vietnam — the two nations who recently won an international legal case against the Communist government.

Reports in local media and by regional cybersecurity companies have attributed a rash of cyber vandalism attacks in the past two weeks to a Chinese hacktivist group calling itself 1937cn — an apparent reference to the Japanese invasion of China that year.

In the highest profile attack at the end of July, hackers took over the website of Vietnam’s national airline and the display screens in the country’s two largest airports and displayed pro-Chinese, anti-Vietnam and anti-Philippine messages.

Websites in the Philippines were also attacked, with local security companies saying the hacks were part of a long-running campaign aimed at the computer networks of government agencies and critical infrastructure owners and operators.


Vietnamese sources have blamed China and linked the attacks to last month’s ruling by the Permanent Court of Arbitration in The Hague, which denied Beijing’s extensive territorial claims in the South China Seas. About $5 trillion worth of shipping trade passes each year through the seas’ waters — which abut China, Malaysia, the Philippines, Taiwan and Vietnam, and are believed to house huge fish stocks as well as vast deposits of undersea oil and gas.

The self-described leader of 1937cn told Chinese state media the group is a patriotic non-government organization, but didn’t entirely deny responsibility.

Security experts and former officials in the region say the plausible deniability of using patriotic hacktivists as a cut-out for government-inspired or -directed online attacks is straight out of China’s cyber playbook.

“China’s strategic cyber doctrine is the basis of the current [cyber] operations against Vietnam and the Philippines,” wrote S. D. Pradhan, the former chairman of Delhi’s Joint Intelligence Committee, in a Times of India op-ed.

In Russian doctrine, security analysts have identified cyberwarfare as part of a “hybrid warfare” strategy, in which information operations and deniable military forces (the “little green men” of Ukraine fame) are fused to leverage Russian strategic might and advance national goals.


But in China’s military thinking, Pradhan states, cyber-operations are aimed at deterrence and are also seen as potentially part of “no contact warfare” — “winning war without casualties,” and projecting power over great distances “to achieve a quick decisive victory by disrupting, denying and destroying the enemy’s war waging potential and its command and control systems through remote delivery of destructive kinetic energy and effective cyber operations.”

In China’s concept of “‘integrated strategic deterrence,’ cyber operations have the central role,” he noted, adding, “Deterrence is achieved by projecting its capabilities for infiltration of critical infrastructure of adversaries,” such as the computer networks at a major airport.

By successfully attacking the national airline’s website and airport announcement systems, Pradhan added, “China has conveyed her capabilities to infiltrate into [an] adversary’s … most critical and secured infrastructure.”

Underlining the seriousness of the threat represented by the airports hack, Vietnamese banks also briefly suspended online banking and payment services in its wake, as a precautionary measure until the extent of the attack was clear, one bank executive told TalkVietnam.

“This is an appropriate move as we haven’t fully assessed the effects of the cyber attacks,” said the executive.


Later, local security firm Bkav told the official Vietnam News Agency that the malware used in the attack was a keylogger and remote access trojan, which disguised itself as an anti-virus program.

An executive from the firm, Ngo Tuan Anh, said the malware had been active on the networks of government agencies, business groups, banks, and universities since 2012, underlining the importance of battle-space preparation in the cyber world.

Written by Shaun Waterman
