Respected cybersecurity platform ThreatConnect Intelligence reported this week that Chinese APT [Advanced Persistent Threat] actors had exploited a recently exposed Adobe Flash security flaw in pages of the PCA website concerning "a noteworthy international legal case between the Philippines and China.”

ThreatConnect says the action has exposed “an untold number of interested parties that visited the webpages to potential exploitation”, including the governments of Southeast Asian nations that will be affected by the outcome of the dispute.

Law firms and media organisations that have accessed the pages using computers installed with Windows and Adobe Flash may also have been affected, with the hackers now able to access their networks remotely.

The arbitration taking place at the PCA concerns China's aggressive expansion in the South China Sea, including in the Philippines' exclusive economic zone. Manila is contesting its claims to maritime territory in reliance on the UN Convention of the Law of the Sea.

China has declined to participate in the arbitration, arguing that the tribunal lacks jurisdiction and that the Philippines has committed to resolving any such dispute through diplomacy and intergovernmental talks.

A hearing on jurisdiction and admissibility took place in the Great Hall of Justice of the Peace Palace in The Hague, where the PCA is based, from 7 to 13 July. While not open to the public, the hearing was observed by representatives of Asian governments that have an interest in the case, including Indonesia, Japan, Malaysia, Thailand and Vietnam. The plan is to release transcripts of proceedings in due course.

ThreatConnect says it identified the cybersecurity breach on the third day of the hearing, 9 July, just 72 hours after the Abobe Flash security flaw was exposed. The hackers are understood to have created a malicious URL, which visitors to the PCA webpages unknowingly loaded.

The blog's attempts to trace the location of the hackers, described in detail in its report, have led to domains in Phoenix, Seoul and the Dutch city of Haarlem and to falsified addresses in Beijing and the Taiwanese city of Xiamen.

The PCA website has been down for most of this week, with an automated message assuring users that the institution was working to restore service following "technical difficulties". The site started working again today.

“When considered holistically, the intelligence supports the conclusion that this exploitation was purposefully carried out against the backdrop of diplomatic and legal manoeuvring,” says ThreatConnect.

“Despite Beijing’s unwillingness to participate in the international arbitration and their rejection of the PCA’s jurisdiction, there appears to be a distinct effort to surreptitiously target those who are interested in this landmark international legal case via electronic means.”

“[The] exploitation was almost certainly not a random compromise of the PCA website," the blog adds, noting its embedding within the very pages that describe the Philippines v China dispute and its timing during the first hearing of the case.

In an article published by The American Lawyer today, Michael Goldhaber explains that the hacking strategy used is known as a "watering hole attack" because the hackers' end goal is to target "the creatures who are predictably drawn to sip at the watering hole" (in other words, users of the website).

He quotes ThreatConnect chief intelligence officer Rich Barger stating that the malware employed in the attack is the hallmark of a specific APT group that focuses on the South China Sea region. Barger notes the sophistication and resources of such groups and advises international organisations like the PCA to increase vigilance and awareness during "polarising and noteworthy international cases".

Goldhaber also quotes the chief privacy officer of FireEye Incorporated, Shane McGee, who is the author of a report on Chinese cyber-warfare.

McGee says that many APT hackers "are either wearing Chinese uniforms or supported by people wearing Chinese uniforms" and broadly support the state's interests. In the past, they have successfully hacked the websites of US and international organisations.

GAR has contacted the PCA’s deputy secretary general Brooks Daly for comment but has yet to receive a response. Lead counsel to the Philippines, Paul Reichler of Foley Hoag in Washington, DC, said last night that he was unaware of the cybersecurity breach and that his own law firm had suffered no problems.

The news of the hacking comes at a time of concern about the vulnerability of Adobe Flash, which has been blocked as standard by the latest version of the Mozilla Firefox browser, with Facebook indicating plans to do the same.

It also comes a time when many law firms are taking steps to improve their cybersecurity. In March, it emerged that a number of firms, including Debevoise & Plimpton, Allen & Overy and Linklaters, have formed a "cybersecurity alliance" that will share information about threats.

International Bar Association president David W Rivkin, who is a partner at Debevoise, has also revealed plans for a new task force on attacks on the legal profession that will address cybersecurity breaches affecting client privilege and privacy among other issues.

Past breaches that GAR has covered include the hacking in March of the government of Kazakhstan's computer network, which led to privileged and confidential email exchanges with the law firm Curtis Mallet-Prevost Colt & Mosle, its adviser in several international disputes, being published online. Kazakhstan secured an ex parte injunction against the unknown hackers at the US District Court of the Southern District of New York, arguing that the breach had caused "irreparable harm" to its interests.

Australia has also been accused of interfering with privileged communications between East Timor and its legal advisers relating to an International Court of Justice case over oil and gas reserves in the Timor Sea.

GAR has further learnt that counsel in a recent Russia-related arbitration received emails from purported legal journalists with attachments containing Trojan downloaders. If the attachments were opened, the downloaders would have enabled hackers to access their computer network and listen to conversations held within earshot of their computers.

Cybersecurity specialists retained by the lawyers created a dummy computer network uploaded with false and innocuous information about the arbitration that was used to open the attachments. Via read receipts, they were then able to monitor the accessing of data by hackers in Israel, the Netherlands and Russia.

That's not all....

The smooth-running of the Permanent Court of Arbitration has not just been subject to remote, external threats. It emerged today that Croatia is threatening to withdraw from a PCA-administered arbitration with Slovenia, after leaked wiretaps purportedly exposed the Slovenian arbitrator on the tribunal, Jernej Sekolec, sharing confidential information about the case with a government official in Ljubljana.

The tribunal is in the process of deliberating on the case, concerning competing claims to a bay in the Adriatic Sea and its coastline that arose following the break-up of Yugoslavia in 1991. An award had been expected in December.

Croatian newspaper Vercenji List yesterday published audio clips and extracts of tapped phone conversations in which Sekolec apparently discusses the case and its probable outcome with Simona Drenik from Slovenia's foreign ministry (an expert witness in the proceeding).

Among other things, Drenik is told that Slovenia is to get two thirds of the waters claimed in the Bay of Piran. Vercenji List also recorded discussion of how to influence arbitrators on the tribunal with respect to Slovenia's land claims and to place further information before it during deliberations.

The publication describes its exclusive as "an international arbitration scandal".

Proving that business is going on as usual despite the hacking, the PCA today circulated a press release announcing Sekolec's resignation from the tribunal without any explanation of the reason. The institution said it now falls to Slovenia to appoint a new arbitrator under the 2009 arbitration agreement signed by the states, after which deliberations will resume.

Drenik has also resigned.

Following public outcry in Croatia, Slovenia's prime minister Miro Cerar told press that the disclosures made were "inappropriate" but that he hopes the case can now proceed to a verdict. The state's parliamentary committee for the supervision of security and intelligence services held an urgent meeting in response to the wire-tapping.

Croatia's foreign minister Vesna Pusic said the government is "consulting with legal experts and considering all options, including a possible withdrawal from arbitration, depending on the outcome of consulations and on what facts will be determined." Croatia has also written to the European Commission about the development.

In May, the PCA had to reassure the state parties to the dispute after Slovenia's foreign minister Karl Erjevec appeared on television professing to have information about the case that made him optimistic about its outcome. Croatia subsequently raised concerns with the tribunal about the confidentiality of its deliberations but Slovenia denied that it had received information.

Vienna-based Sekolec is a former secretary of UNCITRAL and director of the international trade law division of the UN Office of Legal Affairs. From 2010 to 2013, he served as vice president of the LCIA. He has yet to respond to a request for comment.

GAR has updated this article since first publication to include further detail of the ThreatConnect and Vercenji List reports.

The Republic of the Philippines v the People’s Republic of China

Tribunal

• Thomas Mensah (Ghana) (Chair), appointed by ITLOS
• Jean-Pierre Cot (France), appointed by ITLOS
• Alfred Soons (Netherlands), appointed by ITLOS
• Stanisław Pawlak (Poland), appointed by ITLOS
• Rüdiger Wolfrum (Germany), appointed by the Philippines

Counsel to the Philippines

• Foley Hoag

Partners Paul Reichler and Lawrence Martin in Washington, DC

• Philippe Sands QC of Matrix Chambers in London
• Alan Boyle of Essex Court Chambers in London
• Bernard Oxman at the University of Miami School of Law in Miami, Florida

Counsel to China

• China has refused to appoint counsel

Arbitration between the Republic of Slovenia and the Republic of Croatia

Arbitral tribunal

• Gilbert Guillaume (France) (President)
• Bruno Simma (Germany)
• Vaughan Lowe QC (UK)
• Jernej Sekolec (Slovenia) (appointed by Slovenia) (resigned today)
• Budislav Vukas (Croatia) (appointed by Croatia)

Counsel to Slovenia

• Eversheds

Partner Rodman Bundy in Singapore

• Daniel Müller

• Michael Wood of 20 Essex Street Chambers in London

• Alain Pellet, professor at University of Paris Ouest, Nanterre-La Défense

Counsel to Croatia

• Phillipe Sands QC, James Crawford SC and Zachary Douglas QC of Matrix Chambers in London

• Foley Hoag

Partner Paul Reichler in Washington, DC

• Anjolie Singh, New Delhi

• Davor Vidas, Lysaker, Norway

The tribunal in the arbitration between Croatia and Slovenia, with hearing participants. Sekolec is on the far left.