A five-year cyber espionage campaign targeting government agencies and government-owned businesses across Southeast Asia has been uncovered following the re-emergence of the hacker group Naikon.
According to Check Point findings, the advanced persistent threat (APT) specialists are “persistently targeting” countries in the same geographical region, including Indonesia, the Philippines, Vietnam, Thailand, Myanmar and Brunei.
In addition to Australia-based attacks, the group directly targets government ministries of foreign affairs and of science and technology, as well as government-owned companies, with the alleged motive of gathering geopolitical intelligence.
First revealed in 2015, the group was responsible for attacks against top-level government agencies and related organisations in countries around the South China Sea, in search of political intelligence. Naikon then slipped off the radar, with no new evidence or reports of activities found until now.
“Naikon attempted to attack one of our customers by impersonating a foreign government - that’s when they came back onto our radar after a five-year absence, and we decided to investigate further,” observed Lotem Finkelsteen, manager of Threat Intelligence at Check Point. “Our research found that Naikon is a highly motivated and sophisticated Chinese APT group.”
Finkelsteen confirmed that the group has not only been active for the past five years, but has also accelerated cyber espionage activities in 2019 and during the first quarter of 2020.
Naikon’s primary method of attack is centred around a 'government-to-government' approach. The move is designed to infiltrate a government body, then use that body’s contacts, documents and data to launch attacks on others, exploiting the "trust and diplomatic relations" between departments and governments in the process.
“What drives them is their desire to gather intelligence and spy on countries, and they have spent the past five years quietly developing their skills and introducing a new cyber-weapon with the Aria-body backdoor,” Finkelsteen added.
“To evade detection, they were using exploits attributed to lots of APT groups, and uniquely using their victims’ servers as command and control centers. We’ve published this research as a warning and resource for any government entity to better spot Naikon’s or other hacker groups’ activities.”
Researchers were alerted when investigating an example of a malicious email with an infected document that was sent from a government embassy in Asia Pacific to the Australian government.
The document contained an exploit which, when opened, infiltrates the user’s PC and tries to download a sophisticated new backdoor called ‘Aria-body’ from external web servers used by the Naikon group, giving the group remote access to the infected PC or network while bypassing security measures.
Further investigation revealed other, similar infection chains being used to deliver the Aria-body backdoor. According to findings, all follow a basic three-step pattern which starts with impersonating an official government document to "trick the recipient".
"Naikon starts by crafting an email and document that contains information of interest to the targets," the report stated. "This can be based on information from open sources or on proprietary information stolen from other compromised systems, to avoid raising suspicion."
Naikon then infects documents with malware to infiltrate target systems, spiking the documents with a malicious downloader for the Aria-body backdoor to provide access to the targets’ networks. Finally, they use internal government servers to continue and control attacks.
"Researchers found that Naikon is using the infrastructures and servers of its victims to launch new attacks, which helps to evade detection – in one example, researchers found a server used in attacks belonged to the Philippine Government’s department of science and technology," the report added.