Report: Chinese-linked hacking group has been infiltrating APAC governments for years

Newly released evidence points to the Naikon APT being at the head of a 5-year espionage campaign that has phished information from countries all around the Asia-Pacific region.


Security firm Check Point has found evidence that a Chinese government-linked hacking group has been infiltrating and gathering information on governments from around the Asia-Pacific (APAC) region for more than five years.

The group, known as Naikon Advanced Persistent Threat (APT), was first discovered in 2015. After a report that named one of its members went public, the group went silent.

Now, in 2020, research from Check Point suggests the group has remained active, and has been found targeting governments in Australia, Indonesia, the Philippines, Vietnam, Thailand, Myanmar, and Brunei. 

Of particular interest to Naikon in its attacks have been ministries of foreign affairs, science and tech agencies, and government-owned companies. To make matters more dangerous, the attacks leverage data stolen from target governments to infiltrate other departments and other nations by exploiting diplomatic ties.


How Naikon APT is infiltrating APAC

Check Point specifically names a backdoor known as Aria-Body as the weapon of choice in Naikon's campaign, which was discovered in 2015 and is ongoing.

"Our investigation started when we observed a malicious email sent from a government embassy in APAC to the Australian government, named The Indians Way.doc. This RTF file, which was infected (weaponized) with the 'RoyalRoad' exploit builder, drops a loader named intel.wll into the target PC's Word startup folder," Check Point said in the report.

The loader then downloads additional payloads, with the ultimate goal of installing Aria-Body, a backdoor remote access trojan (RAT) with capabilities similar to other RATs seen in the past. It's able to: 

  • Create, edit, and delete files and directories
  • Take screenshots
  • Search for files
  • Launch files
  • Enumerate processes
  • Collect metadata
  • Gather TCP/UDP statuses
  • Close TCP sessions
  • Catalog OS information
  • Verify physical location using AWS's IP checker
  • Install keyloggers

Check Point has found three versions of the attack: infected RTF files, archive files containing a malicious DLL, and a direct executable loader. All three worm their way into a computer's startup folder, download additional malware from a command and control server, and go to work harvesting information.
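The Check Point quote above places the loader, intel.wll, in the Word startup folder, which gives defenders a fixed location to audit. The Python sweep below is an added example, not code from Check Point or from this article; it assumes Word's default per-user STARTUP path under each profile, and the function names and severity labels are illustrative.

```python
import hashlib
import sys
from pathlib import Path

# Loader file name quoted in the Check Point report.
REPORTED_NAMES = {"intel.wll"}
# Assumption: Word's default per-user startup location, relative to a profile
# directory. It can be changed in Word's options, so treat this as a baseline.
STARTUP_REL = Path("AppData", "Roaming", "Microsoft", "Word", "STARTUP")


def classify(name):
    """Illustrative severity labels (hypothetical, not from the report)."""
    lowered = name.lower()
    if lowered in REPORTED_NAMES:
        return "high"      # exact file name from the report
    if lowered.endswith(".wll"):
        return "medium"    # Word add-in DLL that loads when Word starts
    return "low"           # anything else still merits a look


def find_word_startup_addins(users_root):
    """Return a finding for every file in each profile's Word STARTUP folder."""
    findings = []
    for profile in sorted(Path(users_root).iterdir()):
        startup = profile / STARTUP_REL
        try:
            entries = [p for p in startup.iterdir() if p.is_file()]
        except OSError:    # folder missing or profile not readable
            continue
        for path in entries:
            try:
                digest = hashlib.sha256(path.read_bytes()).hexdigest()
            except OSError:
                digest = None
            findings.append({
                "path": str(path),
                "severity": classify(path.name),
                "sha256": digest,
                "modified": path.stat().st_mtime,
            })
    return sorted(findings, key=lambda f: f["path"])


if __name__ == "__main__":
    root = sys.argv[1] if len(sys.argv) > 1 else r"C:\Users"
    for f in find_word_startup_addins(root):
        print(f["severity"], f["sha256"], f["path"])
```

On most workstations this folder is empty, so any finding is worth comparing against the add-ins the organization actually deploys.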

The report concludes that Naikon APT has been anything but inactive in the five years since it was discovered. "By utilizing new server infrastructure, ever-changing loader variants, in-memory fileless loading, as well as a new backdoor — the Naikon APT group was able to prevent analysts from tracing their activity back to them," Check Point said in its report.

While the attack may not appear to be targeting governments outside the APAC region, examples like these should serve as warnings to other governments and private organizations worried about cybersecurity threats. 

One of the reasons Naikon APT has been able to spread so far is that it leverages stolen email addresses to make senders seem legitimate. Every organization, no matter the size, should have good email filters in place, and should train employees to recognize the signs of phishing and other email-based attacks.

[Image: naikon-map-image.jpg. Credit: Check Point Security]