Newly released evidence points to the Naikon APT being at the head of a 5-year espionage campaign that has phished information from countries all around the Asia-Pacific region.
Security firm Check Point has found evidence that a Chinese government-linked hacking group has been infiltrating and gathering information on governments from around the Asia-Pacific (APAC) region for more than five years.
Now, in 2020, research from Check Point suggests the group has remained active, and has been found targeting governments in Australia, Indonesia, the Philippines, Vietnam, Thailand, Myanmar, and Brunei.
Of particular interest to Naikon in its attacks have been ministries of foreign affairs, science and technology agencies, and government-owned companies. To make matters worse, the attacks leverage data stolen from one target government to infiltrate other departments and other nations by exploiting diplomatic ties.
How Naikon APT is infiltrating the APAC region
Check Point specifically names a backdoor known as Aria-Body as the weapon of choice in Naikon's campaign, which was first discovered in 2015 and is still ongoing.
"Our investigation started when we observed a malicious email sent from a government embassy in APAC to the Australian government, named The Indians Way.doc. This RTF file, which was infected (weaponized) with the 'RoyalRoad' exploit builder, drops a loader named intel.wll into the target PC's Word startup folder," Check Point said in the report.
The loader then downloads additional payloads, with the ultimate goal of installing Aria-Body, a backdoor remote access trojan (RAT) with capabilities similar to other RATs seen in the past. It's able to:
- Create, edit, and delete files and directories
- Take screenshots
- Search for files
- Launch files
- Enumerate processes
- Collect metadata
- Gather TCP/UDP statuses
- Close TCP sessions
- Catalog OS information
- Verify physical location using AWS's IP checker
- Install keyloggers
Check Point has found three versions of the attack: infected RTF files, archive files containing a malicious DLL, and a direct executable loader. All three worm their way into a computer's startup folder, download additional malware from a command-and-control server, and go to work harvesting information.
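Because every delivery variant described above ends with a loader persisting in the Word startup folder, that folder is a cheap place to check on a suspect host. The script below is an added example written for this article, not Check Point's tooling or anything from the report: it flags .wll and .dll add-ins sitting in a folder named STARTUP (the per-user %APPDATA%\Microsoft\Word\STARTUP location is the standard one) and records a SHA-256 so an analyst can compare the file against known samples. The Windows-style sample listing is constructed for illustration.

```python
"""Check Word STARTUP folders for add-in files such as the intel.wll loader.

Added illustration for this article, not Check Point's or Naikon's code.
Word loads any .wll (Word add-in library) or .dll add-in placed in its
STARTUP folder, which is why a loader dropped there survives reboots.
"""
import hashlib
import os
from datetime import datetime, timezone
from pathlib import Path, PureWindowsPath

# File types Word treats as add-ins when found in STARTUP (.dotm global
# templates also load from there but are not flagged by this check).
ADDIN_EXTENSIONS = {".wll", ".dll"}

# Constructed sample listing, as an analyst might receive from a triage
# collection; only the first and last entries should be flagged.
SAMPLE_LISTING = [
    r"C:\Users\alice\AppData\Roaming\Microsoft\Word\STARTUP\intel.wll",
    r"C:\Users\alice\AppData\Roaming\Microsoft\Word\STARTUP\notes.txt",
    r"C:\Users\alice\Documents\intel.wll",
    r"C:\Program Files\Microsoft Office\root\Office16\STARTUP\helper.dll",
]


def is_startup_addin(path_str):
    """True if the path is an add-in file whose parent folder is named STARTUP.

    PureWindowsPath is used so the check works on Windows-style paths even
    when run on a non-Windows analysis box over a collected file listing.
    """
    p = PureWindowsPath(path_str)
    return p.parent.name.lower() == "startup" and p.suffix.lower() in ADDIN_EXTENSIONS


def find_word_addins(paths):
    """Filter an iterable of path strings down to the suspicious add-ins."""
    return [str(p) for p in paths if is_startup_addin(p)]


def default_startup_dirs():
    """Standard per-user Word STARTUP folder, derived from %APPDATA%."""
    appdata = os.environ.get("APPDATA")
    if not appdata:
        return []  # not a Windows user profile, nothing to scan
    return [Path(appdata) / "Microsoft" / "Word" / "STARTUP"]


def triage_record(path):
    """Collect what an analyst needs to compare the file against known samples."""
    p = Path(path)
    data = p.read_bytes()
    mtime = datetime.fromtimestamp(p.stat().st_mtime, tz=timezone.utc)
    return {
        "path": str(p),
        "sha256": hashlib.sha256(data).hexdigest(),
        "size": len(data),
        "modified_utc": mtime.isoformat(),
    }


def scan_host():
    """Walk the live STARTUP folders and return a triage record per hit."""
    records = []
    for folder in default_startup_dirs():
        if not folder.is_dir():
            continue
        listing = [str(f) for f in folder.iterdir() if f.is_file()]
        records.extend(triage_record(hit) for hit in find_word_addins(listing))
    return records


if __name__ == "__main__":
    print("sample listing hits:", find_word_addins(SAMPLE_LISTING))
    live = scan_host()
    for rec in live:
        print(rec)
    if not live:
        print("no add-ins found in the per-user Word STARTUP folder")
```

Any hit is not proof of compromise (legitimate add-ins live there too), but an unexpected .wll that no one installed is exactly the artefact the report describes and should be hashed and pulled for analysis rather than deleted on the spot.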
The report concludes that Naikon APT has been anything but inactive in the five years since it was discovered. "By utilizing new server infrastructure, ever-changing loader variants, in-memory fileless loading, as well as a new backdoor — the Naikon APT group was able to prevent analysts from tracing their activity back to them," Check Point said in its report.
While the attack may not appear to be targeting governments outside the APAC region, examples like these should serve as warnings to other governments and private organizations worried about cybersecurity threats.
One of the reasons Naikon APT has been able to spread so far is that it leverages stolen email addresses to make senders seem legitimate. Every organization, no matter the size, should have good email filters in place, and should train employees to recognize the signs of phishing and other email-based attacks.