Naikon, a Chinese threat group, has been engaged in a five-year-long cyber espionage campaign targeting several governments across the Asia Pacific region, including that of Western Australia. This is according to findings revealed by intelligence researchers at security firm Check Point.
Indonesia, the Philippines, Vietnam, Thailand, Myanmar, and Brunei are the counties directly affected by what the Check Point researchers refer to as a spate of “government-to-government” cyber espionage attacks originating from China. The hacker group Naikon targets government institutions, such ministries of foreign affairs science and technology and government owned companies, the researchers said.
The cyber espionage operation remains ongoing, the researchers added, claiming that the attacks are being launched with the aim of “gathering of geo-political intelligence”. In this way, the cyber espionage campaigns make Naikon an advanced persistent threat, or APT group.
Breaking down Naikon’s slew of cyber espionage
In order to launch its cyber espionage attacks, according to Check Point, Naikon begins by infiltrating a a government body before hijacking its contacts, documents, and data to launch more targeted phishing attacks against other government targets.
In this way, Naikon is attempting to undermine trust and diplomatic relations between departments and governments; something which further increases the chances of a future attack turning out to be successful.
“Naikon attempted to attack one of our customers by impersonating a foreign government—that’s when they came back onto our radar after a five-year absence, and we decided to investigate further,” explained Lotem Finkelsteen, head of threat intelligence at Check Point.
Finkelsteen went on to explain that Naikon is part of a Chinese effort to gather diplomatic intelligence and undermine ties in the Asia Pacific region.
“Our research found that Naikon is a highly motivated and sophisticated Chinese APT group,” he explained. “What drives them is their desire to gather intelligence and spy on countries, and they have spent the past five years quietly developing their skills and introducing a new cyber-weapon with the Aria-body backdoor.”
What makes the group so effective, Finkelsteen went on, is that the trail of clues left behind by Naikon’s cyber espionage is very difficult to detect.
“To evade detection, they were using exploits attributed to lots of APT groups, and uniquely using their victims’ servers as command and control centers. We’ve published this research as a warning and resource for any government entity to better spot Naikon’s or other hacker group’s activities.”
How Naikon attacks work
The way in which Naikon launches its cyber espionage attacks appears not only to be crafty, but also exceedingly difficult to trace. This is so much the case, in fact, that it took researchers over five years to detect and to eventually unravel the way in which they work.
According to the Check Point, Naikon attempts to launch its cyber espionage attacks by crafting email lures, which are then used as an initial attack vector against a government agency.
When opened, the mailed document infiltrates the victim’s computer and attempts to download another piece of malware, known as an ‘Aria-body’. Using this tactic, hackers are able to gain remote access to the victim’s computer or network while their hijacking successfully bypasses security measures, according to Check Point.
Initially alerted while investigating an example of such an email that was sent from a government embassy in APAC to the Australian government, researchers at Check Point quickly caught on, and began to unravel the infection chain earlier this year. It was not long before they uncovered the grave extent of the method.
Links to the Chinese government
According to reports, Naikon plays a key role in the Chinese government’s espionage efforts in the South China Sea, having been particularly involved in the systematic targeting of government agencies in the Philippines and Vietnam.
Their networks were first revealed in an extensive 2015 report by Check Point, entitled ‘Project CAMERASHY’, which showed Naikon to be a substantive force in the region. However, until recently, Naikon remained a shadowy force in relation to other Chinese-linked APT groups, and appeared to have gone silent for many years, according to Check Point.
“Since [the 2015] report, no new evidence has come to light of further activity by the group, suggesting that they had either gone silent, increased their emphasis on stealth, or drastically changed their methodology of operations. That is, until now,” Check Point wrote recently in a threat profile of Naikon.
Nevertheless, there is little documentation or firm evidence pointing to their origin or to the full extent of the group’s operations. While links between Naikon and the Chinese military have been contested, there so far remains little evidence to support this claim.