After years of apparent ‘hibernation’, a Chinese state-sponsored threat group’s espionage campaign against the APAC region has finally been uncovered.

In 2015, an advanced persistent threat (APT) group called Naikon was discovered to be targeting several governments in the Asia Pacific region. The group was responsible for attacks against top-level government agencies and related organizations in countries around the South China Sea, in search of political intelligence. But Naikon soon slipped off the radar, with no new evidence or reports of activity found, until now.

Researchers at Check Point have just uncovered a five-year, ongoing cyber espionage operation by Naikon, confirming that the group has not only been active for the past five years, but has also accelerated its cyber espionage activities in 2019 and Q1 2020.

Naikon’s primary method of attack is to infiltrate a government body, then use that body’s contacts, documents and data to launch attacks on others, exploiting the trust and diplomatic relations between departments and governments to increase the chances of its attack succeeding.

How Naikon’s attacks work

Researchers were alerted while investigating a malicious email, carrying an infected document, that was sent from a government embassy in the APAC region to the Australian government. The document contained an exploit which, when the file was opened, ran on the recipient’s PC and attempted to download a sophisticated new backdoor called ‘Aria-body’ from external web servers used by the Naikon group. The backdoor then gave the group remote access to the infected PC and, through it, to the network, without the email-level controls that had let the lure through ever seeing the payload.

Further investigation revealed other, similar infection chains being used to deliver the Aria-body backdoor, but all follow this basic three-step pattern:

  1. Impersonate an official government document to trick the recipient: Naikon starts by crafting an email and document that contain information of interest to the target. The content can be drawn from open sources or from proprietary information stolen from other compromised systems, so that the lure raises no suspicion.
  1. Infect the document with malware to infiltrate the target’s systems: Naikon laces the document with a malicious downloader for the Aria-body backdoor, which gives it access to the target’s network.
  1. Use governments’ own servers to continue and control the attacks: researchers found that Naikon uses the infrastructure and servers of earlier victims to launch new attacks and to host command and control, which helps it evade detection, since traffic to a peer government’s server looks legitimate. In one example, a server used in attacks actually belonged to the Philippine Government’s department of science and technology.
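The third step is the one that defeats the most common defence: an allowlist that trusts traffic to peer-government domains wholesale. The following detection heuristic, an added example that is not part of the Check Point research or of this article, runs over constructed endpoint-telemetry lines and flags document-handling processes (Word, Excel, Acrobat) that open outbound web connections, the behaviour a macro-less document exploit produces when it fetches a downloader or backdoor. It deliberately does not suppress hits whose destination sits in a trusted government domain; it tags them instead, because that is exactly where the page says Naikon’s command and control was hosted. The log format, field names, process list, domain suffixes, hostnames and addresses are all assumptions made for the example.

```python
import re

# Processes that render documents and normally have no reason to reach web
# servers on their own. Hypothetical list; tune it to the estate.
DOC_PROCESSES = {"winword.exe", "excel.exe", "powerpnt.exe", "acrord32.exe"}
WEB_PORTS = {80, 443, 8080}

# Domain suffixes a naive allowlist might trust wholesale. Hypothetical: the
# point is that a hit here must be escalated, not dropped, because a victim
# government's own server can be the C2.
PEER_GOVERNMENT_SUFFIXES = (".gov.ph", ".gov.au", ".go.th")

# Constructed sample telemetry (key=value per line); not real logs. The
# hostnames use example/documentation names and the 203.0.113.0/24 test net.
SAMPLE_LOG = """\
2020-04-10T09:13:58Z host=ws-17 proc=outlook.exe  dhost=mail.example.gov.au dport=443
2020-04-10T09:14:02Z host=ws-17 proc=winword.exe  dhost=files.example.gov.ph dport=443
2020-04-10T09:14:05Z host=ws-17 proc=winword.exe  dhost=203.0.113.45 dport=80
2020-04-10T09:20:11Z host=ws-22 proc=chrome.exe   dhost=files.example.gov.ph dport=443
2020-04-10T09:31:40Z host=ws-09 proc=excel.exe    dhost=fileshare.corp.example dport=445
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+host=(?P<host>\S+)\s+proc=(?P<proc>\S+)\s+"
    r"dhost=(?P<dhost>\S+)\s+dport=(?P<dport>\d+)\s*$"
)


def parse_line(line):
    """Parse one telemetry line into a dict; return None for lines that do not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ev = m.groupdict()
    ev["proc"] = ev["proc"].lower()
    ev["dhost"] = ev["dhost"].lower()
    ev["dport"] = int(ev["dport"])
    return ev


def on_peer_government_domain(dhost):
    """True if the destination falls under a domain an allowlist would trust."""
    return dhost.endswith(PEER_GOVERNMENT_SUFFIXES)


def detect(log_text):
    """Return one alert per document process that opened an outbound web connection.

    Destinations in peer-government domains are tagged rather than suppressed:
    under the pattern described above they are the likeliest C2 hosts.
    """
    alerts = []
    for line in log_text.splitlines():
        ev = parse_line(line)
        if ev is None:
            continue
        if ev["proc"] not in DOC_PROCESSES or ev["dport"] not in WEB_PORTS:
            continue
        alerts.append({
            "ts": ev["ts"],
            "host": ev["host"],
            "proc": ev["proc"],
            "dhost": ev["dhost"],
            "dport": ev["dport"],
            "peer_government_host": on_peer_government_domain(ev["dhost"]),
        })
    return alerts


if __name__ == "__main__":
    for a in detect(SAMPLE_LOG):
        tag = " [peer-government host: do not allowlist away]" if a["peer_government_host"] else ""
        print(f'{a["ts"]} {a["host"]} {a["proc"]} -> {a["dhost"]}:{a["dport"]}{tag}')
```

On the sample data only the two Word connections from ws-17 are raised; Outlook and the browser talking to the same hosts are normal, and Excel reaching a file share on port 445 is not a web fetch. The first Word hit lands on a .gov.ph host and is tagged rather than dropped, which is the behavioural change the Naikon pattern calls for: trust in a peer government’s domain says nothing about who controls the server behind it.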

Targets in the APAC region

Naikon is persistently targeting countries in the same geographical region, including Australia, Indonesia, Philippines, Vietnam, Thailand, Myanmar and Brunei.

The group specifically targets government ministries of foreign affairs and of science and technology, as well as government-owned companies. The motive is believed to be the gathering of geopolitical intelligence. Said Lotem Finkelsteen, Manager of Threat Intelligence, Check Point: “Naikon attempted to attack one of our customers by impersonating a foreign government. That’s when they came back onto our radar after a five-year absence, and we decided to investigate further. Our research found that Naikon is a highly motivated and sophisticated Chinese APT group. What drives them is their desire to gather intelligence and spy on countries, and they have spent the past five years quietly developing their skills and introducing a new cyber-weapon with the Aria-body backdoor.”

According to Finkelsteen, the APT group uses exploits attributed to many other APT groups to evade attribution and detection, and is unusual in using its victims’ servers as command and control centres. “We’ve published this research as a warning and resource for any government entity to better spot Naikon’s or other hacker groups’ activities.”