Check Point researchers unveil a long-term, ongoing stealth espionage operation orchestrating gov-to-gov attacks
Researchers at Check Point have uncovered the five-year, ongoing cyber espionage operations of a group called Naikon, an APT group targeting several governments in the Asia Pacific region. First reported in 2015, the group was responsible for attacks against top-level government agencies and related organisations in countries around the South China Sea, in search of political intelligence. But during 2015 the Naikon group slipped off the radar, with no new evidence or reports of activities found – until now.
Check Point researchers have now blown Naikon’s cover, confirming that the group has not only been active for the past five years, but has also accelerated its cyber espionage activities in 2019 and Q1 2020. Naikon’s primary method of attack is to infiltrate a government body, then use that body’s contacts, documents and data to launch attacks on others, exploiting the trust and diplomatic relations between departments and governments to increase the chances of its attack succeeding.
How Naikon’s attacks work
Researchers were alerted while investigating a malicious email, carrying an infected document, that was sent from a government embassy in APAC to the Australian government. The document contained an exploit which, when the document is opened, infiltrates the user’s PC and tries to download a sophisticated new backdoor malware called ‘Aria-body’ from external web servers used by the Naikon group, giving the group remote access to the infected PC or network and bypassing security measures.
Further investigation revealed other, similar infection chains being used to deliver the Aria-body backdoor, but all follow this basic three-step pattern:
- Impersonate an official government document to trick the recipient: Naikon starts by crafting an email and document that contain information of interest to the targets. This can be based on information from open sources or on proprietary information stolen from other compromised systems, to avoid raising suspicion.
- Infect documents with malware to infiltrate target systems: Naikon spikes the documents with a malicious downloader for the Aria-body backdoor, to give it access to the targets’ networks.
- Use governments’ own servers to continue and control attacks: Researchers found that Naikon is using the infrastructures and servers of its victims to launch new attacks, which helps to evade detection – in one example, researchers found a server used in attacks belonged to the Philippine Government’s department of science and technology.
Targets in the APAC region
Naikon is persistently targeting countries in the same geographical region, including Australia, Indonesia, Philippines, Vietnam, Thailand, Myanmar and Brunei. The group specifically targets government ministries of foreign affairs, science and technology, as well as government-owned companies. The motive is believed to be gathering of geo-political intelligence.
Lotem Finkelsteen, Manager of Threat Intelligence at Check Point:
“Naikon attempted to attack one of our customers by impersonating a foreign government – that’s when they came back onto our radar after a five-year absence, and we decided to investigate further. Our research found that Naikon is a highly motivated and sophisticated Chinese APT group. What drives them is their desire to gather intelligence and spy on countries, and they have spent the past five years quietly developing their skills and introducing a new cyber-weapon with the Aria-body backdoor. To evade detection, they were using exploits attributed to lots of APT groups, and uniquely using their victims’ servers as command and control centers. We’ve published this research as a warning and resource for any government entity to better spot Naikon’s or other hacker groups’ activities.”