A Chinese hacking group has been conducting “ongoing” espionage operations on foreign governments across Asia, according to security firm Check Point. Called Naikon, it has reportedly attacked governments in Australia, Indonesia, Philippines, Vietnam, Thailand, Myanmar and Brunei, targeting foreign affairs, science and technology ministries. The aim is to gather “geo-political intelligence,” Check Point wrote in a news release.
The primary attack vector is our old friend, phishing. First, Naikon creates an official-looking email with information of interest to potential targets, obtained via public or stolen information. Should the hapless victim open the email attachment, it’s spiked with a sophisticated piece of backdoor malware called “Aria-body.” That gives the attacker access to the target’s networks and from there, they attempt to access other parts of the infrastructure to gain wider access and launch new attacks.
“Naikon’s primary method of attack is to infiltrate a government body, then use that body’s contacts, documents and data to launch attacks on others, exploiting the trust and diplomatic relations between departments and governments to increase the chances of its attack succeeding,” said Check Point.
Naikon is a known hacker group, but apparently dropped out of view around 2015. However, Check Point found that despite avoiding detection, the group has been very active during the last five years, especially in 2019-20. During that time, the group developed new tools including Aria-body.
“To evade detection, they were using exploits attributed to lots of APT [advanced persistent threat] groups, and uniquely using their victims’ servers as command and control centers,” wrote Check Point. “We’ve published this research as a warning and resource for any government entity to better spot Naikon’s or other hacker group’s activities.”