For the past decade, Australia, as well as Indonesia, the Philippines, Vietnam, Thailand, Myanmar and Brunei, have been relentlessly cyber-attacked by the Chinese state-sponsored Naikon APT group.
According to Check Point, Naikon has strong ties to the Chinese military. It persistently attacks foreign government entities, including ministries of foreign affairs, ministries of science and technology, and government-owned companies. Its latest recorded attack was on the West Australian Government and Premier Mark McGowan.
Check Point says what made these attacks so alarming was the intrusive capabilities of Aria-body, the Naikon group’s new cyber-espionage tool.
The group has expanded its footholds on the various governments by launching attacks from one breached government entity to infect another, or from one trusted government to another, as was the case in WA.
In one case, a foreign embassy unknowingly sent malware-infected documents to the government of its host country.
This shows how the hackers exploit trusted, known contacts: they use them to infiltrate new organisations and extend their espionage network.
Check Point says the Naikon’s purpose is to gather intelligence and spy on the countries whose Governments it targets.
This includes finding and collecting specific documents, extracting data from removable drives, taking screenshots and keylogging, and, of course, harvesting the stolen data for espionage.
Naikon gains a foothold by sending an infected, spoofed email that appears to come from a trusted source. The weaponised RTF attachment (a document format opened by Word) starts infecting machines on the network.
The attackers use GoDaddy (see GadgetGuy's report on its recent hack) as the registrar. Chinese provider Alibaba hosts the command and control infrastructure.
Not only does it spread like a virus, but it also analyses file metadata to see who created documents and where they go. This effectively maps out the chain of command. Data is exfiltrated to the C&C server in encrypted form.
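The metadata-mapping point above has a straightforward defensive counterpart: documents leaving an organisation should not carry the author and last-editor names that let an intruder reconstruct who works with whom. The following is an added example, not code from Check Point or from the article, showing how to audit and strip those fields from an OOXML document (.docx/.xlsx/.pptx store them in docProps/core.xml). The sample document it builds is constructed inline for illustration; no real file is read.

```python
"""Audit and strip authorship metadata from OOXML (.docx/.xlsx/.pptx) files.

Added example: builds a constructed sample .docx in memory, reports the
author-identifying fields an intruder would harvest, and produces a copy
with those fields emptied before the file is shared externally.
"""
import io
import re
import zipfile

CORE_PART = "docProps/core.xml"

# The fields that reveal who created and who last edited a document.
_AUTHOR_TAGS = ("dc:creator", "cp:lastModifiedBy")


def make_sample_docx(creator: str, last_modified_by: str) -> bytes:
    """Build a minimal, constructed .docx containing only the parts needed here."""
    core = (
        '<?xml version="1.0" encoding="UTF-8" standalone="yes"?>'
        '<cp:coreProperties '
        'xmlns:cp="http://schemas.openxmlformats.org/package/2006/metadata/core-properties" '
        'xmlns:dc="http://purl.org/dc/elements/1.1/">'
        f"<dc:creator>{creator}</dc:creator>"
        f"<cp:lastModifiedBy>{last_modified_by}</cp:lastModifiedBy>"
        "</cp:coreProperties>"
    )
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr(CORE_PART, core)
        zf.writestr("word/document.xml", "<w:document/>")
    return buf.getvalue()


def read_authorship(docx_bytes: bytes) -> dict:
    """Return the non-empty author-identifying fields found in core.xml."""
    found = {}
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as zf:
        if CORE_PART not in zf.namelist():
            return found
        core = zf.read(CORE_PART).decode("utf-8")
    for tag in _AUTHOR_TAGS:
        m = re.search(rf"<{tag}[^>]*>(.*?)</{tag}>", core, re.S)
        if m and m.group(1).strip():
            found[tag] = m.group(1).strip()
    return found


def strip_authorship(docx_bytes: bytes) -> bytes:
    """Return a copy of the document with creator/lastModifiedBy emptied.

    Every other ZIP entry is copied unchanged, so the document still opens.
    """
    src = zipfile.ZipFile(io.BytesIO(docx_bytes))
    out_buf = io.BytesIO()
    with zipfile.ZipFile(out_buf, "w", zipfile.ZIP_DEFLATED) as out:
        for item in src.infolist():
            data = src.read(item.filename)
            if item.filename == CORE_PART:
                text = data.decode("utf-8")
                for tag in _AUTHOR_TAGS:
                    # Keep the element (and its attributes) but empty its content.
                    text = re.sub(
                        rf"<{tag}([^>]*)>.*?</{tag}>",
                        rf"<{tag}\1></{tag}>",
                        text,
                        flags=re.S,
                    )
                data = text.encode("utf-8")
            out.writestr(item, data)
    src.close()
    return out_buf.getvalue()


if __name__ == "__main__":
    # Constructed sample: two hypothetical staff account names.
    sample = make_sample_docx("a.officer", "b.director")
    print("before:", read_authorship(sample))
    print("after: ", read_authorship(strip_authorship(sample)))
```

Running this on a real outbound document (replace the constructed sample with the file's bytes) gives a quick check of what an attachment discloses; a mail gateway or DLP hook can apply `strip_authorship` automatically to anything addressed outside the organisation.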
Check Point summarises:
We uncovered the latest iteration … of a long-running Chinese-based operation against various government entities in APAC. By using new server infrastructure, ever-changing loader variants, in-memory file-less loading, as well as a new backdoor – the Naikon APT group can prevent analysts from tracing their activity back to them.
Kaspersky has corroborated Check Point’s Naikon investigation. It added:
The hacking group appears to operate as part of the military’s Second Technical Reconnaissance Bureau, Unit 78020, based mainly in the southern city of Kunming. It is responsible for China’s cyberoperations and technological espionage in Southeast Asia and the South China Sea, and wherever Beijing has territorial disputes with its neighbours.
Peter Jennings, a former Australian defence official, is the executive director of the Australian Strategic Policy Institute. He said:
“We know that China is the single biggest source of cyber espionage coming into Australia by a very long way. People fail to see the industrial-strength capacity that China has to do this on a global scale.”
China maintains that it is opposed to cyberattacks of any kind and that its government and military do not engage in hacking for the theft of trade secrets.