China-based Naikon APT Group Carrying Out Espionage on APAC Nations
An Advanced Persistent Threat (APT) group referred to as Naikon is targeting APAC nations. In these attacks the hackers focus on stealing valuable information from ministries of foreign affairs, science and technology offices, and government-owned companies, according to cyber security researchers at Check Point.
The activity appears to be a multi-year campaign against government entities in APAC. Naikon had seemed to go quiet in recent years, but in fact the group had been conducting operations undetected for about five years.
The goal of the attacks is espionage on Asia-Pacific countries: collecting intelligence from target governments. The group steals documents and data from network devices, and its malware can log keystrokes and take screenshots from infected computers. Naikon has also used networks it had already infected as a springboard to pass malware on to further target organizations in other nations.
“In one case, a foreign embassy unknowingly sent malware-infected documents to the government of its host country, showing how the hackers are exploiting trusted, known contacts and using them to infiltrate new organizations and extend their espionage network,” Check Point said in their report.
The hackers registered domain names with GoDaddy and hosted the infrastructure on Alibaba. The attacks used the Aria-body backdoor. Some of the capabilities of the Aria-body remote access trojan (RAT) are:
- Create and delete files and directories
- Take screenshots
- Search and launch files
- Collect metadata from files
- Close a TCP session
- Collect operating system information
A RAT is a type of malware that allows an attacker to control a computer remotely as if they were sitting at the keyboard.
Aria-body malware was used to attack the governments of Australia, Indonesia, the Philippines, Vietnam, Thailand, Myanmar and Brunei. RoyalRoad, a builder for weaponized RTF documents, was used in some of the attacks to drop Aria-body.
An advanced persistent threat group is typically a nation-state sponsored hacking organization that works on behalf of a government. Such groups carry out attacks on other nations, political organizations, high-profile public figures, critical infrastructure, research institutions, and financial institutions. In general, APT groups collect sensitive data, conduct espionage, and in some cases steal money to fund operations on behalf of their nation.
APT groups carry out their attacks using a low-and-slow strategy. Their campaigns may run for months or years, evading detection because they never generate the sudden burst of suspicious activity that volume-based alerting is tuned to catch.
Naikon has been carrying out cyber espionage against countries including Australia, Indonesia, the Philippines, Vietnam, Thailand, Myanmar and Brunei. The group also has a history of attacks against Malaysia, Cambodia, Singapore, and Nepal.
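The low-and-slow behaviour described above is exactly what makes such campaigns detectable once the detection logic looks at timing regularity instead of volume. The following is an added example, not code from the original article or from Check Point: a small Python beaconing heuristic run over constructed proxy log lines. The host names, destinations, timestamps and thresholds are all assumptions made up for the example; the one periodic host makes fewer connections than the normal one and is still the only pair flagged.

```python
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed sample proxy log lines (not real traffic): "<timestamp> <source host> <destination>".
# ws-finance-12 browses at irregular, human-driven intervals. ws-foreign-affairs-07 is the
# hypothetical infected host: it contacts sync.c2-sample.invalid once an hour with a few
# seconds of jitter, and makes fewer connections in total than the normal host.
SAMPLE_LOG = """\
2020-05-01T08:00:04Z ws-finance-12 mail.example.test
2020-05-01T08:00:05Z ws-foreign-affairs-07 sync.c2-sample.invalid
2020-05-01T08:03:11Z ws-finance-12 mail.example.test
2020-05-01T08:03:40Z ws-finance-12 mail.example.test
2020-05-01T08:15:22Z ws-finance-12 mail.example.test
2020-05-01T08:16:01Z ws-finance-12 mail.example.test
2020-05-01T09:00:02Z ws-foreign-affairs-07 sync.c2-sample.invalid
2020-05-01T09:42:13Z ws-finance-12 mail.example.test
2020-05-01T09:42:15Z ws-finance-12 mail.example.test
2020-05-01T10:00:07Z ws-foreign-affairs-07 sync.c2-sample.invalid
2020-05-01T11:00:04Z ws-foreign-affairs-07 sync.c2-sample.invalid
2020-05-01T11:05:58Z ws-finance-12 mail.example.test
2020-05-01T11:30:00Z ws-finance-12 docs.example.test
2020-05-01T11:30:00Z ws-finance-12 mail.example.test
2020-05-01T12:00:01Z ws-foreign-affairs-07 sync.c2-sample.invalid
2020-05-01T13:00:09Z ws-foreign-affairs-07 sync.c2-sample.invalid
2020-05-01T13:12:44Z ws-finance-12 mail.example.test
2020-05-01T13:40:10Z ws-finance-12 docs.example.test
2020-05-01T14:00:03Z ws-foreign-affairs-07 sync.c2-sample.invalid
2020-05-01T15:00:06Z ws-foreign-affairs-07 sync.c2-sample.invalid
"""


def parse_log(text):
    """Parse the log text into (timestamp, src, dst) tuples sorted by time."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, dst = line.split()
        events.append((datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), src, dst))
    events.sort()
    return events


def beacon_candidates(events, min_connections=6, max_cv=0.1):
    """Return (src, dst) pairs whose connection timing is suspiciously regular.

    For each pair, compute the inter-arrival intervals and their coefficient of
    variation (std / mean). A periodic implant produces a low CV no matter how few
    connections it makes; human browsing produces a high CV. Total volume is
    deliberately not the signal, because a low-and-slow implant keeps it small.
    min_connections and max_cv are assumed thresholds for this example.
    """
    by_pair = defaultdict(list)
    for ts, src, dst in events:
        by_pair[(src, dst)].append(ts)

    flagged = {}
    for pair, stamps in by_pair.items():
        if len(stamps) < min_connections:
            continue
        intervals = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        avg = mean(intervals)
        if avg <= 0:
            continue
        cv = pstdev(intervals) / avg
        if cv <= max_cv:
            flagged[pair] = {"count": len(stamps), "mean_interval": avg, "cv": cv}
    return flagged


if __name__ == "__main__":
    for (src, dst), stats in beacon_candidates(parse_log(SAMPLE_LOG)).items():
        print(f"{src} -> {dst}: {stats['count']} connections, "
              f"every {stats['mean_interval']:.0f}s, cv={stats['cv']:.4f}")
```

On the constructed data only the hourly pair is reported; the finance workstation, despite more connections, has a CV above 1 and is ignored. A real implant can add large random sleep jitter to push its CV over a fixed threshold, so in practice this heuristic is combined with longer observation windows, destination reputation and the rarity of the destination across the fleet rather than used on its own.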
What is Naikon APT?
Naikon is an Advanced Persistent Threat group attributed to China. In 2015, the security research firm Kaspersky Lab documented Naikon’s activity in a report; at that time Naikon was using a backdoor to compromise governmental organizations.
Security vendors each assign their own numbers and monikers to APT groups, so one group is often tracked under several names. Naikon has been linked by some researchers to APT30 (APT 30), although Kaspersky Lab has assessed the two as distinct groups with some overlap. Naikon’s other monikers include Override Panda, Camerashy, APT.Naikon, and Lotus Panda. Hellsing, sometimes listed alongside these, is the separate actor that Kaspersky observed counter-attacking Naikon in 2015.