Check Point uncovers five year cyber espionage campaign
Check Point Software Technologies has identified and reported on a five year cyber espionage campaign that is targeting Asia Pacific governments.
Check Point Research, the Threat Intelligence arm of Check Point Software Technologies has uncovered the ongoing cyber espionage operations driven by Naikon, a Chinese APT group.
Specific targets in the APAC region include Australia, Indonesia, Philippines, Vietnam, Thailand, Myanmar and Brunei.
The method of attack is by using one government against another. For example, once the hackers have infiltrated one government body, the group uses that body’s contacts, documents and servers to launch targeted phishing attacks against new government targets.
Naikon’s primary method is exploit the trust and diplomatic relations between departments and governments to increase the chances of its attack succeeding.
The group has been working on the campaign since 2015, and throughout 2019 and Q1 2020 cyber espionage activities have accelerated.
Five years ago, it was first reported that Naikon was responsible for attacks against top-level government agencies and related organisations in countries around the South China Sea, in search of political intelligence.
However, the Naikon group disappeared later the same year with no new evidence or reports of activities found until 2019.
Check Point researchers have uncovered that the group has not only been active for the past five years, but has also accelerated its cyber espionage activities since last year.
Researchers were initially alerted when investigating an example of a malicious email with an infected document that was sent from a government embassy in APAC to the Australian government.
The document contained an exploit which, when opened, infiltrates the user’s PC and tries to download a sophisticated new backdoor malware called ‘Aria-body’ from external Web servers used by the Naikon group, to give the group remote access to the infected PC or network, bypassing security measures.
Further investigation revealed similar infection chains being used to deliver the Aria-body backdoor, but all follow a three-step pattern.
Step one is to impersonate an official government document to trick the recipient. Naikon starts by crafting an email and document that contains information of interest to the targets.
This can be based on information from open sources or on proprietary information stolen from other compromised systems, to avoid raising suspicion.
Step two is to infect documents with malware to infiltrate target systems. Check Point states Naikon includes a malicious downloader for the Aria-body backdoor in documents, to give it access to the targets’ networks.
Step three is to use governments’ own servers to continue and control attacks. Researchers found that Naikon is using the infrastructures and servers of its victims to launch new attacks, which helps to evade detection.
In one example, researchers found a server used in attacks belonged to the Philippine Government’s department of science and technology.
According to Check Point, the group specifically targets government ministries of foreign affairs, science and technology, as well as government-owned companies.
The motive is believed to be gathering of geo-political intelligence.
Check Point manager of Threat Intelligence Lotem Finkelsteen says, “Naikon attempted to attack one of our customers by impersonating a foreign government - that’s when they came back onto our radar after a five year absence, and we decided to investigate further.
“Our research found that Naikon is a highly motivated and sophisticated Chinese APT group. What drives them is their desire to gather intelligence and spy on countries, and they have spent the past five years quietly developing their skills and introducing a new cyber-weapon with the Aria-body backdoor.
“To evade detection, they were using exploits attributed to lots of APT groups, and uniquely using their victims’ servers as command and control centers. We’ve published this research as a warning and resource for any government entity to better spot Naikon’s or other hacker group’s activities."