Check Point uncovers five-year cyber espionage campaign

Check Point Software Technologies has identified and reported on a five-year cyber espionage campaign that is targeting Asia Pacific governments.

Check Point Research, the Threat Intelligence arm of Check Point Software Technologies, has uncovered the ongoing cyber espionage operations driven by Naikon, a Chinese APT group.

Specific targets in the APAC region include Australia, Indonesia, Philippines, Vietnam, Thailand, Myanmar and Brunei.

The method of attack is to use one government against another. For example, once the hackers have infiltrated one government body, the group uses that body’s contacts, documents and servers to launch targeted phishing attacks against new government targets.

Naikon’s primary method is to exploit the trust and diplomatic relations between departments and governments to increase the chances of its attack succeeding.

The group has been working on the campaign since 2015, and throughout 2019 and Q1 2020 cyber espionage activities have accelerated.

Five years ago, it was first reported that Naikon was responsible for attacks against top-level government agencies and related organisations in countries around the South China Sea, in search of political intelligence.

However, the Naikon group disappeared later the same year with no new evidence or reports of activities found until 2019.

Check Point researchers have uncovered that the group has not only been active for the past five years, but has also accelerated its cyber espionage activities since last year.

Researchers were initially alerted when investigating an example of a malicious email with an infected document that was sent from a government embassy in APAC to the Australian government.

The document contained an exploit which, when opened, infiltrates the user’s PC and tries to download a sophisticated new backdoor malware called ‘Aria-body’ from external Web servers used by the Naikon group, to give the group remote access to the infected PC or network, bypassing security measures.

Further investigation revealed similar infection chains being used to deliver the Aria-body backdoor, all of which follow a three-step pattern.

Step one is to impersonate an official government document to trick the recipient. Naikon starts by crafting an email and document that contains information of interest to the targets.

This can be based on information from open sources or on proprietary information stolen from other compromised systems, to avoid raising suspicion.

Step two is to infect documents with malware to infiltrate target systems. Check Point states Naikon includes a malicious downloader for the Aria-body backdoor in documents, to give it access to the targets’ networks.

Step three is to use governments’ own servers to continue and control attacks. Researchers found that Naikon is using the infrastructures and servers of its victims to launch new attacks, which helps to evade detection.

In one example, researchers found a server used in attacks belonged to the Philippine Government’s department of science and technology.
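The chain described in steps two and three is what a defender can actually look for: a document reader launched from an email client spawns a process it has no business spawning, and that process immediately talks to an external host. Because the host may be a legitimate (compromised) government server, destination reputation alone is of little use, so the detection below keys on process lineage and timing instead. This is an added illustration written for this article, not Check Point’s code, and it references no real Naikon artefact; the event format, process names, hostnames and the five-minute window are all assumed.

```python
"""Behavioural detection for a document-delivered downloader chain.

Added example, not code from the article or from Check Point. The telemetry
format, process names and hostnames below are constructed for illustration.
"""
import json
from datetime import datetime, timedelta

# Processes that normally render e-mail attachments (assumption: Windows endpoints).
DOCUMENT_READERS = {"winword.exe", "excel.exe", "powerpnt.exe", "acrord32.exe"}

# Children a document reader should not be spawning during ordinary use.
SUSPICIOUS_CHILDREN = {"cmd.exe", "powershell.exe", "rundll32.exe",
                       "regsvr32.exe", "mshta.exe"}

# Maximum time between the document being opened and the outbound connection.
WINDOW = timedelta(minutes=5)

# Constructed endpoint telemetry, one JSON object per line.
# ws-17 shows the suspicious chain (note the destination is a "government" host);
# ws-22 shows a document reader making a benign connection of its own.
SAMPLE_EVENTS = """\
{"ts": "2020-05-07T09:00:00", "type": "process", "host": "ws-17", "pid": 410, "ppid": 300, "image": "outlook.exe"}
{"ts": "2020-05-07T09:01:10", "type": "process", "host": "ws-17", "pid": 512, "ppid": 410, "image": "winword.exe"}
{"ts": "2020-05-07T09:01:25", "type": "process", "host": "ws-17", "pid": 613, "ppid": 512, "image": "rundll32.exe"}
{"ts": "2020-05-07T09:01:30", "type": "network", "host": "ws-17", "pid": 613, "dest": "science-ministry.example.gov", "port": 443}
{"ts": "2020-05-07T09:20:00", "type": "process", "host": "ws-22", "pid": 700, "ppid": 300, "image": "winword.exe"}
{"ts": "2020-05-07T09:20:05", "type": "network", "host": "ws-22", "pid": 700, "dest": "office-cdn.example.com", "port": 443}
"""


def parse_events(text):
    """Parse newline-delimited JSON telemetry into a list of dicts."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def detect_document_downloader(events):
    """Return one alert per outbound connection made by a suspicious child
    of a document reader, where the connection happens within WINDOW of the
    document reader starting. Lineage, not destination, drives the verdict."""
    procs = {}  # (host, pid) -> process-creation event
    for ev in events:
        if ev["type"] == "process":
            procs[(ev["host"], ev["pid"])] = ev

    alerts = []
    for ev in events:
        if ev["type"] != "network":
            continue
        child = procs.get((ev["host"], ev["pid"]))
        if child is None or child["image"].lower() not in SUSPICIOUS_CHILDREN:
            continue
        parent = procs.get((ev["host"], child["ppid"]))
        if parent is None or parent["image"].lower() not in DOCUMENT_READERS:
            continue
        elapsed = datetime.fromisoformat(ev["ts"]) - datetime.fromisoformat(parent["ts"])
        if not (timedelta(0) <= elapsed <= WINDOW):
            continue
        alerts.append({
            "host": ev["host"],
            "reader": parent["image"],
            "child": child["image"],
            "dest": ev["dest"],
            "seconds_after_open": int(elapsed.total_seconds()),
        })
    return alerts


if __name__ == "__main__":
    for alert in detect_document_downloader(parse_events(SAMPLE_EVENTS)):
        print("possible document-delivered downloader:", alert)
```

Running it flags only ws-17, where winword.exe spawned rundll32.exe which then reached out to the constructed government host; ws-22, where Word itself contacted a CDN, is not flagged. A real deployment would feed EDR or Sysmon process and network events in place of the constructed lines and tune the reader, child and window lists to the environment.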

According to Check Point, the group specifically targets government ministries of foreign affairs, science and technology, as well as government-owned companies.

The motive is believed to be gathering of geo-political intelligence.

Check Point manager of Threat Intelligence Lotem Finkelsteen says, “Naikon attempted to attack one of our customers by impersonating a foreign government - that’s when they came back onto our radar after a five-year absence, and we decided to investigate further.

“Our research found that Naikon is a highly motivated and sophisticated Chinese APT group. What drives them is their desire to gather intelligence and spy on countries, and they have spent the past five years quietly developing their skills and introducing a new cyber-weapon with the Aria-body backdoor.

“To evade detection, they were using exploits attributed to lots of APT groups, and uniquely using their victims’ servers as command and control centers. We’ve published this research as a warning and resource for any government entity to better spot Naikon’s or other hacker groups’ activities.”
