APT Group Wages 5-Year Cyber-Espionage Campaign: ReportNaikon Hacking Group Targeted Asia-Pacific Countries With New RAT
Over the last five years, a hacking group that’s apparently tied to China has been targeting government ministries in the Asia-Pacific region as part of a cyber-espionage campaign, according to Check Point Research.
The Naikon advanced persistent threat group has been using a new type of remote access Trojan called Aria-body as a backdoor into government networks, according to a new Check Point report. Its espionage campaign has targeted ministries of foreign affairs, science and technology in countries such as Australia, Indonesia, the Philippines, Vietnam, Thailand, Myanmar and Brunei, researchers note.
"What drives them is their desire to gather intelligence and spy on countries, and they have spent the past five years quietly developing their skills and introducing a new cyber weapon with the Aria-body backdoor," says Lotem Finkelsteen, manager of threat intelligence at Check Point.
Naikon was first identified by Kaspersky researchers in 2015. At the time, analysts noted that the hackers, who appeared to be Chinese-speaking, were mainly targeting government agencies, as well as civilian and military organizations, in countries throughout Southeast Asia and the South China Sea.
After Kaspersky issued a report on Naikon, the group's activities appeared to stop. Not much was heard about the group until Check Point’s recent discovery. It now appears the group flew under the radar while developing new tools and carefully selecting targets.
"Naikon attempted to attack one of our customers by impersonating a foreign government - that’s when they came back onto our radar after a five-year absence, and we decided to investigate further," Finkelsteen says.
And while this espionage campaign has carried on for five years, Check Point notes that the group's activity increased in 2019 and the first quarter of 2020.
Remote Access Trojan
At the heart of this campaign is Aria-body, a remote access Trojan, or RAT, that appears to have first surfaced in 2018 and has been refined since then, according to Check Point. In addition to creating, searching and deleting files, Aria-body can take screenshots and work as a keylogger, the researchers note.
Over the years, the developers of Aria-body created more modules for the malware, such as a USB data gathering tool, according to Check Point.
A unique feature of Aria-body is that once it infects the network and servers of one target, it will then use that compromised infrastructure to launch new attacks, according to Check Point. In one case, the researchers found attacks stemming from a server that belonged the Philippine government’s Department of Science and Technology.
This is one reason why the Naikon cyber-espionage campaign continued for five years with little detection, the researchers say.
"Naikon's primary method of attack is to infiltrate a government body, then use that body's contacts, documents and data to launch attacks on others, exploiting the trust and diplomatic relations between departments and governments to increase the chances of its attack succeeding," the Check Point report states.
Attackers infect devices with the Aria-body RAT in several ways, researchers say. In one example, an email that appeared to come from an APAC embassy was sent to a recipient in the Australian government. That email contained an RTF file called "The Indians Way.doc," according to the report.
The RTF file was weaponized with what Check Point calls the RoyalRoad exploit builder, which takes advantage of certain vulnerabilities in Microsoft Word. If the victim opens the file, RoyalRoad will plant another file in the infected device, which acts as a loader. This loader then installs the final Aria-body payload, according to the report.
The New York Times reported that one of these malicious emails was sent on Jan. 3 from a compromised server belonging to the Indonesian Embassy in Australia to an employee at the office of Mark McGowan, the Premier of Western Australia.
A spokesperson for the Australian Department of Premier and Cabinet, however, told Information Security Media Group on Friday that the attack targeted an employee at a different department, not the premier’s office, and said the attack was unsuccessful.
"There is no evidence the Premier’s office has been hacked," according to the spokesperson. "The incident was reviewed by the Australian Cyber Security Center and the department’s email security system. No further action was necessary."
Link to China?
While the Check Point research does not link the Naikon hacking group with a particular nation-state, a 2015 report from security firms ThreatConnect and Defense Group Inc. linked the APT group to the Chinese military.
The report found that Naikon is associated with a unit of China's People’s Liberation Army that conducts intelligence and other operations in Southeast Asia and the South China Sea.
Executive Editor Jeremy Kirk contributed to this report.