Hacker group has targeted Asia Pacific governments in five-year campaign


Researchers at Check Point have uncovered a China-based hacker group that has been targeting multiple national governments in the APAC region over the past five years to gather political intelligence and conduct espionage.

Targets include Australia, Indonesia, Philippines, Vietnam, Thailand, Myanmar and Brunei. After infiltrating one government body, the hacker group uses that body’s contacts, documents and servers to launch targeted phishing attacks against new government targets.

The group, called 'Naikon', was first reported in 2015 as being responsible for attacks against top-level government agencies and related organizations in countries around the South China Sea. But during 2015 the group slipped off the radar. However, Check Point's research confirms that the group has not only been active for the past five years, but has also accelerated its cyber espionage activities in 2019 and early 2020.

Researchers were alerted when investigating an example of a malicious email with an infected document that was sent from a government embassy in APAC to the Australian government. The document contained an exploit which, when opened, infiltrates the user's PC and tries to download a sophisticated new backdoor malware called 'Aria-body' from external servers used by the Naikon group. Once installed, it gives the group remote access to the infected PC or network, bypassing security measures.

"Naikon attempted to attack one of our customers by impersonating a foreign government -- that's when they came back onto our radar after a five-year absence, and we decided to investigate further," says manager of threat intelligence at Check Point, Lotem Finkelsteen. "Our research found that Naikon is a highly motivated and sophisticated Chinese APT group. What drives them is their desire to gather intelligence and spy on countries, and they have spent the past five years quietly developing their skills and introducing a new cyber-weapon with the Aria-body backdoor. To evade detection, they were using exploits attributed to lots of APT groups, and uniquely using their victims' servers as command and control centers. We've published this research as a warning and resource for any government entity to better spot Naikon's or other hacker groups’ activities."

You can read more about the attacks and how they work on the Check Point blog.

Image credit: igorstevanovic / Shutterstock


© 1998-2024 BetaNews, Inc. All Rights Reserved.