
Check Point uncovers five-year cyber espionage campaign

Check Point Software Technologies has identified and reported on a five-year cyber espionage campaign targeting Asia Pacific governments.

Check Point Research, the Threat Intelligence arm of Check Point Software Technologies, has uncovered ongoing cyber espionage operations run by Naikon, a Chinese APT group.

Specific targets in the APAC region include Australia, Indonesia, the Philippines, Vietnam, Thailand, Myanmar and Brunei.

The method of attack is by using one government against another. For example, once the hackers have infiltrated one government body, the group uses that body’s contacts, documents and servers to launch targeted phishing attacks against new government targets.

Naikon’s primary method is to exploit the trust and diplomatic relations between departments and governments to increase the chances of its attacks succeeding.

The group has been working on the campaign since 2015, and throughout 2019 and Q1 2020 its cyber espionage activities have accelerated.

Five years ago, it was first reported that Naikon was responsible for attacks against top-level government agencies and related organisations in countries around the South China Sea, in search of political intelligence.

However, the Naikon group disappeared later the same year with no new evidence or reports of activities found until 2019.

Check Point researchers have uncovered that the group has not only been active for the past five years, but has also accelerated its cyber espionage activities since last year.

Researchers were initially alerted when investigating an example of a malicious email with an infected document that was sent from a government embassy in APAC to the Australian government.

The document contained an exploit which, when opened, infiltrates the user’s PC and tries to download a sophisticated new backdoor malware called ‘Aria-body’ from external web servers used by the Naikon group. The backdoor gives the group remote access to the infected PC or network, bypassing security measures.

Further investigation revealed similar infection chains being used to deliver the Aria-body backdoor; all of them follow a three-step pattern.

Step one is to impersonate an official government document to trick the recipient. Naikon starts by crafting an email and document that contains information of interest to the targets.

This can be based on information from open sources or on proprietary information stolen from other compromised systems, to avoid raising suspicion.

Step two is to infect documents with malware in order to infiltrate target systems. Check Point states that Naikon embeds a malicious downloader for the Aria-body backdoor in documents to gain access to the targets’ networks.

Step three is to use governments’ own servers to continue and control attacks. Researchers found that Naikon uses the infrastructure and servers of its victims to launch new attacks, which helps it evade detection.

In one example, researchers found a server used in attacks belonged to the Philippine Government’s department of science and technology.

According to Check Point, the group specifically targets government ministries of foreign affairs, science and technology, as well as government-owned companies.

The motive is believed to be the gathering of geopolitical intelligence.

Check Point manager of Threat Intelligence Lotem Finkelsteen says, “Naikon attempted to attack one of our customers by impersonating a foreign government - that’s when they came back onto our radar after a five-year absence, and we decided to investigate further.

“Our research found that Naikon is a highly motivated and sophisticated Chinese APT group. What drives them is their desire to gather intelligence and spy on countries, and they have spent the past five years quietly developing their skills and introducing a new cyber-weapon with the Aria-body backdoor.

“To evade detection, they were using exploits attributed to lots of APT groups, and uniquely using their victims’ servers as command and control centers. We’ve published this research as a warning and resource for any government entity to better spot Naikon’s or other hacker groups’ activities.”
