Israeli cybersecurity firm Check Point claimed that Naikon, a China-based hacking group, has been conducting a five-year cyber espionage campaign against Asia-Pacific governments after it previously “slipped off the radar.”
According to Check Point, Naikon has so far targeted the ministries of foreign affairs, science and technology, as well as government-owned companies of nations including Australia, Indonesia, the Philippines, Vietnam, Thailand, Myanmar, and Brunei.
Naikon, which aims to gather geopolitical intelligence, was discovered by security researchers in 2015 and has been active for the past five years but “accelerated its cyber espionage activities in 2019 and Q1 2020,” according to Check Point.
The cybersecurity firm said, however, that the group had “slipped off the radar, with no new evidence or reports of activities found” until now.
A 2015 report by ThreatConnect, a Washington-based security company, linked Naikon to the Chinese government, alleging that it is a unit of the Chinese People’s Liberation Army (PLA).
The hacking group appeared to operate as part of the military’s Second Technical Reconnaissance Bureau, Unit 78020, based mainly in the southern city of Kunming, according to ThreatConnect. It is said to be responsible for China’s cyber operations and technological espionage in Southeast Asia and the South China Sea, where Beijing is embroiled in territorial disputes with its neighbors.
According to reports, Naikon will attempt to infiltrate a government body and use the stolen information it acquires there — such as contacts and documents — to attack other departments within that country’s government.
Check Point said it was alerted when it found an email with a document attached that contained malicious software, also known as malware.
When the document is opened, it infiltrates a user’s computer and attempts to download another piece of malware called “Aria-body.” This gives the hackers remote access to that computer or network, and bypasses security measures, Check Point said.
The group uses so-called spear-phishing, in which it sends an email carrying the infected document that appears to come from a trusted source, in this case another government official. The information used to craft these fake emails comes from previous successful attacks or public data.
Once they’re inside a network, they can launch further attacks without detection.
Furthermore, Lotem Finkelsteen, manager of threat intelligence at Check Point, said in a statement, “What drives them is their desire to gather intelligence and spy on countries, and they have spent the past five years quietly developing their skills and introducing a new cyber-weapon with the Aria-body backdoor.”
China’s cyber espionage efforts have shown no sign of relenting globally, even though tensions with Australia, the United States, and other countries have risen over trade, technology, and, more recently, disputes over the coronavirus pandemic.
Experts say these efforts aim to steal vast amounts of data from foreign governments and companies.
“This may be different in design, but these attacks all have the same purpose,” said Matthew Brazil, a former American diplomat and author of a new book on Chinese espionage, referring to Aria-body. (Edited from an article written by Arjun Kharpal, CNBC)