Naikon Attackers Targeted APAC Geo-Political Intel For Years: Kaspersky

The attack group “Naikon” has spent the last five years successfully infiltrating national organizations around the South China Sea in search of geo-political intelligence, Kaspersky Lab said late Wednesday evening.

Naikon is an advanced persistent threat actor with at least five years of high-volume, high-profile geopolitical activity, Kaspersky Lab researchers said in their latest report on the group. The attackers, who appear to be Chinese-speaking, have set up infrastructure in several countries and equipped it with advanced data-mining and spying tools. Their primary targets are top-level government agencies and civil and military organizations in countries such as the Philippines, Malaysia, Cambodia, Indonesia, Vietnam, Myanmar, Singapore, and Nepal.

In one multi-year cyber-espionage campaign, Naikon infected computers with remote control modules and accessed employees’ corporate email and internal resources, along with personal and corporate email content hosted on external services.

Affected groups included the executive branch of the government, such as the Office of the President, Office of the Cabinet Secretary, and National Intelligence Coordination Agency. Federal police, department of justice, and the military offices were also targeted.

A few of these organizations were under continuous, real-time monitoring, Kaspersky said, while declining to identify the country.

The group has a “high success rate in infiltrating national organizations in ASEAN countries,” Kaspersky Lab said in its blog post.

While Naikon’s activities align closely with a group FireEye researchers have dubbed APT30, Kaspersky Lab researchers stopped short of saying they were the same, as they haven’t found any exact matches. “It is hardly surprising that there is an element of overlap, considering both actors have for years mined victims in the South China Sea area,” Kaspersky researchers wrote.

The Naikon group devised a very flexible infrastructure that can be set up in any target country, with information tunneling from victim systems to the command center, said Kurt Baumgartner, a principal security researcher with Kaspersky Lab’s Global Research and Analysis Team. The proxy server is located within the target country’s borders, which gives attackers daily support for their data extraction activities. If the attackers want to shift focus onto another target in a different country, they just need to set up a new connection.


The Naikon attackers rely on traditional spear-phishing to breach organizations, Kaspersky Lab said. The email attachments are made to look like Word documents but are actually executables, or documents that trigger a buffer overflow in the ListView/TreeView ActiveX controls of the Microsoft Common Controls library (MSCOMCTL.OCX). The flaw affects Office 2003 SP3, 2007 SP2 and SP3, and 2010; that description matches the vulnerability Microsoft patched in April 2012 as MS12-027 (CVE-2012-0158), so an organization current on that update is not exposed to the exploit, although the plain-executable lures still work against an unwary user. When the victim opens the attachment, the executable installs spyware on the victim's computer and displays a decoy document so that the victim remains unaware of what really happened.
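The lures described above (an executable dressed up as a Word document) can be caught at the mail gateway before anyone opens them. The following is an added example of such a triage check and is not Kaspersky's code or anything taken from the Naikon toolset; the magic bytes, extension sets and sample filenames are my own constructed inputs. It flags three classic disguises: a right-to-left override character in the name, a double extension, and a file whose bytes say "PE" while its name says "document".

```python
"""Attachment triage for executables masquerading as Word documents (added example)."""

# Constructed magic bytes and extension sets (not taken from the Kaspersky report).
PE_MAGIC = b"MZ"                                  # Windows executable
OLE_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"   # legacy .doc/.xls (OLE2 compound file)
ZIP_MAGIC = b"PK\x03\x04"                         # .docx (OOXML is a zip container)
RTF_MAGIC = b"{\\rtf"
RTLO = "\u202e"                                   # Unicode right-to-left override
DOC_EXTS = {".doc", ".docx", ".rtf", ".xls", ".pdf"}
EXE_EXTS = {".exe", ".scr", ".com", ".pif", ".bat", ".cmd"}


def triage(name: str, head: bytes) -> list:
    """Return findings for one attachment given its filename and leading bytes.

    An empty list means nothing suspicious was seen. Any finding should divert
    the attachment to quarantine or a sandbox instead of the user's inbox.
    """
    findings = []
    lowered = name.lower()
    parts = lowered.rsplit(".", 2)            # at most ["base", "ext1", "ext2"]
    ext = "." + parts[-1] if len(parts) > 1 else ""

    # 1. Right-to-left override: "agenda\u202ecod.exe" is displayed as "agendaexe.doc".
    if RTLO in name:
        findings.append("rtlo-in-filename")

    # 2. Double extension: "agenda.doc.exe" shows as "agenda.doc" when Explorer hides extensions.
    if len(parts) == 3 and "." + parts[1] in DOC_EXTS and ext in EXE_EXTS:
        findings.append("double-extension")

    # 3. Content/extension mismatch: the bytes are a PE image, the name claims a document.
    if head.startswith(PE_MAGIC) and ext in DOC_EXTS:
        findings.append("pe-with-document-extension")
    elif ext in (".doc", ".docx") and not head.startswith((OLE_MAGIC, ZIP_MAGIC, RTF_MAGIC)):
        findings.append("document-extension-unexpected-magic")

    return findings


if __name__ == "__main__":
    # Constructed samples, not real Naikon attachments.
    samples = [
        ("report.doc", OLE_MAGIC + b"\x00" * 8),
        ("report.doc", b"MZ\x90\x00\x03"),
        ("agenda.doc.exe", b"MZ\x90\x00"),
        ("agenda\u202ecod.exe", b"MZ\x90\x00"),
    ]
    for filename, head in samples:
        print(repr(filename), "->", triage(filename, head) or "clean")
```

The caveat is the fourth sample the check cannot see: a genuine OLE document that carries the MSCOMCTL exploit has the correct magic and a single honest extension, so it passes. That case is closed by the MS12-027 patch and by content inspection of embedded ActiveX objects, not by filename and header heuristics.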

Naikon’s spyware appears to be an externally developed application with three modules: a backdoor, a builder, and an exploit builder, researchers found. It injects platform-independent code into the browser’s memory along with its configuration: the command-and-control server, the user-agent string, filenames and paths for the other attack components, and hashes of the API function names it needs (so the plaintext names never appear in the binary). The main module is a remote administration utility capable of executing 48 commands, including taking a complete inventory of the host, downloading and uploading data to remote servers, installing add-on modules, and executing commands on the command line. Once running, the module establishes an SSL connection to the C&C server and polls it for instructions.
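The text notes that the injected code carries hashes of API functions rather than their names. The following is an added example, not Kaspersky's or the malware's code, of how an analyst turns such a table back into names: hash every candidate API name with the same algorithm and look the recovered values up. The report does not say which hash Naikon used, so the ROR-13 additive hash common in Windows shellcode is assumed here, as is the candidate API list and the constructed hash blob.

```python
"""Resolve API-name hashes of the kind an implant embeds instead of strings (added example)."""
import struct


def ror13_hash(name: str) -> int:
    """Assumed algorithm: 32-bit rotate-right-13 additive hash over the ASCII name.

    The Kaspersky report does not specify Naikon's hash; this one stands in for it.
    """
    h = 0
    for byte in name.encode("ascii"):
        h = (((h >> 13) | (h << 19)) & 0xFFFFFFFF) + byte
        h &= 0xFFFFFFFF
    return h


# Assumed candidate list: APIs a remote-administration module of this kind would
# plausibly import. In practice, feed the full export tables of kernel32, wininet, ws2_32.
CANDIDATE_APIS = [
    "LoadLibraryA", "GetProcAddress", "VirtualAlloc", "VirtualProtect",
    "CreateProcessA", "CreateFileA", "ReadFile", "WriteFile", "FindFirstFileA",
    "InternetOpenA", "InternetConnectA", "HttpOpenRequestA", "HttpSendRequestA",
    "InternetReadFile", "ExitProcess",
]


def build_table(names) -> dict:
    """Map hash -> name. A collision would make the table shorter than the input list."""
    return {ror13_hash(n): n for n in names}


def parse_hash_blob(blob: bytes) -> list:
    """Split a carved memory region into little-endian DWORD hashes."""
    count = len(blob) // 4
    return list(struct.unpack("<%dI" % count, blob[: count * 4]))


def resolve(hashes, table) -> list:
    """Name each hash, or mark it unknown so the analyst knows to widen the candidate list."""
    return [table.get(h, "unknown:%08x" % h) for h in hashes]


# Constructed blob standing in for a hash table carved from the injected code region.
# It is built with the same hash so the example is self-contained; the last DWORD is
# deliberately absent from the candidate list to show the unresolved case.
EXAMPLE_BLOB = b"".join(
    struct.pack("<I", ror13_hash(n))
    for n in ("InternetOpenA", "HttpSendRequestA", "CreateProcessA")
) + struct.pack("<I", 0xDEADBEEF)


def resolve_example() -> list:
    return resolve(parse_hash_blob(EXAMPLE_BLOB), build_table(CANDIDATE_APIS))


if __name__ == "__main__":
    for entry in resolve_example():
        print(entry)
```

The point of the blob check is the one a string-based triage misses: none of the resolved API names occur as text in the injected code, so "strings" on the dump shows nothing, while the hash table recovers the implant's networking and process-creation capability in a few lines.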

Each target country has a designated human operator who is in charge of the attacks in that region. The operator learns the local cultural norms and adapts the attacks to them, such as using personal email addresses for work-related correspondence, Kaspersky Lab researchers said. It was while these operators were monitoring their targets that the Naikon attackers set up the in-country proxy servers to capture network traffic and provide real-time support.

“Having dedicated operators focused on their own particular set of targets also makes things easy for the Naikon espionage group,” Baumgartner said.

Naikon is the same group that attempted to infect the computers of government organizations, the military, law enforcement, and civil aviation departments in Malaysia and several other countries shortly after Malaysia Airlines Flight MH370 disappeared. Naikon was trying to steal information related to the investigation of the flight and the search efforts, Kaspersky Lab said last month. Kaspersky Lab researchers previously disclosed Naikon’s activities when describing how the group clashed with another APT group, Hellsing.

Back in June 2013, Trend Micro exposed evidence of the Rarstone remote access tool (RAT) being used in targeted attacks against various organizations in the telecommunications and energy industries in Asia by what appears to be the same group.

Related: Rarstone RAT Being Used in Targeted Attacks in Asia: Trend Micro

Related: FireEye Uncovers Decade-Long Cyber Espionage Campaign Targeting South East Asia
