The attack group “Naikon” has spent the last five years successfully infiltrating national organizations around the South China Sea in search of geo-political intelligence, Kaspersky Lab said late Wednesday evening.
Naikon is an advanced persistent threat actor with at least five years of high volume, high profile, geo-political activity, Kaspersky Lab researchers said in its latest report on the group. The attackers, who appear to be Chinese-speaking, have set up infrastructure in different countries with advanced data mining tools and spying tools. Their primary targets are top-level government agencies and civil and military organizations in countries such as the Philippines, Malaysia, Cambodia, Indonesia, Vietnam, Myanmar, Singapore, and Nepal.
In one multi-year cyber-espionage campaign, Naikon infected computers with remote control modules and accessed employees’ corporate email and internal resources, along with personal and corporate email content hosted on external services.
Affected groups included the executive branch of the government, such as the Office of the President, Office of the Cabinet Secretary, and National Intelligence Coordination Agency. Federal police, department of justice, and the military offices were also targeted.
A few of these organizations were under continuous, real-time monitoring, Kaspersky said, while declining to identify the country.
The group has a “high success rate in infiltrating national organizations in ASEAN countries,” Kaspersky Lab said in its blog post.
While Naikon’s activities align closely with a group FireEye researchers have dubbed APT30, Kaspersky Lab researchers stopped short of saying they were the same, as they haven’t found any exact matches. “It is hardly surprising that there is an element of overlap, considering both actors have for years mined victims in the South China Sea area,” Kaspersky researchers wrote.
The Naikon group devised a very flexible infrastructure that can be set up in any target country, with information tunneling from victim systems to the command center, said Kurt Baumgartner, a principal security researcher with Kaspersky Lab’s Global Research and Analysis Team. The proxy server is located within the target country’s borders, which gives attackers daily support for their data extraction activities. If the attackers want to shift focus onto another target in a different country, they just need to set up a new connection.
The Naikon attackers rely on traditional spear phishing techniques to breach organizations, Kaspersky Lab said. The email attachments look like Word documents but are actually executables targeting a buffer overflow vulnerability in the ListView/TreeView Active X controls in Microsoft Common Controls library. The flaw affects Office 2003 SP3, 2007 SP2 and SP3, and 2010. When the victim opens the attachment, the executable installs spyware on the victim’s computer and displays a decoy document so that the victim remains unaware of what really happened.
Naikon’s spyware appears to be an externally developed application with three modules, a backdoor, a builder, and an exploit builder, researchers found. It injects platform-independent code into the browser memory along with information about the command-and-control server, user-agent string, filenames and paths for other attack components and hash sums of API functions. The main module is a remote administration utility capable of executing 48 commands, including taking complete inventory, downloading and uploading data to remote servers, installing add-on modules, and executing code on the command-line. Once the module is running, it uses SSL to establish a secure connection to the C&C server and checks for instructions.
Each target country has a designated human operator who is in charge of the attacks in that region. The human operator learns cultural norms and adapts it for the attacks, such as using personal email addresses for work-related correspondence, Kaspersky Lab researchers said. It was while the human operator was monitoring the targets that Naikon attackers set up the proxy servers to capture network traffic and provide real-time support.
“Having dedicated operators focused on their own particular set of targets also makes things easy for the Naikon espionage group,” Baumgartner said.
Naikon is the same group which attempted to infect the computers of government organizations, military, law enforcement, and civil aviation departments in Malaysian and several other countries shortly after Malaysia Airlines Flight MH370 disappeared. Naikon was trying to seal information related to the investigation of the flight and search efforts, Kaspersky Lab said last month. Kaspersky Lab researchers previously disclosed Naikon’s activities when discussing the group clashed with another APT group, Hellsing.
Back in June 2013, Trend Micro exposed evidence of the Rarstone remote access tool (RAT) being used in targeted attacks against various organizations in the telecommunications and energy industries in Asia, by what appears to be the same group.