Naikon Attackers Targeted APAC Geo-Political Intel For Years: Kaspersky


The attack group “Naikon” has spent the last five years successfully infiltrating national organizations around the South China Sea in search of geo-political intelligence, Kaspersky Lab said late Wednesday evening.

Naikon is an advanced persistent threat actor with at least five years of high-volume, high-profile, geo-political activity, Kaspersky Lab researchers said in their latest report on the group. The attackers, who appear to be Chinese-speaking, have set up infrastructure in different countries with advanced data-mining and spying tools. Their primary targets are top-level government agencies and civil and military organizations in countries such as the Philippines, Malaysia, Cambodia, Indonesia, Vietnam, Myanmar, Singapore, and Nepal.

In one multi-year cyber-espionage campaign, Naikon infected computers with remote control modules and accessed employees’ corporate email and internal resources, along with personal and corporate email content hosted on external services.

Affected groups included the executive branch of the government, such as the Office of the President, Office of the Cabinet Secretary, and National Intelligence Coordination Agency. Federal police, department of justice, and the military offices were also targeted.

A few of these organizations were under continuous, real-time monitoring, Kaspersky said, while declining to identify the country.

The group has a “high success rate in infiltrating national organizations in ASEAN countries,” Kaspersky Lab said in its blog post.

While Naikon’s activities align closely with a group FireEye researchers have dubbed APT30, Kaspersky Lab researchers stopped short of saying they were the same, as they haven’t found any exact matches. “It is hardly surprising that there is an element of overlap, considering both actors have for years mined victims in the South China Sea area,” Kaspersky researchers wrote.

The Naikon group devised a very flexible infrastructure that can be set up in any target country, with information tunneling from victim systems to the command center, said Kurt Baumgartner, a principal security researcher with Kaspersky Lab’s Global Research and Analysis Team. The proxy server is located within the target country’s borders, which gives attackers daily support for their data extraction activities. If the attackers want to shift focus onto another target in a different country, they just need to set up a new connection.

The Naikon attackers rely on traditional spear-phishing techniques to breach organizations, Kaspersky Lab said. The email attachments look like Word documents but are actually executables targeting a buffer overflow vulnerability in the ListView/TreeView ActiveX controls in the Microsoft Common Controls library. The flaw affects Office 2003 SP3, 2007 SP2 and SP3, and 2010. When the victim opens the attachment, the executable installs spyware on the victim’s computer and displays a decoy document so that the victim remains unaware of what really happened.
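One defensive check the attachment description above suggests, written here as an added example rather than anything from Kaspersky's report: compare the extension an attachment shows the user against its real header bytes, and flag the double-extension and right-to-left-override tricks used to make an executable pass for a Word document. The sample headers are constructed, not real malware.

```python
"""Flag e-mail attachments that claim to be Word documents but carry a
Windows executable. Added example; the sample attachments are constructed."""
from typing import Dict, List, Tuple

# Header bytes of the formats a genuine "Word attachment" could be
DOC_MAGIC = {
    b"\xd0\xcf\x11\xe0": "ole-compound (.doc)",
    b"PK\x03\x04": "ooxml-zip (.docx)",
    b"{\\rt": "rtf",
}
PE_MAGIC = b"MZ"                       # DOS/PE executable header
DOC_EXTS = {"doc", "docx", "rtf"}
EXE_EXTS = {"exe", "scr", "com", "pif"}

def sniff(data: bytes) -> str:
    """Classify content by its leading bytes, ignoring the filename."""
    for magic, name in DOC_MAGIC.items():
        if data.startswith(magic):
            return name
    return "pe-executable" if data.startswith(PE_MAGIC) else "unknown"

def assess(filename: str, data: bytes) -> Tuple[str, List[str]]:
    """Return (verdict, reasons) for one attachment."""
    reasons = []
    parts = filename.lower().split(".")
    ext = parts[-1] if len(parts) > 1 else ""
    kind = sniff(data)
    # "agenda.doc.exe": the visible extension is not the one that runs
    if len(parts) > 2 and parts[-2] in DOC_EXTS and ext in EXE_EXTS:
        reasons.append("double extension hides executable")
    # U+202E reverses the rest of the name so "exe.doc" displays as "doc.exe"
    if "\u202e" in filename:
        reasons.append("RLO character in filename")
    # Extension says document, bytes say executable
    if ext in DOC_EXTS and kind == "pe-executable":
        reasons.append("Word extension but PE header")
    if ext in EXE_EXTS:
        reasons.append("executable attachment")
    return ("block" if reasons else "allow"), reasons

def triage(attachments: Dict[str, bytes]) -> Dict[str, str]:
    """Verdict per attachment name."""
    return {name: assess(name, data)[0] for name, data in attachments.items()}

# Constructed samples: headers only, padded with zeros
SAMPLES = {
    "budget_2015.docx": b"PK\x03\x04" + b"\x00" * 28,
    "minutes.doc": b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1",
    "agenda.doc.exe": b"MZ\x90\x00" + b"\x00" * 60,
    "report.doc": b"MZ\x90\x00" + b"\x00" * 60,   # PE renamed to .doc
}
```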

Naikon’s spyware appears to be an externally developed application with three modules: a backdoor, a builder, and an exploit builder, researchers found. It injects platform-independent code into the browser memory along with information about the command-and-control server, a user-agent string, filenames and paths for other attack components, and hash sums of API functions. The main module is a remote administration utility capable of executing 48 commands, including taking a complete inventory, downloading and uploading data to remote servers, installing add-on modules, and executing code on the command line. Once the module is running, it uses SSL to establish a secure connection to the C&C server and checks for instructions.

Each target country has a designated human operator who is in charge of the attacks in that region. The human operator learns the local cultural norms and adapts them for the attacks, such as using personal email addresses for work-related correspondence, Kaspersky Lab researchers said. It was while the human operator was monitoring the targets that Naikon attackers set up the proxy servers to capture network traffic and provide real-time support.

“Having dedicated operators focused on their own particular set of targets also makes things easy for the Naikon espionage group,” Baumgartner said.

Naikon is the same group that attempted to infect the computers of government organizations, military, law enforcement, and civil aviation departments in Malaysia and several other countries shortly after Malaysia Airlines Flight MH370 disappeared. Naikon was trying to steal information related to the investigation of the flight and search efforts, Kaspersky Lab said last month. Kaspersky Lab researchers previously disclosed Naikon’s activities when discussing how the group clashed with another APT group, Hellsing.

Back in June 2013, Trend Micro exposed evidence of the Rarstone remote access tool (RAT) being used in targeted attacks against various organizations in the telecommunications and energy industries in Asia, by what appears to be the same group.

Related: Rarstone RAT Being Used in Targeted Attacks in Asia: Trend Micro

Related: FireEye Uncovers Decade-Long Cyber Espionage Campaign Targeting South East Asia
