Naikon APT: Stealing State Secrets for 5 Years at Least

Naikon, a threat actor that appears to be Chinese-speaking, has spent the last five years successfully infiltrating national organizations around the South China Sea. This advanced persistent threat (APT) is one of the most active in Asia.

Naikon’s primary targets are top-level government agencies and civil and military organizations in countries such as the Philippines, Malaysia, Cambodia, Indonesia, Vietnam, Myanmar, Singapore, Thailand, Laos, China and Nepal. Kaspersky Lab has observed the group doing everything from setting up spying infrastructure within a country’s borders for real-time connections, to using spying tools with 48 commands.

The operation has certain hallmarks, according to researchers. For one, each target country has a designated human operator, whose job it is to take advantage of cultural idiosyncrasies of the country, such as a tendency to use personal email accounts for work.

For another, it places infrastructure (a proxy server) within the target country’s borders to provide daily support for real-time connections and data exfiltration; platform-independent code is used to intercept entire networks’ traffic. The group relies on an externally developed, consistent set of tools comprising a full-featured backdoor, a builder and an exploit builder—and it has a high success rate in infiltrating national organizations in ASEAN countries.

As mentioned, there are 48 commands in the repertoire of the remote administration utility, including commands for taking a complete inventory, downloading and uploading data, installing add-on modules, or working with the command line.

“The criminals behind the Naikon attacks managed to devise a very flexible infrastructure that can be set up in any target country, with information tunneling from victim systems to the command center,” said Kaspersky Lab principal security researcher, Kurt Baumgartner, in a statement. “If the attackers then decide to hunt down another target in another country, they could simply set up a new connection. Having dedicated operators focused on their own particular set of targets also makes things easy for the Naikon espionage group.”

Naikon’s targets are hit using traditional spear-phishing techniques, with emails carrying attachments designed to be of interest to the potential victim. This attachment might look like a Word document, but is in fact an executable file with a double extension.
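The double-extension trick described above (a file named like a document whose real, final extension is executable) is something a mail gateway or triage script can flag before a user ever sees the attachment. The following is an added defensive example written for this article; it is not code from Kaspersky Lab or from the Naikon report, and the extension lists and the sample attachment names are constructed assumptions rather than indicators taken from the campaign.

```python
"""Flag attachment names that look like documents but end in an executable
extension (e.g. "Q3 budget.doc.exe").

Added example, not from the article or Kaspersky Lab. The extension sets
below are an assumption for illustration, not a complete catalogue.
"""
from pathlib import PurePosixPath

# Extensions Windows will execute or script-run when double-clicked (assumed list).
EXECUTABLE_EXTS = {"exe", "scr", "com", "pif", "bat", "cmd", "js", "vbs", "hta"}
# Extensions a recipient would expect on a harmless document (assumed list).
DOCUMENT_EXTS = {"doc", "docx", "xls", "xlsx", "ppt", "pptx", "pdf", "rtf", "txt"}


def extensions(filename: str) -> list[str]:
    """Return the normalised extension parts of a filename.

    'Q3 budget.doc.exe' -> ['doc', 'exe'].  Any directory component is
    dropped, and each part is stripped of padding whitespace (a common way to
    push the real extension out of view) and lowercased.
    """
    name = PurePosixPath(filename).name
    parts = name.split(".")
    if len(parts) < 2:
        return []
    return [p.strip().lower() for p in parts[1:]]


def classify_attachment(filename: str) -> str:
    """Classify one attachment name.

    Returns one of:
      'disguised-executable' - document-like extension followed by an executable one
      'executable'           - executable final extension without the disguise
      'no-extension'         - nothing to judge on
      'ok'                   - final extension is not executable
    """
    exts = extensions(filename)
    if not exts:
        return "no-extension"
    final = exts[-1]
    if final in EXECUTABLE_EXTS:
        if len(exts) >= 2 and exts[-2] in DOCUMENT_EXTS:
            return "disguised-executable"
        return "executable"
    return "ok"


def flagged_attachments(filenames: list[str]) -> list[tuple[str, str]]:
    """Return (filename, verdict) for every attachment that is not plain 'ok'."""
    return [(f, v) for f in filenames if (v := classify_attachment(f)) != "ok"]


if __name__ == "__main__":
    # Constructed sample attachment names, not real campaign artefacts.
    sample_mail_attachments = [
        "Agenda.docx",
        "Ministry briefing.doc.exe",
        "Photos.pdf        .scr",
        "archive.tar.gz",
        "installer.exe",
        "README",
    ]
    for name, verdict in flagged_attachments(sample_mail_attachments):
        print(f"{verdict:22s} {name!r}")
```

In practice the filename check is only the cheapest layer: a gateway should also compare the declared extension against the file's actual content type, since the name is entirely under the sender's control.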

Kaspersky also noted that every once in a while, the Naikon group clashes with other APT groups that are also active in the region. In particular, the firm noticed that the Naikon group was spear-phished by an actor it calls “Hellsing.”