The China-based Naikon APT group has finally been unmasked after five long years of espionage campaigns against various governments in the APAC region. The group used a backdoor named Aria-body, which was first detected in 2015.
What is happening?
For the past five years, the threat actor has been targeting a specific region, the Asia-Pacific. The backdoor has been used against national governments in Indonesia, Australia, the Philippines, Brunei, Thailand, and Myanmar. The targeted government entities include foreign affairs and science & technology ministries, as well as government-owned organizations.
- Naikon APT compromises one government entity and then uses that compromised entity as a foothold to attack another.
- Various infection chains are used to deliver the backdoor.
- GoDaddy is used as the registrar and Alibaba is used to host the attacker’s infrastructure.
What the experts are saying
- This is the most extensive operation ever carried out by a China-based APT group.
- It is suspected that since 2015, the group has been penetrating the personal computers of diplomats and hijacking ministerial servers, which has made the threat actor highly successful at collecting intelligence.
- The malware has been observed spreading via diplomatic emails between governments and embassies, allowing it to evade detection on their communication networks.
- Although the group appeared to have gone quiet after 2015, that was not the case: it had been operating with new server infrastructure and a new backdoor, along with other new techniques.
- The new variant of Aria-body contains a USB monitor module but lacks the reverse-SOCKS module and keylogger component.
The full report has been published by Check Point as a resource for governments. The campaign is an extensive intelligence operation, and the tactics employed by the espionage group are dangerous.