Peking Tom: Naikon APT Conducting Cyberespionage in APAC

The China-based Naikon APT group has finally been unmasked after five long years of espionage campaigns against various governments in the APAC region. The group used a backdoor named Aria-body, which was first detected in 2015.  

What is happening?

For the last five years, the threat actor has targeted one specific region: the Asia-Pacific. The backdoor has been used against national governments in Indonesia, Australia, the Philippines, Brunei, Thailand, and Myanmar. The targeted government entities include foreign affairs and science & technology ministries as well as government-owned organizations.

The situation

  • Naikon APT compromises a government entity and then uses this compromised entity to attack another entity.
  • Various infection chains are used to deliver the backdoor. 
  • GoDaddy is used as the registrar and Alibaba is used to host the attacker’s infrastructure. 

What the experts are saying

  • This is the most extensive operation ever carried out by a China-based APT group. 
  • It is suspected that since 2015, the group has been penetrating the personal computers of diplomats and hijacking ministerial servers. This makes the threat actor highly successful in collecting intel.
  • The malware has been observed spreading via diplomatic emails exchanged between governments and embassies, which lets it evade detection within those communications networks.

What else

  • Although the group may appear to have gone quiet since 2015, that does not seem to be the case: it has been using new server infrastructure and a new backdoor, along with other new techniques.
  • The new variant of Aria-body contains a USB monitor module but lacks a reverse-socks module and keylogger component.

In essence

Check Point has published the full report as a resource for governments. The campaign is an extensive intelligence operation, and the tactics employed by the espionage group are dangerous.

Cyware Publisher