Chinese Military Cyber Spies Just Caught Crossing A ‘Very Dangerous’ New Line
“This is the most extensive operation we have ever reported by a Chinese APT group,” the cyber researchers at Check Point told me, warning just how “targeted and sophisticated” this five-year campaign had been. Multiple overseas governments have been compromised by this threat group’s cyber weapons, and those government systems have been used to attack other countries.
The military espionage group’s tactics, described by Check Point as “very dangerous,” involved hijacking diplomatic communication channels to target specific computers in particular ministries. The malware-laced communications might be sent from an overseas embassy to ministries in its home country, or to government entities in its host country. “The group has introduced a new cyber weapon crafted to gather intelligence on a wide scale, but also to follow intelligence officers’ directives to look for a specific filename on a specific machine.”
Meet Naikon, a cyber reconnaissance unit with links to the People’s Liberation Army, outed in a ThreatConnect and Defense Group Inc. report in 2015. Back then, the group’s operations were described as “regional computer network operations, signals intelligence, and political analysis of the Southeast Asian border nations, particularly those claiming disputed areas of the energy-rich South China Sea.”
And while Naikon has seemingly been quiet since then, its mission has not changed. Check Point told me that it has actually been “penetrating diplomats’ PCs and taking over ministerial servers—making the group very successful in gathering intelligence from high-profile personnel and able to control critical assets.” The regional focus is the same. During those five years, Naikon’s cyber weapons have targeted Australia, Indonesia, the Philippines, Vietnam, Thailand, Myanmar and Brunei.
Naikon’s stepping-stone approach, compromising one government to reach others, is what marks the campaign as sophisticated: the attack mail arrives from a genuine, already compromised government account rather than a spoofed one, so it is not merely a false-flag operation. Check Point’s own investigation was triggered when “we observed a malicious email sent from a government embassy in APAC to the Australian government.” The attached RTF document had been built with the ‘RoyalRoad’ weaponizer, which drops files onto the compromised computer that then download further stages.
Check Point reported on this same exploit approach, also attributed to a Chinese APT, back in March—a number of documents disguised as coronavirus health warnings, purporting to come from the Mongolian government and targeting other public sector organizations inside the country. That exploit may have been similar, but the level of tradecraft was nowhere close to Naikon’s campaign.
“This is very sophisticated,” Check Point warns. “We saw [Naikon] spreading their malware through diplomatic emails between embassies and foreign governments to avoid detection of their communication with external, potentially malicious servers. They even took control of ministerial servers and turned them to their own.”
The ability to target a weapon at specific files on a specific individual’s machine in a specific government ministry can be a collection or deletion tool. “This is usually associated with nation states that want to rewind faulty actions and remove traces,” Check Point explains. And given the highly charged regional politics with China’s constant battle for influence and defensive superiority, playing neighbours with a mix of belt and road carrot and militaristic stick, this is notable.
“Check Point researchers have now blown Naikon’s cover,” the firm has said, “confirming that the group has not only been active for the past five years, but has also accelerated its cyber espionage activities. Naikon’s primary method of attack is to infiltrate a government body, then use that body’s contacts, documents and data to launch attacks on others, exploiting the trust and diplomatic relations between departments and governments to increase the chances of its attack succeeding.”
The campaign discovered by Check Point includes the sophisticated cyber weapon able to compromise government systems, but also an extensive intelligence operation that determined targets and crafted the lures that baited emails being sent from one government entity to another. Sitting inside the trusted ecosystem, those emails would slip the security nets. The crafted subject matters then had specifically targeted individuals in mind. “In one example, a server used in attacks belonged to the Philippine Government’s Department of Science and Technology.”
At the heart of Naikon’s campaign was the “Aria-body” loader, malware dating back to 2017 that is designed to open a backdoor to the APT’s command and control servers. Once executed, the loader persists via the startup folder or the registry of the infected machine, then downloads a more capable remote access trojan (RAT) from its external server, decrypts it and installs it on the machine.
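The persistence step described above is where a defender can look for this class of loader: a Run-key value or Startup-folder item that launches code from a directory an ordinary user can write to, often through a living-off-the-land binary such as rundll32.exe. The following is an added example, not Check Point’s code or indicators; it scores autostart entries (which you would collect with a tool such as Autoruns) against rules that are assumptions about typical loader tradecraft, and the sample entries are constructed. Note the deliberate caveat: legitimate software such as OneDrive also runs from AppData, so a user-writable path alone does not reach the reporting threshold without a second signal.

```python
"""Score Windows autostart entries for loader-style persistence.

Added example for this article. The rules below are assumptions about
common loader tradecraft (user-writable launch paths, LOLBins loading a
staged DLL or script, unsigned binaries); they are not Check Point's
published indicators for Aria-body. The sample entries are constructed.
"""
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Directory markers any unprivileged user can write to (assumption: default ACLs).
USER_WRITABLE = (
    "\\appdata\\", "\\temp\\", "\\users\\public\\", "\\downloads\\",
    "\\programdata\\", "%appdata%", "%localappdata%", "%temp%", "%public%",
)
# Living-off-the-land binaries commonly used to execute a dropped payload.
LOLBINS = {"rundll32.exe", "regsvr32.exe", "mshta.exe", "wscript.exe",
           "cscript.exe", "powershell.exe", "cmd.exe"}
PAYLOAD_EXTS = (".vbs", ".js", ".jse", ".hta", ".ps1", ".bat", ".cmd", ".dll", ".scr")


@dataclass
class AutorunEntry:
    location: str            # registry key path or Startup-folder path
    name: str                # value name or file name
    command: str             # command line as stored
    signer: Optional[str] = None  # verified Authenticode signer, if any


@dataclass
class Finding:
    entry: AutorunEntry
    score: int = 0
    reasons: List[str] = field(default_factory=list)


def tokens(command: str) -> List[str]:
    """Split a command line into quoted and unquoted tokens."""
    return [q or u for q, u in re.findall(r'"([^"]*)"|(\S+)', command)]


def basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def in_user_writable(path: str) -> bool:
    p = path.lower()
    return any(marker in p for marker in USER_WRITABLE)


def assess(entry: AutorunEntry) -> Finding:
    """Combine weak signals into a score; a single signal is not enough."""
    f = Finding(entry)
    toks = tokens(entry.command)
    if not toks:
        return f
    exe, args = toks[0], toks[1:]
    if in_user_writable(exe):
        f.score += 2
        f.reasons.append(f"launches from user-writable path: {exe}")
    if basename(exe) in LOLBINS:
        staged = [a for a in args
                  if in_user_writable(a) or a.lower().endswith(PAYLOAD_EXTS)]
        if staged:
            f.score += 3
            f.reasons.append(f"{basename(exe)} loads staged payload: {staged[0]}")
    if "startup" in entry.location.lower() and entry.name.lower().endswith(PAYLOAD_EXTS):
        f.score += 2
        f.reasons.append("script/DLL placed directly in the Startup folder")
    if entry.signer is None and f.score:
        f.score += 1
        f.reasons.append("no verified signer")
    return f


def suspicious(entries, threshold: int = 3) -> List[Finding]:
    return [f for f in map(assess, entries) if f.score >= threshold]


# Constructed sample entries, not real Autoruns output.
SAMPLE = [
    AutorunEntry(r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run", "OneDrive",
                 r'"C:\Users\alice\AppData\Local\Microsoft\OneDrive\OneDrive.exe" /background',
                 signer="Microsoft Corporation"),
    AutorunEntry(r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run", "Update",
                 r'rundll32.exe "C:\Users\alice\AppData\Roaming\svc\upd.dll",Start'),
    AutorunEntry(r"C:\Users\alice\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup",
                 "report.vbs",
                 r'wscript.exe "C:\Users\alice\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\report.vbs"'),
    AutorunEntry(r"HKLM\Software\Microsoft\Windows\CurrentVersion\Run", "SecurityHealth",
                 r"%windir%\system32\SecurityHealthSystray.exe", signer="Microsoft Windows"),
]

if __name__ == "__main__":
    for f in suspicious(SAMPLE):
        print(f"[{f.score}] {f.entry.location}\\{f.entry.name}: " + "; ".join(f.reasons))
```

Running the script reports only the rundll32 Run value and the Startup-folder script; the signed OneDrive entry scores below the threshold despite living in AppData, which is the trade-off a real deployment tunes with signer and hash allow-lists rather than by lowering the threshold.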
The Aria-body RAT can be instructed to create or delete files or entire directories, take screenshots, search across files and gather metadata, and even log locations and keystrokes. “Its purpose,” Check Point says, “is to gather intelligence and spy on the countries whose governments it has targeted. This includes locating and collecting specific documents from infected computers and networks, but also extracting data from removable drives, and taking screenshots and keylogging.”
Check Point attributed the campaign to Naikon based on similarities between the code in these tools and the code reported back in 2015. “We’ve published this research as a warning and resource for any government entity to better spot Naikon’s or other hacker groups’ activities,” the firm’s Lotem Finkelsteen said on publishing his team’s findings.