Naikon Hackers Take Aim At Asia-Pacific Nations, Warns Kaspersky


New hacker collective is snooping on government, civil and military targets in a number of Asian countries

Security specialist Kaspersky Lab has warned of an active hacker collective that goes by the name of Naikon and is targeting a number of countries in the South China Sea area.

The group has apparently infiltrated a number of government, civil and military organisations in countries such as the Philippines, Malaysia, Cambodia, Indonesia, Vietnam, Myanmar, Singapore, Thailand, Laos, China and Nepal.

Organised

The existence of Naikon was revealed by Kaspersky in a new report. It said that the group has been operating for at least five years, and has carried out a “high volume, high profile, geo-political attack activity”.

Naikon tends to focus on particular geographic areas, and the hackers utilise a dynamic, well organised infrastructure. They have apparently been highly successful in infiltrating national organisations in the region, and they rely on backdoors and other hacking tools including an exploit builder.

“In the spring of 2014, we noticed an increase in the volume of attack activity by the Naikon APT,” wrote Kaspersky. “The attackers appeared to be Chinese-speaking and targeted mainly top-level government agencies and civil and military organisations in countries such as the Philippines, Malaysia, Cambodia, Indonesia, Vietnam, Myanmar, Singapore, Nepal, Thailand, Laos and China.”

It seems that the Naikon hackers typically begin an attack with an email carrying an attachment that contains information of interest to the potential victim. This “bait” document appears to be a standard Word document, but is in fact an executable with a double extension that can execute code without the user’s knowledge or consent. When the executable is launched, spyware is installed on the victim computer. At the same time, a decoy document is displayed on the victim’s computer, so the user is fooled into thinking he or she has only opened a document.
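
The double-extension bait attachment described above is something a mail gateway can flag before it reaches a user. The following is an added example, not code from Kaspersky or the article, showing two defender-side checks on constructed sample attachments: a filename whose last two extensions are a document type followed by an executable type (Windows hides known extensions by default, so “agenda.doc.exe” is shown as “agenda.doc”), and, going one step beyond the article, a file that claims a document extension but begins with the “MZ” magic bytes of a Windows executable. The attachment names and contents are made up for the example.

```python
from dataclasses import dataclass

# Extensions a user reads as "a document", and extensions Windows will execute.
DOCUMENT_EXTS = {"doc", "docx", "xls", "xlsx", "ppt", "pptx", "pdf", "rtf"}
EXECUTABLE_EXTS = {"exe", "scr", "com", "pif", "bat", "cmd", "js", "vbs"}

# Every Windows PE executable starts with the two bytes "MZ".
PE_MAGIC = b"MZ"


@dataclass
class Attachment:
    filename: str
    content: bytes


def has_double_extension(filename: str) -> bool:
    """True when a document-looking extension is followed by an executable one,
    e.g. 'agenda.doc.exe' (displayed as 'agenda.doc' when extensions are hidden)."""
    parts = filename.lower().split(".")
    return len(parts) >= 3 and parts[-2] in DOCUMENT_EXTS and parts[-1] in EXECUTABLE_EXTS


def looks_like_pe(content: bytes) -> bool:
    """True when the file body starts with the PE magic, whatever the name says."""
    return content[:2] == PE_MAGIC


def classify(att: Attachment) -> list[str]:
    """Return the reasons an attachment should be held for review; empty means clean."""
    reasons = []
    if has_double_extension(att.filename):
        reasons.append("double extension")
    final_ext = att.filename.lower().rsplit(".", 1)[-1]
    if final_ext in DOCUMENT_EXTS and looks_like_pe(att.content):
        reasons.append("PE content with document extension")
    return reasons


# Constructed sample attachments (not real samples): a Naikon-style bait file,
# a renamed executable, and a genuine Office document (ZIP/OOXML header).
SAMPLES = [
    Attachment("agenda.doc.exe", b"MZ\x90\x00\x03\x00"),
    Attachment("budget.docx", b"MZ\x90\x00\x03\x00"),
    Attachment("minutes.docx", b"PK\x03\x04\x14\x00"),
]


def flagged_attachments(samples=SAMPLES) -> dict[str, list[str]]:
    """Map each suspicious filename to its reasons; clean files are omitted."""
    return {a.filename: classify(a) for a in samples if classify(a)}
```

Run on the constructed samples, `flagged_attachments()` holds the first two files and passes the genuine document through; in production the same checks would sit in the mail gateway’s attachment scanner.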

“There are 48 commands in the module’s repertoire, which a remote operator can use to effectively control the victim computer,” said Kaspersky.

Intelligence Gathering

Interestingly, a C&C server is placed within a particular country in order to assist with the data extraction and support real-time connections.

This level of sophistication strongly suggests that a nation state could be behind the Naikon hackers. Indeed, it seems that the purpose of Naikon is to conduct cyber-espionage campaigns for many years against particular countries.

Kaspersky cited an unnamed country, and said that Naikon had infiltrated a number of national organisations in that country including the Office of the President; Military Forces; Office of the Cabinet Secretary; National Security Council; Intelligence Services; Civil Aviation Authority; and the Department of Justice, to name but a few.

The hackers apparently had access to corporate email and internal resources, as well as access to personal and corporate email content hosted on external services.

“A few of these organisations were key targets and under continuous, real-time monitoring,” said Kaspersky. “It was during operator X’s network monitoring that the attackers placed Naikon proxies within the countries’ borders, to cloak and support real-time outbound connections and data exfiltration from high-profile victim organisations.”

Cyber Threat

This is not the first time that cyber-espionage cases like this have been exposed. Last year Symantec warned of an ongoing cyber-espionage campaign which targeted the governments and embassies of the former Eastern Bloc countries.

Meanwhile it was alleged last month that the Russian government had hacked into the White House’s computer systems. The hackers had first penetrated the State Department’s email system last October and were “likely working for the Russian government”.

And countries are beginning to protect themselves. President Obama recently launched a US sanctions program which, for the first time ever, will use sanctions to financially punish individuals and groups outside the United States who are involved in malicious cyber attacks.
