High-level, state-sponsored Naikon hackers exposed

The activities of yet another long-running apparently state-sponsored hacking crew have finally been exposed.

The Naikon cyber-espionage group has been targeting government, military and civil organisations around the South China Sea for at least five years, according to researchers at Kaspersky Lab.

The Naikon attackers appear to be Chinese-speaking and chiefly interested in top-level government agencies and civil and military organisations in countries such as the Philippines, Malaysia, Cambodia, Indonesia, Vietnam, Myanmar, Singapore, and Nepal.

The group relies on standard cyber-spy tactics: custom malware and spear phishing featuring emails carrying attachments designed to be of interest to the potential victim. This attachment might look like a Word document, but is in fact an executable file with a double extension.

Naikon has developed platform-independent code and the ability to intercept the entire network traffic, marking them out as more capable than the norm.

The remote access trojan routinely used by the crew comes with 48 commands, including instructions for downloading and uploading data, installing add-on modules or working with the command line.

Each target country has a designated human operator, whose job it is to take advantage of cultural aspects of the country, such as a tendency to use personal email accounts for work.

As well as this social engineering to fine-tune targeting, the group also routinely places its hacking command and control infrastructure (a proxy server) within the country’s borders to facilitate real-time connections and data exfiltration.

The tactic means that suspicious traffic is not travelling outside a target's country and is therefore less likely to be flagged as potentially dodgy and subjected to further scrutiny.

"The criminals behind the Naikon attacks managed to devise a very flexible infrastructure that can be set up in any target country, with information tunnelling from victim systems to the command centre," explained Kurt Baumgartner, principal security researcher at Kaspersky Lab. "If the attackers then decide to hunt down another target in another country, they could simply set up a new connection. Having dedicated operators focused on their own particular set of targets also makes things easy for the Naikon espionage group."

The Naikon crew recently locked horns with Hellsing, another cyberspy group. The incident prompted Kaspersky Lab researchers, who were already looking into Hellsing, to cast their attention towards Naikon.

A full write-up of Kaspersky's findings on the Naikon cyberspies can be found in a blog post here. ®