A new report by Kaspersky Lab shows how the threat actor Naikon spent the last five years successfully infiltrating national organisations around the South China Sea – including setting up spying infrastructure within a country’s borders for realtime connections and data mining, and launching spying tools with 48 commands.
Experts have discovered that Naikon attackers appear to be Chinese-speaking and that their primary targets are top-level government agencies and civil and military organisations in countries such as the Philippines, Malaysia, Cambodia, Indonesia, Vietnam, Myanmar, Singapore, and Nepal, Thailand, Laos and China.
Kaspersky Lab has identified the following hallmarks of Naikon operations:
* At least five years of high volume, high profile, geo-political attack activity;
* Each target country has a designated human operator, whose job it is to take advantage of cultural aspects of the country, such as a tendency to use personal email accounts for work;
* The placing of infrastructure (a proxy server) within the country’s borders to provide daily support for real-time connections and data exfiltration;
* Platform-independent code, and the ability to intercept the entire network traffic; and
* 48 commands in the repertoire of the remote administration utility, including commands for taking a complete inventory, downloading and uploading data, installing add-on modules, or working with the command line.
The Naikon cyberespionage threat actor was first mentioned by Kaspersky Lab in its recent report, “The Chronicles of Hellsing APT: the Empire Strikes Back”, where the actor played a pivotal role in what turned out to be a unique story about payback in the world of advanced persistent threats. Hellsing is another threat actor who decided to take revenge when hit by Naikon.
“The criminals behind the Naikon attacks managed to devise a very flexible infrastructure that can be set up in any target country, with information tunnelling from victim systems to the command centre. If the attackers then decide to hunt down another target in another country, they could simply set up a new connection. Having dedicated operators focused on their own particular set of targets also makes things easy for the Naikon espionage group,” says Kurt Baumgartner, principal security researcher in the GreAT team at Kaspersky Lab.
Naikon’s targets are hit using traditional spear-phishing techniques, with emails carrying attachments designed to be of interest to the potential victim. This attachment might look like a Word document, but is in fact an executable file with a double extension.
Kaspersky Lab advises organisations to protect themselves against Naikon as follows:
* Don’t open attachments and links from people you don’t know;
* Use an advanced anti-malware solution;
* If you are unsure about the attachment, try to open it in a sandbox; and
* Make sure you have an up-to-date version of your operating system with all patches installed.