Naikon Hackers Take Aim At Asia-Pacific Nations, Warns Kaspersky

Security specialist Kaspersky Lab has warned of an active hacker collective that goes by the name of Naikon and is targeting a number of countries around the South China Sea.

The group has apparently infiltrated a number of government, civil and military organisations in countries such as the Philippines, Malaysia, Cambodia, Indonesia, Vietnam, Myanmar, Singapore, Thailand, Laos, China and Nepal.

Organised

The existence of Naikon was revealed by Kaspersky in a new report. It said that the group has been operating for at least five years and has carried out what it calls “high volume, high profile, geo-political attack activity”.

Naikon tends to focus on particular geographic areas, and the hackers use a dynamic, well-organised infrastructure. They have apparently been highly successful in infiltrating national organisations in the region, relying on backdoors and other tools, including an exploit builder.

“In the spring of 2014, we noticed an increase in the volume of attack activity by the Naikon APT,” wrote Kaspersky. “The attackers appeared to be Chinese-speaking and targeted mainly top-level government agencies and civil and military organisations in countries such as the Philippines, Malaysia, Cambodia, Indonesia, Vietnam, Myanmar, Singapore, Nepal, Thailand, Laos and China.”

It seems that the Naikon hackers typically begin an attack with an email carrying an attachment that contains information of interest to the potential victim. This “bait” document appears to be a standard Word document, but is in fact an executable with a double extension (a filename that ends in a document extension followed by an executable extension), so opening it runs code without the user’s knowledge or consent. When the executable is launched, spyware is installed on the victim’s computer. At the same time, a decoy document is displayed, so the user is fooled into thinking he or she has only opened a document.
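The lure described above turns on two mismatches that a mail gateway can check for: a filename that ends in an executable extension behind a document extension, and file contents (a Windows PE image beginning with the bytes `MZ`) that do not match the document type the name claims. The following Python is an added illustration of that check, not code from Kaspersky’s report or from the Naikon toolset; the attachment names, the sample bytes and the function names (`inspect_attachment`, `split_extensions`, `scan`) are constructed for the example.

```python
"""Flag e-mail attachments that pose as documents but are executables.

Added illustration of the double-extension lure described in the article:
a file such as "agenda.doc.exe" that is really a Windows PE image, shown
with a decoy document once it runs. All sample inputs below are constructed.
"""
from dataclasses import dataclass

DOC_EXTS = {"doc", "docx", "xls", "xlsx", "ppt", "pptx", "pdf", "rtf"}
EXEC_EXTS = {"exe", "scr", "com", "pif", "bat", "cmd", "js", "vbs", "hta"}

# Leading bytes of the container each document extension should carry.
MAGIC = {
    "doc": b"\xd0\xcf\x11\xe0",   # OLE2 compound document (legacy Office)
    "xls": b"\xd0\xcf\x11\xe0",
    "ppt": b"\xd0\xcf\x11\xe0",
    "docx": b"PK\x03\x04",        # OOXML documents are zip archives
    "xlsx": b"PK\x03\x04",
    "pptx": b"PK\x03\x04",
    "pdf": b"%PDF",
    "rtf": b"{\\rtf",
}
PE_MAGIC = b"MZ"                  # DOS stub header of every Windows PE file


@dataclass
class Verdict:
    filename: str
    reasons: list

    @property
    def suspicious(self) -> bool:
        return bool(self.reasons)


def split_extensions(filename: str) -> list:
    """'dir/Agenda.DOC.Exe' -> ['doc', 'exe']: every extension, lower-cased."""
    base = filename.rsplit("/", 1)[-1]
    return [p.lower() for p in base.split(".")[1:]]


def inspect_attachment(filename: str, data: bytes) -> Verdict:
    reasons = []
    exts = split_extensions(filename)

    # 1. Double extension: a document extension followed by a final
    #    executable extension, e.g. agenda.doc.exe or minutes.pdf.scr.
    if (len(exts) >= 2 and exts[-1] in EXEC_EXTS
            and any(e in DOC_EXTS for e in exts[:-1])):
        reasons.append("double extension ." + ".".join(exts)
                       + ": document name, executable type")

    # 2. Content says "Windows executable" but the name does not.
    if data.startswith(PE_MAGIC) and (not exts or exts[-1] not in EXEC_EXTS):
        reasons.append("PE header (MZ) in a file not named as an executable")

    # 3. Claimed document type whose container magic does not match.
    if exts and exts[-1] in MAGIC and not data.startswith(MAGIC[exts[-1]]):
        reasons.append("content does not match ." + exts[-1] + " container")

    return Verdict(filename, reasons)


# Constructed attachments: a Naikon-style lure, two genuine documents and a
# PE image hiding behind a plain .doc name. Padding stands in for the body.
SAMPLES = [
    ("Summit agenda.doc.exe", b"MZ\x90\x00" + b"\x00" * 60),
    ("Summit agenda.doc", b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1" + b"\x00" * 60),
    ("Summit agenda.docx", b"PK\x03\x04" + b"\x00" * 60),
    ("Summit agenda.doc", b"MZ\x90\x00" + b"\x00" * 60),
]


def scan(samples=SAMPLES) -> list:
    """Run the check over each (name, bytes) pair and return the verdicts."""
    return [inspect_attachment(name, data) for name, data in samples]


if __name__ == "__main__":
    for verdict in scan():
        flag = "SUSPICIOUS" if verdict.suspicious else "ok"
        print(f"{verdict.filename:24} {flag:10} {'; '.join(verdict.reasons)}")
```

The check deliberately does not flag an honestly named `.exe`; whether executables are allowed at all is a policy decision for the gateway, and the point here is the disguise. Note also that the magic-byte test only catches a document that is really a PE file; a genuine Office document carrying a malicious macro passes it, so it complements rather than replaces attachment sandboxing.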

“There are 48 commands in the module’s repertoire, which a remote operator can use to effectively control the victim computer,” said Kaspersky.

Intelligence Gathering

Interestingly, Naikon places command-and-control (C&C) proxies inside the targeted country itself, so that the real-time connections and data extraction blend in with ordinary domestic traffic rather than standing out as connections to foreign servers.

This level of organisation and persistence suggests that a nation state may be behind the Naikon hackers. Indeed, the purpose of Naikon appears to be to run cyber-espionage campaigns against particular countries over many years.

Kaspersky cited an unnamed country, and said that Naikon had infiltrated a number of national organisations in that country including the Office of the President; Military Forces; Office of the Cabinet Secretary; National Security Council; Intelligence Services; Civil Aviation Authority; and the Department of Justice, to name but a few.

The hackers apparently had access to corporate email and internal resources, as well as access to personal and corporate email content hosted on external services.

“A few of these organisations were key targets and under continuous, real-time monitoring,” said Kaspersky. “It was during operator X’s network monitoring that the attackers placed Naikon proxies within the countries’ borders, to cloak and support real-time outbound connections and data exfiltration from high-profile victim organisations.”

Cyber Threat

This is not the first time that cyber-espionage cases like this have been exposed. Last year Symantec warned of an ongoing cyber-espionage campaign that targeted the governments and embassies of former Eastern Bloc countries.

Meanwhile it was alleged last month that the Russian government had hacked into the White House’s computer systems. The hackers had first penetrated the State Department’s email system last October and were “likely working for the Russian government”.

And countries are beginning to protect themselves. President Obama recently launched a US sanctions programme which, for the first time, will use sanctions to financially penalise individuals and groups outside the United States who are involved in malicious cyber attacks.


Tom Jowitt

Tom Jowitt is a leading British tech freelancer and long standing contributor to Silicon UK. He is also a bit of a Lord of the Rings nut...
