A China-based group has quietly carried out cyber espionage against Southeast Asian governments during the past few years, collecting “specific documents,” among other data, from infected computers, a cybersecurity company said in a report.
Naikon, a group of hackers, deployed a software called Aria-body to target government agencies and technology firms in Indonesia, Thailand, the Philippines, Vietnam, Myanmar and Brunei, and even in Australia, according to a report released Thursday by Check Point Research, an Israeli security company.
“In this campaign, we uncovered the latest iteration of what seems to be a long-running Chinese-based operation against various government entities,” Check Point said in its extensive report available online. “Throughout our research, we witnessed several different infection chains being used to deliver the Aria-body backdoor.”
“This includes not only locating and collecting specific documents from infected computers and networks within government departments, but also extracting data from removable drives, taking screenshots and keylogging, and of course harvesting the stolen data for espionage,” it said.
Check Point Research did not say if Naikon was backed by the Chinese government.
But a September 2015 report from cyber intelligence companies Defense Group and ThreatConnect, both U.S.-based firms, identified Naikon as “associated” with China’s People’s Liberation Army (PLA).
The two companies said they fused “technical analysis with Chinese language research and expertise” to document the sophisticated cyber espionage campaign by the PLA unit “with interests in the South China Sea.”
An email sent by BenarNews. an RFA-affiliated online news service, to the media relations officer of the Chinese embassy in Washington on Friday was not immediately returned.
Meanwhile in Jakarta, Anton Setiawan, spokesman for Indonesia’s National Cyber and Cryptography Agency, acknowledged awareness of the report by Check Point.
“We will discuss this internally first,” he told BenarNews on Friday.
In Bangkok, a staff member of the Thai government’s IT security watchdog THAICERT also told BenarNews that its members would probe the allegations in the report.
“We have a team to investigate this matter, based on the report, to see if it is true or not. If it is true, we will alert agencies who might have been affected by the hackers to be careful,” said the staff member, who asked not to be named because he was not authorized to speak to the media.
The nations that were allegedly hacked – except for Australia, Thailand and Myanmar – have overlapping territorial claims in the South China Sea, where about U.S. $5 trillion in ship-borne trade passes through each year. China claims most of the resource-rich region on historical grounds.
“The Naikon group has been running a longstanding operation, during which it has updated its new cyberweapon time and time again, built an extensive offensive infrastructure and worked to penetrate many governments across Asia and the Pacific,” Lotem Finkelstein, head of the cyber-threat intelligence group at Check Point, said in a statement.
“In operations following the original 2015 report, we have observed the use of a backdoor named Aria-body against several national governments, including Australia, Indonesia, the Philippines, Vietnam, Thailand, Myanmar and Brunei,” Check Point said, referring to the study by the two U.S. security firms five years ago.
Aria-body, the intrusive new tool used by the hackers, has alarmed security researchers because it could infiltrate a government agency using an ordinary Word document to penetrate any computer from which data from the attacked state department would flow into the servers used by the hackers, according to Check Point.
After Naikon was investigated by the two American cybersecurity companies five years ago, it “slipped off the radar,” according to Check Point. But the firm said it had recently discovered that the hacking group had actually been active during the past 10 years, but only “accelerated its cyber espionage activities in 2019” and the first quarter of this year.
“By comparing with previously reported activity, we can conclude that the Naikon APT group has been persistently targeting the same region in the last decade,” Check Point said in a statement.
The targeted government entities include foreign affairs, science and technology ministries, as well as government-owned companies, it said.
“Given the characteristics of the victims and capabilities presented by the group, it is evident that the group’s purpose is to gather intelligence and spy on the countries whose Governments it has targeted,” Check Point said.