SAN FRANCISCO – A cyber-espionage group targeting government, military and civil organizations around Asia for much of the past five years used sophisticated spear phishing emails to lure unsuspecting users, according to a report released Wednesday night by the security firm Kaspersky Lab.
The Naikon group is likely supported by a nation state. Kaspersky stopped short of explicitly naming China as the country behind the group, saying it is not the firm's policy to do so.
"Naikon attackers appear to be Chinese-speaking and that their primary targets are top-level government agencies and civil and military organizations in countries such as the Philippines, Malaysia, Cambodia, Indonesia, Vietnam, Myanmar, Singapore, and Nepal," wrote Kurt Baumgartner, principal security researcher, for Kaspersky. "The criminals behind the Naikon attacks managed to devise a very flexible infrastructure that can be set up in any target country, with information tunneling from victim systems to the command center. If the attackers then decide to hunt down another target in another country, they could simply set up a new connection."
The spear phishing emails were written in the languages of the countries they targeted and were tailored to the specific person they were meant to bait, Kaspersky wrote. The attackers exploited well-known vulnerabilities through a remote access tool embedded in a fake Microsoft Word document attached to the email. Kaspersky Lab, which researches global hacking trends, also provides security services and advice to companies.
While Kaspersky linked Naikon to another spy group, APT30, which FireEye identified and which Kaspersky wrote had similar targets, it stopped short of saying the two are part of the same effort. APT stands for advanced persistent threat, the shorthand for a steady, continuous hacking effort.
Meanwhile, researchers at FireEye reported on attacks they attributed to Chinese hackers belonging to a group they named APT17, or DeputyDog.
"DeputyDog is a China-based threat group that FireEye Intelligence has observed conducting network intrusions against U.S. government entities, the defense industry, law firms, information technology companies, mining companies, and non-government organizations," according to the FireEye report.
The group used Microsoft's support blog, TechNet, to disguise malicious communication as normal web traffic.
"[This] malware is capable of uploading, downloading, renaming, moving, or deleting files, terminating processes, or adding new backdoor commands to a system," said Kyrksen Storer, spokesman for FireEye. "The interesting thing is in the heart of what they did. They used the inherent functionality of the blog – like posting in forums with other users – to hide what they were really doing."
He added that the technique was currently rare but was being adopted across social media sites, including Twitter and Facebook.
"Phishing links are rising on Facebook and Twitter and other social media sites. Not only are phishing emails hopping over to social media from email, they are using social media's built-in functionality, in terms of the high frequency of users on it, to hide all their adversarial activity," said Storer.
Sheera Frenkel is a cybersecurity correspondent for BuzzFeed News based in San Francisco. She has reported from Israel, Egypt, Jordan and across the Middle East. Her secure PGP fingerprint is 4A53 A35C 06BE 5339 E9B6 D54E 73A6 0F6A E252 A50F