On May 7, a leading team of cyber threat experts reported on a string of cyberattacks by Naikon APT, a group of hackers with ties to China’s military.
The attack, directed at countries in the Asia Pacific (APAC) region, used what is known as a backdoor tool called “Aria-body.” The New York Times reported on the attack, which was initially discovered by an Israel-based cyber firm, Check Point.
This type of cyberattack, which can give hackers access to and even control of foreign government computer systems, is standard in the world of cyber espionage. Though the group behind this recently uncovered attack has ties to the Chinese government, cyberattacks have become a part of many countries’ arsenals, including the United States.
What is Aria-body?
Aria-body is what is known as a backdoor, a common hacking term for any tool that is used to gain access to a computer or server without using the traditional access points.
Backdoors are not merely used by hackers. An administrator or software creator may legitimately use one to repair or clean a system. They provide high-level access to a system and are often necessary for proper maintenance. However, when backdoors are used by hackers, they can give unauthorized users access to sensitive information, or even allow that person to control the system.
While a backdoor may be part of the original programming, hackers utilize different ways to plant their backdoor tools on a targeted computer or system. This is often done with what is known as a Remote Access Trojan (RAT).
Like the Trojan virus, the name RAT is a reference to the Greek story of the Trojan Horse: it is a dangerous tool hidden inside a seemingly innocuous file. Trojan software of this type is also known as malware.
Backdoor tools can do different things, but in the specific case of Aria-body, the tool is designed, according to Check Point, to gather “data on the victim’s machine, including: Host-name, computer-name, username, domain name, windows version, processor ~MHz, MachineGuid, 64bit or not, and public IP.”
What is Naikon APT?
The activities of Naikon APT, the Chinese-speaking group behind the Aria-body-based attack, have been tracked for years. In 2015, two cyber security groups, ThreatConnect and Defense Group Inc., released an extensive report on the group which, they claimed, was responsible for “targeted cyber espionage infrastructure activity.”
APT stands for Advanced Persistent Threat and can refer to any type of cyberthreat actor, though it is most often associated with state-backed groups.
The main actor in the report is Ge Xing, a hacker known as GreenSky27, who is alleged to be part of China’s official army, the People’s Liberation Army (PLA). Ge’s specific unit was the Chengdu Military Region Second Technical Reconnaissance Bureau, or simply Unit 78020.
This unit, which oversaw state-funded hacking initiatives, was found to be tied to the activities of Naikon APT.
Naikon APT, which first came to the broader attention of cyber security experts in June 2013, has, in the words of a ThreatPost analysis of the report, stolen “sensitive data and intellectual property from military, diplomatic and enterprise targets in a number of Asian countries, as well as the United Nations Development Programme and the Association of Southeast Asian Nations (ASEAN).”
Who were the most recent targets?
The targets of Naikon APT have by and large been localized to Southeast Asia and countries around the South China Sea. These countries are frequently grouped together as APAC, a geographically connected assortment of nations linked by international commerce and politics.
Check Point’s investigation of the latest Aria-body attack lists Australia, Indonesia, the Philippines, Vietnam, Thailand, Myanmar and Brunei as known targets. Within those targets, Naikon APT focused on hacking the systems of offices related to foreign affairs and science and technology. They also targeted government-owned companies.
According to Check Point, based on the target victims, “It is evident that the group’s purpose is to gather intelligence and spy on the countries whose Governments it has targeted.”
Hacking is an increasingly common tool of international conflict in the modern world.
Nations like Russia, Syria and North Korea are frequently discussed in relation to this field, which generally involves cyber espionage and debilitating attacks. But these conventional adversaries of the US are hardly the only countries to utilize hackers.
In the 2000s, the United States teamed up with Israel to develop the Stuxnet virus to undermine Iran’s attempts to develop nuclear weapons. The development of the virus, which was confirmed by officials in the Obama Administration in 2012, was known by the codename “Olympic Games.”
While the recently reported evidence doesn’t suggest Naikon APT targeted any US entities, the current COVID-19 pandemic has created a perfect storm for state-backed hacking activities.
Wired reported that Google’s Threat Analysis Group had found state-sponsored hacking campaigns had targeted employees in the US government. Google has determined there are at least 12 state-sponsored groups using the current pandemic to send phishing emails to plant malware on the computers of unsuspecting recipients.
The hacker groups that targeted US employees reportedly sent emails that appeared to be from fast-food chains providing updates on their coronavirus response. The emails included fake coupons for free meals or links to malicious sites that were used to collect personal data.
Google says most of the emails were caught by spam filters, but some still managed to get through. There is no indication that any US government accounts were compromised by these latest coronavirus-related attacks.
Sign up for daily news briefs from The Millennial Source here!