Advanced Persistent Threat “Naikon” Deploys New Malware

By Anthony Eich on April 29, 2021

Executive Summary

The well-known Advanced Persistent Threat (APT) group “Naikon” has made headlines again recently for an attack that went unnoticed in the wild for two years. The threat actor has been active since at least 2010 and concentrates its activity in Southeast Asia, targeting high-level government entities, especially military organizations [1]. The group is part of the People’s Liberation Army (PLA) Unit 78020 out of China. Naikon is also believed to go by several other handles, such as Lotus Panda and Hellsing, and is possibly associated with, but not an exact match for, APT 30, a.k.a. Override Panda [6]. The group is highly skilled and well funded, and it has successfully raided organizations, obfuscated its intrusions, and resided on networks and systems for long periods of time without detection. This long-term attack model has allowed the PLA component to exfiltrate petabytes of data over the years. The most recent development from this unit is the use of a newly discovered malware: Nebulae. The cybersecurity firm Bitdefender was the first to release findings regarding the new weapon. Nebulae is a backdoor, meaning that once installed on a targeted system it gives the attackers remote access to that system. Specifically, this backdoor was used as a secondary means of persistence, which had not been previously noted and points towards an evolution taking place within the activities of the nation-state-sponsored criminal organization [1].

Background

Naikon, an alias of the Chinese People’s Liberation Army’s Chengdu Military Region Second Technical Reconnaissance Bureau (Military Unit Cover Designator 78020), has been an active threat for at least ten years, focusing its activities on the Southeast Asia region [6]. Its targets are typically high-level government officials, whom it spear phishes to deploy its malware. Once the malware is deployed, the attackers gain persistent access by installing hidden programs called backdoors, which give them remote access to those systems. Until now, the known malware included a backdoor installer, RainyDay, which gave the attackers persistence on these systems [4]. It has now been discovered that a new backdoor, dubbed Nebulae, serves as a secondary backdoor that further strengthens persistence on the victim systems. Research has shown that this newly discovered backdoor may have been actively used for at least two years, with initial investigations pointing to origins in 2019 [2].

Impact

Naikon is known for maintaining a stealthy presence within networks and systems for long periods of time. One such case pointed to a five-year-long campaign during which the APT was believed to have gone silent, when in actuality it had been maintaining persistence and extending its access throughout the government agencies of Australia, Indonesia, the Philippines, Vietnam, Thailand, Myanmar, and Brunei [4]. Once within a network, the attackers are able to conceal their presence, gain access to other servers and systems, and then use those systems to continue spreading. While the attack spreads, the unit is able to search freely within the systems and exfiltrate email, contacts, data, secrets, and anything else of use that can help it continue to spread and infiltrate the government agencies. At this point, it is unknown just how deeply Naikon has been able to penetrate these government agencies, but it is likely that the spies have dug themselves in to a level beyond what is currently known, leaving cybersecurity experts scrambling to find ways to detect and disrupt the criminal activity.

Significance

Only time and further investigation will show how much of an impact this activity has caused, and at this time no specific details have been released as to what sensitive information has been pilfered. However, it is clear that this Chinese hacker group is going to continue to be a problem, and cybersecurity firms such as Bitdefender and others will need to figure out exactly how these attackers have been able to execute and maintain these attacks so prolifically. Naikon’s success must be worth the investment that the Chinese government has designated for the hacker group. Therefore, it is safe to assume that beyond emails, contacts, and other such data, it has been able to exfiltrate significant amounts of highly valuable information. We know that the group targets government agencies and military organizations in Southeast Asia. This means that it is most likely able to steal secrets related to advancements in military technologies. Another troubling aspect that lands closer to home is that many of the governments that have been targeted are known to have received U.S. arms exports. This could point to a consistency among other Chinese-grown APT organizations that have an ultimate target: the United States. The indications are clear that whomever Naikon and the Chinese government are targeting, the intent is to burrow deep, remain incognito, and sustain an ongoing campaign intent on leveling the cyberwarfare battlefield, and ultimately the traditional battlefield as well.

References

[1] Fisher, Dennis. 2021. “Naikon APT Deploys New Nebulae Backdoor.” duo.com. April 28. Accessed April 29, 2021. https://duo.com/decipher/naikon-apt-deploys-new-nebulae-backdoor.

[2] Paganini, Pierluigi. 2021. “Naikon APT group uses new Nebulae backdoor in attacks aimed at military orgs.” securityaffairs.co. April 28. Accessed April 29, 2021. https://securityaffairs.co/wordpress/117321/apt/naikon-apt-nebulae-backdoor.html.

[3] Barbaschow, Asha. 2020. “Chinese APT group Naikon targeted Western Australia government.” www.zdnet.com. May 8. Accessed April 29, 2021. https://www.zdnet.com/article/chinese-apt-group-naikon-targeted-western-australia-government/.

[4] O’Donnell, Lindsey. 2020. “Naikon APT Hid Five-Year Espionage Attack Under Radar.” threatpost.com. May 7. Accessed April 29, 2021. https://threatpost.com/naikon-apt-five-year-espionage-attack/155492/.

[5] n.d. “APT group: Naikon, Lotus Panda.” apt.thaicert.or.th. Accessed April 29, 2021. https://apt.thaicert.or.th/cgi-bin/showcard.cgi?g=Naikon%2C%20Lotus%20Panda.

[6] 2020. “Naikon.” MITRE ATT&CK. July 3. Accessed April 29, 2021. https://attack.mitre.org/groups/G0019/.