According to Kaspersky, governments in Southeast Asian have been victims of the Naikon threat actor for the last five years. This includes having many top level government agencies like the office of the President, department of civil aviation, military institutions and police infiltrated by data mining malware.
The attackers are apparently Chinese speaking individuals who have increased their volume of attacks since 2014. These attackers take advantage of local habits in the different target countries, and have been tailoring their approach to their intended victims. One of the more popular methods would be targeting countries where government servants use their personal gmail accounts for work.
Naikon APT typically starts with a baited document that claims to have information relevant to the interests of the target. Again, this bait varies according to country; which indicates a large network of operatives familiar with the local environment of their targets. Once the document is opened, the displays a decoy while installing its own spyware code.
The spyware itself has multiple Command and Control servers, some that are located within the the target countries themselves. Communication between the C&C servers and victim systems also differs according to the target, with some taking on direct connections and others being routed through proxy servers first. Kaspersky has provided a partial list of the location of the some of these C&C servers, including six located in Malaysia.
Kaspersky has not identified the culprits being this threat, but it has noted that the actions of Naikon APT has interfered with the operations of a separate cyberespionage campaign known as Hellsing. The group behind Hellsing took revenge on Naikon for the attack, which ended up exposing both threats to the world.
According to the victim map provided by Kaspersky, Malaysia is one of the hardest hit countries by Naikon with between 5 – 18 detections in government institutions. It has not said which departments have been affected, but there is a possibility that someone has been spying on our military capabilities for the last five years.
