Kaspersky Lab: With activity ranging from setting up intelligence infrastructure inside a target country for real-time connections and data mining to the development of a 48-command espionage tool, the Naikon threat actor has successfully infiltrated national organizations in countries around the South China Sea over the last five years, according to Kaspersky Lab research.
Kaspersky Lab's experts found that the attackers behind the Naikon group appear to be of Chinese origin and that their primary targets are top-level government bodies as well as political and military organizations in countries such as the Philippines, Malaysia, Cambodia, Indonesia, Vietnam, Myanmar, Singapore, Nepal, Thailand, Laos and China.
Kaspersky Lab identified the following features of Naikon's operations:
- At least five years of high-intensity, high-volume activity with geopolitical goals, directed against major organizations
- Each target country has a dedicated operator who exploits knowledge of the local culture, such as the tendency to use personal e-mail accounts for work.
- Placement of infrastructure (a proxy server) inside the target country's borders to provide day-to-day support for real-time connections and data exfiltration.
- Use of platform-independent code and the ability to intercept and monitor traffic across the entire network.
- 48 commands in the remote administration tool's repertoire, including commands for a full system inventory, data download and upload, installation of add-on modules, and working from the command line.
The Naikon cyber-espionage group was first mentioned by Kaspersky Lab in a recent report titled "The Chronicles of the Hellsing APT: the Empire Strikes Back", where it played a key role in a unique story of counterattack and revenge in the world of APT (Advanced Persistent Threat) actors. Hellsing is another threat group, which decided to strike back after being attacked by Naikon.
"The criminals behind the Naikon attacks have managed to devise a very flexible infrastructure that can be set up in any target country, with the ability to channel information from victim systems to the command center. If the attackers decided to hunt another target in another country, they could simply create a new connection. Naikon's activity was also facilitated by having dedicated operators committed to their specific set of targets," said Kurt Baumgartner, Principal Security Researcher in Kaspersky Lab's Global Research and Analysis Team.
Naikon's targets are attacked with traditional spear-phishing e-mails carrying attachments designed to match the interests of the potential victim. An attachment might look like a Word document, for example, but it is actually an executable file with a double extension (the final, real extension is the one hidden by default in Windows Explorer).
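The double-extension trick above is easy to catch at a mail gateway or in an incident-response triage script if the filename and the file content are checked together rather than trusting either alone. The following is an added example written for this article, not code from Kaspersky Lab or from the Naikon report: the extension lists, magic-byte table and the sample attachments (constructed byte strings standing in for real files) are assumptions made for illustration.

```python
"""Flag e-mail attachments that pose as documents but are really executables.

Two independent checks, combined:
  1. filename: a document extension followed by an executable one (report.doc.exe)
  2. content:  the leading bytes are a Windows PE header (MZ) although the name
               claims a document, or the bytes do not match the claimed format
"""
import os
import re

# Extension lists are an assumption for this example; extend to taste.
EXECUTABLE_EXTS = {".exe", ".scr", ".com", ".pif", ".bat", ".cmd", ".js", ".vbs"}
DOCUMENT_EXTS = {".doc", ".docx", ".rtf", ".pdf", ".xls", ".xlsx", ".ppt", ".pptx"}

# Leading bytes (file signatures) for what each document extension claims to be.
OLE2 = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"   # legacy Office compound file
ZIP = b"PK\x03\x04"                          # OOXML documents are ZIP containers
MAGIC = {
    ".doc": (OLE2,), ".xls": (OLE2,), ".ppt": (OLE2,),
    ".docx": (ZIP,), ".xlsx": (ZIP,), ".pptx": (ZIP,),
    ".rtf": (b"{\\rtf",),
    ".pdf": (b"%PDF",),
}
PE_MAGIC = b"MZ"


def split_extensions(filename):
    """All extensions of a filename, lowercased: 'Report.doc.exe' -> ['.doc', '.exe']."""
    base = os.path.basename(filename)
    # Collapse padding whitespace attackers use to push the real extension out of view.
    base = re.sub(r"\s+", " ", base)
    parts = base.split(".")
    return ["." + p.strip().lower() for p in parts[1:] if p.strip()]


def classify_attachment(filename, data):
    """Return a list of human-readable reasons the attachment looks disguised.

    An empty list means neither check fired.
    """
    reasons = []
    exts = split_extensions(filename)
    final = exts[-1] if exts else ""

    # Check 1: double extension, document-looking name ending in an executable type.
    if (len(exts) >= 2 and final in EXECUTABLE_EXTS
            and any(e in DOCUMENT_EXTS for e in exts[:-1])):
        reasons.append(f"double extension {''.join(exts)}: displays as "
                       f"{exts[-2]} but runs as {final}")
    elif final in EXECUTABLE_EXTS:
        reasons.append(f"executable attachment ({final})")

    # Check 2: content versus claimed type. A PE header under a document name is
    # the disguise itself; a document name whose bytes match no known signature
    # is at least worth a second look.
    if data.startswith(PE_MAGIC):
        if final not in EXECUTABLE_EXTS:
            reasons.append(f"PE header (MZ) in a file named {final or 'without extension'}")
    elif final in MAGIC and not any(data.startswith(m) for m in MAGIC[final]):
        reasons.append(f"content does not match the {final} file signature")
    return reasons


# Constructed sample attachments (name, leading bytes); not real captured files.
SAMPLES = [
    ("Agenda.docx", ZIP + b"\x00" * 16),          # genuine OOXML document
    ("Minutes.doc", OLE2 + b"\x00" * 8),          # genuine legacy .doc
    ("Report.doc.exe", PE_MAGIC + b"\x90\x00" * 30),  # the Naikon-style lure
    ("Invitation.doc", PE_MAGIC + b"\x90\x00"),   # single extension, PE content
    ("Budget .xls.scr", PE_MAGIC),                # padded name, screensaver executable
]


def scan(samples=SAMPLES):
    """Map each sample filename to its list of reasons (empty when clean)."""
    return {name: classify_attachment(name, data) for name, data in samples}


if __name__ == "__main__":
    for name, reasons in scan().items():
        print(f"{name:18} {'CLEAN' if not reasons else 'SUSPICIOUS: ' + '; '.join(reasons)}")
```

The two checks deliberately stay independent: a renamed executable with a single extension (Invitation.doc) is missed by the name check but caught by the MZ header, while the padded name (Budget .xls.scr) is caught by the name check even before the content is inspected.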
Kaspersky Lab urges organizations to protect themselves from the Naikon espionage campaign, following some basic guidelines:
- Do not open attachments or links from unknown senders
- Use an advanced anti-malware solution
- If in doubt about an attached file, open it in a sandboxed environment
- Keep the operating system up to date, with all necessary patches installed
Kaspersky Lab solutions protect users from this threat by detecting it with the Automatic Exploit Prevention technology. The threat is registered under the detection names “Exploit.MSWord.CVE-2012-0158”, “Exploit.MSWord.Agent”, “Backdoor.Win32.MsnMM”, “Trojan.Win32.Agent” and “Backdoor.Win32.Agent”.
More information about Naikon is available on the site Securelist.com.