Kaspersky Lab: Targeted attacks on South Asian states

With actions ranging from setting up espionage infrastructure inside a country for real-time connections and data mining to building espionage tools with 48 commands, the threat actor Naikon has successfully infiltrated national organizations of countries in the South China Sea region over the last five years, according to research by Kaspersky Lab.

Kaspersky Lab's experts found that the Naikon attackers appear to be of Chinese origin and that their primary targets are top government agencies, as well as political and military organizations, in countries such as the Philippines, Malaysia, Cambodia, Indonesia, Vietnam, Myanmar, Singapore, Nepal, Thailand, Laos and China.

Kaspersky Lab identified the following features in Naikon's operations:

  • At least five years of aggressive activity with geopolitical goals, carried out at high intensity and against major organizations.
  • Each target country has a designated operator who exploits aspects of the local culture, such as the tendency to use personal accounts for work.
  • The placement of infrastructure (a proxy server) within the borders of the country in order to provide daily support for real-time connections and data exfiltration.
  • Use of platform-independent code and the ability to monitor and intercept across the entire network.
  • 48 commands in the remote administration program's repertoire, including commands for taking a full inventory, downloading and uploading data, installing add-on features or working with the command line.

The Naikon cyber-espionage group was first mentioned by Kaspersky Lab in a recent report titled "The Chronicles of Hellsing APT: Empire Attacks", in which the group played a key role in a unique story of counter-attack and revenge in the world of Advanced Persistent Threats (APT). The Hellsing group is another threat actor, which decided to take revenge on Naikon for an attack.

"The criminals behind the Naikon attacks have managed to devise a very flexible infrastructure that can be set up in any target country, managing to funnel information from victim systems to the administration. With this infrastructure, if attackers decided to go after another target in another country, they could simply create a new connection. Also, the Naikon group's activity was facilitated by the existence of managers who were committed to their specific set of objectives," said Kurt Baumgartner, Principal Security Researcher at Kaspersky Lab's Worldwide Research and Analysis Group.

Naikon's targets are attacked with traditional spear-phishing techniques: emails carrying attachments designed to match the interests of the potential victim. An attachment might look like a Word document, for example, but is actually an executable file with a double extension.
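A mail-gateway style check for the double-extension disguise described above. This is an added example, not code from Kaspersky Lab or the original article; the function name, extension lists and sample attachments are assumptions constructed for illustration, and it goes slightly beyond the article by also catching names padded with spaces and a Windows executable header hidden behind a document extension.

```python
import os

# Extensions Windows runs directly (illustrative subset, an assumption of this example).
EXECUTABLE_EXTS = {".exe", ".scr", ".com", ".pif", ".bat", ".cmd", ".cpl", ".vbs", ".lnk"}
# Extensions a recipient expects to be a harmless document.
DECOY_EXTS = {".doc", ".docx", ".rtf", ".pdf", ".xls", ".xlsx", ".ppt", ".pptx", ".txt"}


def check_attachment(filename, content):
    """Return the reasons an attachment looks like a disguised executable."""
    findings = []
    name = filename.strip().lower()
    stem, last_ext = os.path.splitext(name)
    # Padding (spaces, dots, underscores) is sometimes inserted before the real
    # extension to push it out of view, so strip it before reading the decoy.
    _, inner_ext = os.path.splitext(stem.rstrip(" ._"))

    if last_ext in EXECUTABLE_EXTS and inner_ext in DECOY_EXTS:
        findings.append(f"double extension: {inner_ext} followed by {last_ext}")
    elif last_ext in EXECUTABLE_EXTS:
        findings.append(f"executable extension: {last_ext}")

    # Windows PE files begin with the bytes 'MZ'; a document name on such a
    # file means the name and the content disagree.
    if content[:2] == b"MZ" and last_ext in DECOY_EXTS:
        findings.append(f"PE header in file named {last_ext}")
    return findings


# Constructed sample attachments: (file name, first bytes of the file).
SAMPLES = [
    ("agenda.doc.exe", b"MZ\x90\x00"),
    ("budget.pdf      .scr", b"MZ\x90\x00"),
    ("letter.doc", b"MZ\x90\x00"),
    ("minutes.docx", b"PK\x03\x04"),
]

if __name__ == "__main__":
    for fname, head in SAMPLES:
        reasons = check_attachment(fname, head)
        print(f"{fname!r}: {'; '.join(reasons) if reasons else 'no findings'}")
```

A gateway would quarantine any attachment with a non-empty result rather than rely on the recipient noticing the real extension.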

Kaspersky Lab urges organizations to protect themselves from the Naikon espionage campaign by following some basic guidelines:

  • Do not open attachments and links from senders you do not know
  • Use an advanced anti-malware solution
  • If there are any doubts about an attachment, it is better to open it in a sandbox environment
  • Make sure you have an up-to-date operating system with all the necessary patches installed

Kaspersky Lab solutions protect users from this threat by identifying it with the "Automatic Exploit Prevention" feature. The threat is detected under the names "Exploit.MSWord.CVE-2012-0158", "Exploit.MSWord.Agent", "Backdoor.Win32.MsnMM", "Trojan.Win32.Agent" and "Backdoor.Win32.Agent".

More information about Naikon is available on the site Securelist.com.

Written by Dimitris
