Chinese hackers spied on government organizations for five years

US, WASHINGTON (ORDO NEWS) — The targets included governments across the Asia-Pacific region: Australia, Indonesia, the Philippines, Vietnam, Thailand, Myanmar and Brunei.

After gaining access to confidential information held by one government body, the attackers used it to mount follow-on phishing attacks against other government organizations.

The Chinese APT group was most active between 2019 and Q1 2020.

The Israeli cybersecurity company Check Point Software Technologies has exposed a threat group that has attacked government agencies in Asia and the Pacific over a long period to obtain confidential information.

Researchers uncovered the activity of a Chinese group that spent five years conducting cyber espionage against governments of the Asia-Pacific region. Its political espionage was first reported in 2015, when a group called Naikon launched a series of attacks on government agencies and related organizations around the South China Sea.

After 2015 there were no public reports on the group, but according to Check Point it not only remained active throughout the past five years but also stepped up its operations from 2019 to Q1 2020.

The attackers gained access to the data of one government body and used that information to attack other government bodies. Because departments and government organizations extend a degree of trust to one another through their diplomatic relations, such operations had a higher chance of success.

While investigating the incident, Check Point researchers analyzed a phishing email with a malicious attachment that was sent to an Australian government agency, purporting to come from the embassy of one of the Asia-Pacific countries.

When opened, the file triggered an exploit that compromised the user's computer and downloaded the Aria-body backdoor. The backdoor gave the attackers access to the infected computer or network from external servers while bypassing security controls.

Further investigation revealed other similar attack chains used to deliver the Aria-body backdoor. All Naikon attacks included three main steps.

Falsified official government document. The attackers crafted an email carrying a document with content relevant to the intended victim and sent it. That content could be drawn from open sources or from confidential material taken from a previously compromised system.

Weaponizing the document to penetrate the targeted systems. The attackers embedded a malware loader in the attached document, which automatically installed the Aria-body backdoor. This gave them a foothold in the victim's network.

Using compromised organizations' servers for further attacks. To avoid detection, Naikon ran new attacks against other government organizations from the infrastructure and servers of earlier victims, so that the traffic appeared to come from a trusted government source. In one incident investigated, the researchers found that the server used for the attacks belonged to the Philippine government's department of science and technology.
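Because the third step routes command-and-control traffic through legitimate government servers, blocking by destination reputation alone will not catch it. The script below is an added illustration (not code from the Check Point report or this article) of a behavioural check instead: it scans a proxy log for workstations that contact the same external host at regular intervals, regardless of how trustworthy that host looks. The log format, hostnames and IP addresses are constructed for the example, and the thresholds (`min_hits`, `max_jitter`) are illustrative defaults, not values from the report.

```python
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed sample proxy log (not real data): "<ISO timestamp> <client IP> <destination host>".
# 10.0.0.5 checks in with sci-portal.example.gov.ph roughly every ten minutes,
# while 10.0.0.7 browses news.example.com at irregular times.
SAMPLE_LOG = """\
2020-03-02T09:00:00 10.0.0.5 sci-portal.example.gov.ph
2020-03-02T09:01:00 10.0.0.7 news.example.com
2020-03-02T09:03:30 10.0.0.7 news.example.com
2020-03-02T09:04:10 10.0.0.7 news.example.com
2020-03-02T09:10:05 10.0.0.5 sci-portal.example.gov.ph
2020-03-02T09:12:00 10.0.0.5 mail.example.com
2020-03-02T09:19:58 10.0.0.5 sci-portal.example.gov.ph
2020-03-02T09:30:00 10.0.0.7 news.example.com
2020-03-02T09:30:02 10.0.0.5 sci-portal.example.gov.ph
2020-03-02T09:40:00 10.0.0.5 sci-portal.example.gov.ph
2020-03-02T09:50:03 10.0.0.5 sci-portal.example.gov.ph
2020-03-02T09:59:59 10.0.0.5 sci-portal.example.gov.ph
2020-03-02T10:10:01 10.0.0.5 sci-portal.example.gov.ph
2020-03-02T10:15:00 10.0.0.7 news.example.com
2020-03-02T10:16:00 10.0.0.7 news.example.com
2020-03-02T10:20:00 10.0.0.5 mail.example.com
"""


def parse_line(line):
    """Split one constructed log line into (timestamp, client IP, destination host)."""
    ts, src, dst = line.split()
    return datetime.fromisoformat(ts), src, dst


def beacon_candidates(log_text, min_hits=6, max_jitter=0.2):
    """Return {(src, dst): stats} for client/host pairs whose request timing is suspiciously regular.

    jitter is the coefficient of variation of the gaps between requests
    (population std dev / mean); a value near 0 means a fixed check-in period.
    The thresholds are illustrative assumptions, not values from the report.
    """
    hits = defaultdict(list)
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, src, dst = parse_line(line)
        hits[(src, dst)].append(ts)

    flagged = {}
    for pair, stamps in hits.items():
        if len(stamps) < min_hits:       # too few contacts to judge periodicity
            continue
        stamps.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        avg = mean(gaps)
        if avg <= 0:                     # duplicate timestamps; nothing to measure
            continue
        jitter = pstdev(gaps) / avg
        if jitter <= max_jitter:
            flagged[pair] = {
                "hits": len(stamps),
                "mean_interval_s": round(avg, 1),
                "jitter": round(jitter, 3),
            }
    return flagged


if __name__ == "__main__":
    for (src, dst), info in beacon_candidates(SAMPLE_LOG).items():
        print(f"{src} -> {dst}: {info}")
```

On the sample data only the 10.0.0.5 to sci-portal.example.gov.ph pair is flagged: eight contacts about 600 seconds apart with a jitter of roughly 0.007, even though the destination is a government host that an allow-list would pass. The irregular browsing to news.example.com has a jitter above 1 and is ignored. In practice the same statistic would be computed per day over proxy or DNS logs, with the allow-list consulted only after the behavioural score, not before it.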

Naikon's targets all lay in the same geographic region, the Asia-Pacific, including Australia, Indonesia, the Philippines, Vietnam, Thailand, Myanmar, and Brunei. The attackers went after ministries of foreign affairs and of science and technology, as well as state-owned companies. Their presumed motive is geopolitical intelligence gathering.
