In further evidence that China is consolidating its digital forces against the West, the hacker group Naikon has resurfaced in recent weeks, according to an investigation by the threat intelligence firm Cluster25.
The cyber espionage group, also known as Lotus Panda and thought to have originated in China in 2010, is believed to be focusing its attention on South-East Asian nations such as Thailand, Malaysia, and Singapore. Naikon rose to infamy in 2015 when its malware was discovered, leading to the arrest of one of its key members, according to Cluster25.
Following that, the group was believed to have disbanded, but it resurfaced two years ago, when it was detected carrying out espionage activities against Australia and Asian nations including Indonesia and the Philippines.
Most recently, Naikon is thought to be spying on government institutions, including state-owned businesses, in nations across South-East Asia. Cluster25 believes the targeted organizations are predominantly involved in science, technology, and foreign affairs.
“By observing Naikon’s hacking arsenal, it was concluded that this group tends to conduct long-term intelligence and espionage operations, typical for a group that aims to conduct attacks on foreign governments and officials,” it said. “To avoid detection and maximize the result, it changed TTPs [tactics, techniques and procedures] and tools over time.”
These included spear-phishing emails, sent to targeted organizations in the past year, that delivered shellcode: a small piece of machine code which, once it runs on the victim's machine, loads the attacker's payload and hands control of the compromised computer to the operator.
While admitting it could not be absolutely certain of the intended victims of these attacks, Cluster25 claimed they were likely to be government institutions.
“The target of this attack is currently unknown but with high probability, given the previous history of the attack perpetrated by the group, it might be a government institution from a South Asian country,” it said.
The email used as bait in the phishing campaign is written in Chinese and purports to be a legitimate reply to a call for tenders for – ironically, given its true nature – the procurement of protective firewall equipment.
Naikon also used the open-source software tools Viper and Asset Reconnaissance Lighthouse (ARL), both believed to have been written by Chinese developers, given that their supporting documentation is in Chinese.
“Viper modularizes and weaponizes the tactics and technologies commonly used in the process of intranet penetration,” said Cluster25. “ARL is a tool to assist security teams or penetration testers [in] reconnaissance and retrieval of assets, discovering existing weak points and attack surfaces.”
The tools serve different stages of an intrusion: Viper generates payloads and manages post-exploitation activity inside a compromised network, while ARL maps a target's internet-facing assets and identifies the software running on them through a process called website fingerprinting, in which the server's response headers, cookies and page content are matched against a library of known signatures.
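To make the fingerprinting step concrete, the following is an added example written for this article; it is not code from ARL, Viper or Cluster25. It implements the basic technique such tools use: match HTTP response headers, Set-Cookie names and HTML body patterns against a small signature set and report the technologies (and versions, where exposed) behind a host. The signature rules and the three sample responses are constructed for illustration. Defenders can run the same logic against their own hosts to see what an attacker's reconnaissance tool would learn, and the third sample shows that a server which strips identifying headers gives it nothing to work with.

```python
"""Minimal website fingerprinting in the style of asset-reconnaissance tools.
Added example, not ARL's or Viper's code; rules and sample responses are constructed."""
import re
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Rule:
    """One signature. A regex may carry a single capture group for the version."""
    name: str
    headers: dict = field(default_factory=dict)  # lowercase header name -> regex
    cookies: tuple = ()                          # Set-Cookie names that imply the tech
    body: tuple = ()                             # regexes searched in the HTML body
    implies: tuple = ()                          # technologies implied by this one


# Constructed, deliberately small rule set (real tools ship thousands of these).
RULES = (
    Rule("nginx", headers={"server": r"^nginx(?:/([\d.]+))?"}),
    Rule("IIS", headers={"server": r"^Microsoft-IIS(?:/([\d.]+))?"}),
    Rule("PHP", headers={"x-powered-by": r"PHP(?:/([\d.]+))?"}, cookies=("PHPSESSID",)),
    Rule("WordPress",
         body=(r'<meta name="generator" content="WordPress(?: ([\d.]+))?', r"/wp-content/"),
         implies=("PHP",)),
    Rule("ASP.NET",
         headers={"x-powered-by": r"ASP\.NET", "x-aspnet-version": r"^([\d.]+)"},
         cookies=("ASP.NET_SessionId",), implies=("IIS",)),
)


def _matches(rule, headers, cookie_names, body):
    """Return (hit, version) for one rule against one normalised response."""
    hit, version = False, None
    for name, pattern in rule.headers.items():
        for value in headers.get(name, ()):
            m = re.search(pattern, value, re.I)
            if m:
                hit = True
                if version is None and m.groups() and m.group(1):
                    version = m.group(1)
    if cookie_names & set(rule.cookies):
        hit = True
    for pattern in rule.body:
        m = re.search(pattern, body, re.I)
        if m:
            hit = True
            if version is None and m.groups() and m.group(1):
                version = m.group(1)
    return hit, version


def fingerprint(response):
    """Map one HTTP response ({"headers": {...}, "body": "..."}) to {tech: version or None}.

    Header names are lowercased because they arrive on the wire in any case;
    a header given as a list (typical for Set-Cookie) keeps all of its values.
    """
    headers = {}
    for k, v in response.get("headers", {}).items():
        values = v if isinstance(v, (list, tuple)) else [v]
        headers.setdefault(k.lower(), []).extend(values)
    cookie_names = {c.split("=", 1)[0].strip() for c in headers.get("set-cookie", [])}
    body = response.get("body", "")

    found = {}
    for rule in RULES:
        hit, version = _matches(rule, headers, cookie_names, body)
        if hit:
            found[rule.name] = version

    # Propagate implications (WordPress implies PHP, ASP.NET implies IIS)
    # until nothing changes, without overwriting a version seen directly.
    changed = True
    while changed:
        changed = False
        for rule in RULES:
            for dep in (rule.implies if rule.name in found else ()):
                if dep not in found:
                    found[dep] = None
                    changed = True
    return found


# Constructed sample responses (not captured from any real host).
RESP_WORDPRESS = {
    "headers": {"Server": "nginx/1.18.0", "Set-Cookie": ["PHPSESSID=abc123; Path=/"]},
    "body": '<html><head><meta name="generator" content="WordPress 6.2" />'
            '<link href="/wp-content/themes/demo/style.css"></head></html>',
}
RESP_IIS = {
    "headers": {"Server": "Microsoft-IIS/10.0", "X-Powered-By": "ASP.NET",
                "X-AspNet-Version": "4.0.30319"},
    "body": "<html><body>hello</body></html>",
}
RESP_QUIET = {"headers": {"Server": ""}, "body": "<html><body>hello</body></html>"}

if __name__ == "__main__":
    for label, resp in (("wordpress", RESP_WORDPRESS), ("iis", RESP_IIS), ("quiet", RESP_QUIET)):
        print(label, fingerprint(resp))
```

Each rule contributes one piece of evidence; the version comes from whichever regex exposes it first, so the PHP entry for the WordPress sample stays at None because only the session cookie, not an X-Powered-By header, gave it away. The "quiet" sample returns an empty result, which is the practical argument for removing Server, X-Powered-By and framework version headers from internet-facing systems.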