A China-based hacking group has been quietly carrying out a five-year cyber espionage campaign against Asia-Pacific governments after it previously “slipped off the radar,” a new report claims.
The group, known as Naikon, has targeted nations including Australia, Indonesia, the Philippines, Vietnam, Thailand, Myanmar and Brunei, according to Israeli cybersecurity firm Check Point.
Naikon targets ministries of foreign affairs, science and technology, as well as government-owned companies with the aim of “gathering of geo-political intelligence,” Check Point said.
Security researchers first documented the Naikon group in 2015. However, Check Point said it had since “slipped off the radar, with no new evidence or reports of activities found” until now. The group had in fact remained active throughout the past five years but “accelerated its cyber espionage activities in 2019 and Q1 2020.”
The cybersecurity firm did not say if Naikon is linked to the Chinese government. But a separate report in 2015, by a Washington-based security company called ThreatConnect, claimed the group was a unit of the Chinese People’s Liberation Army (PLA).
China’s Ministry of Foreign Affairs was not immediately available for comment when contacted by CNBC.
According to the report, Naikon attempts to infiltrate a government body and use the stolen information it acquires there — such as contacts and documents — to attack other departments within that country’s government.
Check Point said it was alerted when it found an email carrying a document attachment that contained malicious software, also known as malware.
When the document is opened, it infects the user’s computer and attempts to download a second piece of malware, a backdoor called “Aria-body.” This gives the hackers remote access to that computer or network and lets them bypass security measures, Check Point said.
The group uses so-called spear-phishing: it sends an email with the malicious document attached, crafted to look as if it comes from a trusted source, in this case another government official. The attackers build these convincing lures from information taken in earlier successful intrusions or from public data.
Once they’re inside a network, they can launch further attacks without detection.
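The lure pattern described above, as an added editor’s example that is not Check Point’s code or data: a small triage script that parses messages with Python’s standard `email` module and flags the signals a spoofed-official email leaves behind, namely a lookalike sender domain, a Reply-To that points somewhere other than the From domain, a display name that matches a known contact but arrives from a different address, and a document attachment from a sender that is not on the trusted list. The trusted domains, the contact directory and both sample messages are assumptions constructed for the demonstration; nothing here models Aria-body itself, since the report as summarized gives no technical indicators for the backdoor.

```python
"""Triage of e-mails for the spear-phishing pattern the article describes:
a message whose sender impersonates a trusted official while the real address,
domain or Reply-To points elsewhere, carrying a document attachment.
Example added by the editor; the domains, contacts and messages are constructed
and are not from Check Point's report."""
import os
import email
from email import policy
from email.message import EmailMessage
from email.utils import parseaddr
from typing import Optional

# Constructed allowlist of domains treated as trusted government senders.
TRUSTED_DOMAINS = {"mfa.example.gov", "most.example.gov"}

# Constructed directory of known correspondents (display name -> real address),
# the kind of contact list the article says the attackers steal and reuse.
KNOWN_CONTACTS = {"nguyen van a": "nguyen.a@mfa.example.gov"}

# Attachment types commonly used as a first-stage dropper.
RISKY_EXTENSIONS = {".doc", ".docm", ".dot", ".dotm", ".xls", ".xlsm", ".rtf",
                    ".docx", ".zip", ".rar", ".7z", ".iso", ".lnk"}


def domain_of(addr: str) -> str:
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def _norm(domain: str) -> str:
    # Fold the substitutions typosquatters rely on so "mfa-example.gov" and
    # "mfa.examp1e.gov" compare equal to "mfa.example.gov".
    return domain.replace("-", ".").replace("0", "o").replace("1", "l")


def classify_domain(domain: str):
    """Return ('trusted', d), ('lookalike', imitated) or ('external', None)."""
    for t in TRUSTED_DOMAINS:
        if domain == t or domain.endswith("." + t):
            return "trusted", t
    for t in TRUSTED_DOMAINS:
        if _norm(domain) == _norm(t) or t in domain:
            return "lookalike", t
    return "external", None


def triage(raw: bytes) -> dict:
    """Parse one RFC 5322 message and return the reasons it looks like spear-phishing."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    name, addr = parseaddr(msg.get("From", ""))
    from_dom = domain_of(addr)
    kind, imitated = classify_domain(from_dom)
    reasons = []

    if kind == "lookalike":
        reasons.append(f"sender domain {from_dom} imitates {imitated}")

    _, reply_addr = parseaddr(msg.get("Reply-To", ""))
    if reply_addr and domain_of(reply_addr) != from_dom:
        reasons.append(f"Reply-To goes to {domain_of(reply_addr)}, not {from_dom}")

    known = KNOWN_CONTACTS.get(name.strip().lower())
    if known and known != addr.lower():
        reasons.append(f"display name matches known contact {known} but address is {addr}")

    attachments = [p.get_filename() for p in msg.iter_attachments() if p.get_filename()]
    risky = [f for f in attachments if os.path.splitext(f)[1].lower() in RISKY_EXTENSIONS]
    if risky and kind != "trusted":
        reasons.append(f"document attachment {risky} from non-trusted sender")

    return {"from": addr, "domain_kind": kind, "attachments": attachments,
            "reasons": reasons, "verdict": "suspicious" if reasons else "ok"}


def build_message(sender: str, reply_to: Optional[str], filename: str) -> bytes:
    """Construct a sample message with one attachment (test data, not a real capture)."""
    m = EmailMessage()
    m["From"] = sender
    m["To"] = "director@most.example.gov"
    m["Subject"] = "Agenda for the bilateral meeting"
    if reply_to:
        m["Reply-To"] = reply_to
    m.set_content("Please review the attached agenda before Thursday.")
    m.add_attachment(b"\xd0\xcf\x11\xe0 constructed placeholder bytes",
                     maintype="application", subtype="octet-stream", filename=filename)
    return m.as_bytes()


# Constructed samples: a lookalike-domain lure reusing a stolen contact name, and a
# legitimate message from the real contact.
PHISH = build_message('"Nguyen Van A" <nguyen.a@mfa-example.gov>',
                      "nguyen.a@mail-deliv.example.net", "Meeting-Agenda.doc")
BENIGN = build_message('"Nguyen Van A" <nguyen.a@mfa.example.gov>', None, "Meeting-Agenda.docx")

if __name__ == "__main__":
    for label, raw in (("phish", PHISH), ("benign", BENIGN)):
        r = triage(raw)
        print(label, r["verdict"], *r["reasons"], sep="\n  ")
```

Run as a script it prints the verdict and every reason for each constructed message. The checks are deliberately header-level, because that is where a reused stolen contact shows up: the display name is right, the mailbox is not. A trusted subdomain (`mail.mfa.example.gov`) is accepted, while a trusted name embedded in a longer attacker domain is treated as a lookalike; a real deployment would add SPF/DKIM results and a macro check on the attachment rather than relying on the extension alone.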
“What drives them is their desire to gather intelligence and spy on countries, and they have spent the past five years quietly developing their skills and introducing a new cyber-weapon with the Aria-body backdoor,” Lotem Finkelsteen, manager of threat intelligence at Check Point, said in a statement.