Tracking Down Geo-Political Intelligence Across APAC, One Nation at a Time
Our recent report, “The Chronicles of the Hellsing APT: the Empire Strikes Back” began with an introduction to the Naikon APT, describing it as “One of the most active APTs in Asia, especially around the South China Sea”. Naikon was mentioned because of its role in what turned out to be a unique and surprising story about payback. It was a Naikon attack on a Hellsing-related organization that first introduced us to the Hellsing APT. Considering the volume of Naikon activity observed and its relentless, repeated attack attempts, such a confrontation was worth looking into, so we did.
The #NaikonAPT group was spear-phished by an actor we now call “Hellsing”Tweet
The Naikon APT aligns with the actor our colleagues at FireEye recently revealed to be APT30, but we haven’t discovered any exact matches. It is hardly surprising that there is an element of overlap, considering both actors have for years mined victims in the South China Sea area, apparently in search of geo-political intelligence.
The #NaikonAPT group has for 5 years mined victims, apparently in search of geo-political intelligenceTweet
This Naikon report will be complemented by a follow-on report that will examine the Naikon TTP and the incredible volume of attack activity around the South China Sea that has been going on since at least 2010.
Noteworthy operational and logistical characteristics of this APT include:
- At least five years of high volume, high profile, geo-political attack activity
- Geographical focus – per-country, individual operator assignment and proxy presence
- Dynamic, well organized infrastructure
- Reliance on an externally developed, consistent set of tools comprising a full-featured backdoor, a builder, and an exploit builder
- High success rate in infiltrating national organisations in ASEAN countries
Highly Focused and Effective Around the South China Sea
In the spring of 2014, we noticed an increase in the volume of attack activity by the Naikon APT. The attackers appeared to be Chinese-speaking and targeted mainly top-level government agencies and civil and military organizations in countries such as the Philippines, Malaysia, Cambodia, Indonesia, Vietnam, Myanmar, Singapore, Nepal, Thailand, Laos and China.
An attack typically starts with an email carrying an attachment that contains information of interest to the potential victim. The document may be based on information from open sources or on proprietary information stolen from other compromised systems.
This bait “document”, or email attachment, appears to be a standard Word document, but is in fact an CVE-2012-0158 exploit, an executable with a double extension, or an executable with an RTLO filename, so it can execute code without the user’s knowledge or consent. When the executable is launched, spyware is installed on the victim computer at the same time as a decoy document is displayed to the user; fooling them into thinking they have simply opened a document.
The Naikon tool of choice generates a special, small, encrypted file which is 8,000 bytes in size, containing code to be injected into the browser along with configuration data. With the help of a start-up module, this whole file is injected into the browser memory and decrypts the configuration block containing the following:
- C&C server
- Ports and path to the server
- User-agent string
- Filenames and paths to its components
- Hash sums of the user API functions
The same code then downloads its main body from the C&C server using the SSL protocol, loads it independently from the operating system functions and, without saving it to the hard drive, hands over control to the XS02 function. All functionality is handled in memory.
The main module is a remote administration utility. Using SSL, the module establishes a reverse connection to the C&C server as follows: it sets up an outgoing connection to the C&C server and checks if there is a command that it should execute. If there is, it executes the command and returns the result to the C&C. There are 48 commands in the module’s repertoire, which a remote operator can use to effectively control the victim computer. This includes taking a complete inventory, downloading and uploading data, installing add-on modules, or working with the command line.
The main module supports 48 commands, which the attackers can use to control the victim machine #NaikonAPTTweet
Here is the complete list of commands:
Several modifications of the main module exist. There are no fundamental differences between modifications; it’s just that extra features get added to the latest versions, such as compression and encryption of transmitted data, or the piecemeal download of large files.
|d085ba82824c1e61e93e113a705b8e9a||118272||Aug 23 18:46:57 2012|
|b4a8dc9eb26e727eafb6c8477963829c||140800||May 20 11:56:38 2013|
|172fd9cce78de38d8cbcad605e3d6675||118784||Jun 13 12:14:40 2013|
|d74a7e7a4de0da503472f1f051b68745||190464||Aug 19 05:30:12 2013|
|93e84075bef7a11832d9c5aa70135dc6||154624||Jan 07 04:39:43 2014|
C&C server operations are characterized by the following:
- Low maintenance requirements
- Organized geo-specific task assignments
- Different approaches to communication
The C&C servers must have required only a few operators to manage the entire network. Each operator appears to have focused on their own particular set of targets, because a correlation exists between C&C and the location of targets/victims.
There is a geo-specific correlation between the location of #NaikonAPT C&Cs and that of targets/victimsTweet
Communication with victim systems changed depending on the target involved. In some cases, a direct connection was established between the victim computer and the C&C. In other cases, the connection was established via dedicated proxy servers installed on dedicated servers rented in third countries. In all likelihood, this additional setup was a reaction to the network administrators in some targets limiting or monitoring outbound network connections from their organizations.
Here is a partial list of C&C servers and victim locations, demonstrating the geo-specific correlation:
XSControl – the Naikon APT’s “victim management software”
In the Naikon scheme, a C&C server can be specialized XSControl software running on the host machine. It can be used to manage an entire network of infected clients. In some cases, a proxy is used to tunnel victim traffic to the XSControl server. A Naikon proxy server is a dedicated server that accepts incoming connections from victim computers and redirects them to the operator’s C&C. An individual Naikon proxy server can be set up in any target country with traffic tunnelling from victim systems to the related C&C servers
XSControl is written in .NET with the use of DevExpress:
Its main capabilities are:
- Accept initial connections from clients
- Provide clients with the main remote administration module
- Enable them to remotely administer infected computers with the help of a GUI
- Keep logs of client activity
- Keep logs of operator activity
- Upload logs and files to an FTP server
The operator’s activity logs contain the following:
- An XML database of downloaded files, specifying the time of operation, the remote path and the local path
- A database of file names, the victim computer registry keys for the folders and requested sections
- A history of executed commands
Country X, Operator X
Now let’s do an overview of one Naikon campaign, focusing on country “X”.
Analysis revealed that the cyber-espionage campaign against country X had been going on for many years. Computers infected with the remote control modules provided attackers with access to employees’ corporate email and internal resources, and access to personal and corporate email content hosted on external services.
Below is a partial list of organizations affected by Naikon’s “operator X’s” espionage campaign in country X.
- Office of the President
- Military Forces
- Office of the Cabinet Secretary
- National Security Council
- Office of the Solicitor General
- Intelligence Services
- Civil Aviation Authority
- Department of Justice
- Federal Police
- Executive/Presidential Administration and Management Staff
A few of these organizations were key targets and under continuous, real-time monitoring. It was during operator X’s network monitoring that the attackers placed Naikon proxies within the countries’ borders, to cloak and support real-time outbound connections and data exfiltration from high-profile victim organizations.
In order to obtain employees’ credentials, operator X sometimes used keyloggers. If necessary, operator X delivered them via the remote control client. In addition to stealing keystrokes, this attacker also intercepted network traffic. Lateral movements included copying over and remotely setting up winpcap across desktop systems within sensitive office networks, then remotely setting up AT jobs to run these network sniffers. Some APTs like Naikon distribute tools such as these across multiple systems in order to regain control if it is lost accidentally and to maintain persistence.
The #NaikonAPT group took advantage of cultural idiosyncrasies in its target countriesTweet
Operator X also took advantage of cultural idiosyncrasies in its target countries, for example, the regular and widely accepted use of personal Gmail accounts for work. So it was not difficult for the Naikon APT to register similar-looking email addresses and to spear-phish targets with attachments, links to sites serving malware, and links to google drive.
The empire strikes back
Every once in a while the Naikon group clashes with other APT groups that are also active in the region. In particular, we noticed that the Naikon group was spear-phished by an actor we now call “Hellsing”. More details about the cloak and dagger games between Naikon and Hellsing can be found in our blogpost: “The Chronicles of the Hellsing APT: The Empire Strikes Back“.
Read more about how you can protect your company against the Naikon threat actor here