Chinese Hackers Using New, Sophisticated Weapon to Spy on Governments, Check Point Says

Photo: Bigstock

According to the Israeli company, the advanced malware enables the hackers to take over servers, hijack communication channels, exfiltrate data and use the servers to attack other departments or governments without being detected. The nation-state actors are said to be using the weapon for a wide-ranging intelligence gathering operation primarily targeting Southeast Asian countries.

Israeli cyber security company Check Point said on May 7 that hackers previously linked to the Chinese military are engaged in a long-term cyber espionage operation against governments in the Asia-Pacific region using an advanced weapon that has never been encountered before.

The advanced persistent threat group called Naikon has been involved in cyber espionage campaigns since at least 2010 but has been keeping a low profile since the publication of a 2015 report that linked it to a unit of the People's Liberation Army, Check Point said.

Naikon is said to be using a new type of malware named Aria-body capable of infiltrating government bodies, taking control of their systems, exfiltrating data and using the documents, contacts and data of those bodies to attack other departments or governments.

The hacker group is reportedly able to remotely alter the attack tool's code and pattern of movement after it infiltrates a system, making the malware very difficult to identify. Aria-body can also be instructed to target specific files on specific computers, the report said.

According to Check Point, Naikon has used the weapon against government ministries and state-owned companies in Australia, Thailand, the Philippines, Brunei, Vietnam, Myanmar and Indonesia. The group is said to have taken over ministerial servers and used them to gather intelligence.

Naikon's activity "includes not only locating and collecting specific documents from infected computers and networks within government departments, but also extracting data from removable drives, taking screenshots and keylogging, and of course harvesting the stolen data for espionage," Check Point said.

"And if that wasn’t enough, to evade detection when accessing remote servers through sensitive governmental networks, the group compromised and used servers within the infected ministries as command and control servers to collect, relay and route the stolen data."

The hacker group has been able to prevent analysts from tracing the operation back to them by utilizing new server infrastructure, continuously changing loader variants, in-memory fileless loading, and a new backdoor, according to the Israeli company.