| Naikon | |
| --- | --- |
| Other Names | BRONZE GENEVA |
| Location | China |
| Date of initial activity | 2010 |
| Suspected Attribution | State-sponsored (assessed China-nexus cyber espionage group) |
| Motivation | Cyberwarfare / espionage |
| Associated Tools | Naikon Implant, PlugX, Poison Ivy, Sogu (Sogu RAT), Royal Road |
| Software | Windows |
Overview
Naikon is a persistent threat actor focused on high-profile government and military targets. Operating primarily in the Asia-Pacific region, Naikon has been active since at least 2010, using cyber espionage techniques to infiltrate key institutions and gather intelligence from them. This Chinese-speaking threat group is known for deliberate, strategic targeting of top-level government agencies and civil and military organizations, particularly those situated around the South China Sea.
Naikon’s activities have affected a broad range of countries, including the Philippines, Malaysia, Cambodia, Indonesia, Vietnam, Myanmar, Singapore, Nepal, Thailand, Laos, and China. Despite the group’s primary focus on high-value targets, there is a potential risk to ordinary consumers, particularly if they are connected to individuals of interest or if their systems are exposed to similar malware.
Common Targets
- Public Administration
- Philippines
- Malaysia
- Cambodia
- Indonesia
- Vietnam
- Myanmar
- Singapore
- Nepal
- Thailand
- Laos
- China
Attack vectors
- Phishing (spear-phishing e-mails carrying weaponized attachments)
- Software Vulnerabilities (Office document exploits delivered through those attachments)
Associated Tools
Naikon Implant: A bespoke backdoor written for the group's espionage operations, used to keep access to a compromised host and to exfiltrate data.
PlugX: A widely shared, modular remote access tool that lets the operator run commands, browse the file system, and exfiltrate data from infected systems.
Poison Ivy: An older, publicly available remote access Trojan (RAT) used for remote control of compromised systems and data extraction.
Sogu (Sogu RAT): Another vendor name for PlugX (also tracked as Korplug); listings that name both are referring to the same malware family.
Royal Road: An RTF weaponizer shared among several China-nexus groups. It builds malicious RTF attachments that exploit vulnerabilities in Microsoft Office's Equation Editor to drop and run a payload when the document is opened.
How they work
Naikon's attack strategies revolve predominantly around spear-phishing, which exploits the recipient rather than a weakness in the perimeter to gain initial access. The group crafts targeted e-mails that appear to come from legitimate sources and carry a malicious attachment. The attachment is typically a weaponized document, such as an RTF built with Royal Road that exploits an Office vulnerability, or an executable disguised as a document; opening it runs a first-stage dropper that installs the backdoor. The method is effective because the file arrives through a channel the target trusts and the exploit runs inside a trusted application, so signature-based mail filtering and perimeter controls see little that looks out of place.
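A mail gateway or analyst can triage an RTF attachment for the pattern described above before anyone opens it. The script below is an added example, not code from the page or from any Naikon sample: it splits an RTF at each `{\object` group, reads the declared `\objclass`, decodes the `\objdata` hex to read the class name from the OLE 1.0 header, and flags Equation Editor objects, `\objupdate` (which makes Office activate the object on open, so no click is needed), and class-name mismatches. The RTF it runs against is constructed inline; the `helper` functions and thresholds are the example's own choices.

```python
"""RTF attachment triage for embedded OLE objects (added example, constructed sample)."""
from __future__ import annotations

import re
import struct
from dataclasses import dataclass


@dataclass
class OleObject:
    class_name: str         # value of \objclass as declared in the RTF
    ole_class_in_data: str  # class name inside the OLE 1.0 header of \objdata
    auto_update: bool       # \objupdate present: object activates on open
    native_size: int        # decoded \objdata length in bytes


def _ole1_class(blob: bytes) -> str:
    """Read the class name from an OLE 1.0 embedded-object header:
    DWORD OLEVersion, DWORD FormatID, DWORD name length, NUL-terminated name."""
    if len(blob) < 12:
        return ""
    n = int.from_bytes(blob[8:12], "little")
    return blob[12:12 + n].rstrip(b"\x00").decode("ascii", "replace")


def extract_objects(rtf: bytes) -> list[OleObject]:
    """Split the RTF at each {\\object group and record what each one embeds."""
    found: list[OleObject] = []
    for chunk in re.split(rb"(?=\{\\object\b)", rtf):
        if not chunk.startswith(b"{\\object"):
            continue
        cls = re.search(rb"\\objclass\s+([^\\{}]+)", chunk)
        data = re.search(rb"\\objdata\s*([0-9a-fA-F\s]+)", chunk)
        blob = b""
        if data:
            try:
                blob = bytes.fromhex(re.sub(rb"\s", b"", data.group(1)).decode("ascii"))
            except ValueError:
                blob = b""  # malformed hex: size stays 0, the object is still reported
        found.append(OleObject(
            class_name=cls.group(1).strip().decode("ascii", "replace") if cls else "",
            ole_class_in_data=_ole1_class(blob),
            auto_update=b"\\objupdate" in chunk,
            native_size=len(blob),
        ))
    return found


def triage(rtf: bytes) -> dict:
    """Return the object count and the reasons, if any, to treat the file as hostile."""
    objects = extract_objects(rtf)
    reasons = []
    for obj in objects:
        names = {obj.class_name, obj.ole_class_in_data}
        if any(n.startswith("Equation") for n in names):
            reasons.append(f"Equation Editor object ({obj.class_name or obj.ole_class_in_data})")
        if obj.auto_update:
            reasons.append(f"\\objupdate on {obj.class_name or 'unnamed object'}: activates without a click")
        if obj.class_name and obj.ole_class_in_data and obj.class_name != obj.ole_class_in_data:
            reasons.append(f"declared class {obj.class_name} differs from embedded {obj.ole_class_in_data}")
    return {"objects": len(objects), "reasons": reasons, "suspicious": bool(reasons)}


def _ole1_object(class_name: bytes, payload: bytes) -> bytes:
    """Build a minimal OLE 1.0 embedded object for the constructed sample."""
    return (struct.pack("<III", 0x00000501, 2, len(class_name) + 1) + class_name + b"\x00"
            + struct.pack("<II", 0, 0)  # empty topic and item names
            + struct.pack("<I", len(payload)) + payload)


# Constructed sample, not a real Naikon document: a one-line memo carrying an
# auto-updating Equation Editor object (the Royal Road pattern) and a benign
# embedded spreadsheet for contrast.
SAMPLE_RTF = (
    b"{\\rtf1\\ansi Agenda for the regional meeting.\\par "
    b"{\\object\\objemb\\objupdate{\\*\\objclass Equation.3}{\\*\\objdata "
    + _ole1_object(b"Equation.3", b"\x90" * 64).hex().encode() + b"}}"
    b"{\\object\\objemb{\\*\\objclass Excel.Sheet.8}{\\*\\objdata "
    + _ole1_object(b"Excel.Sheet.8", b"\x00" * 16).hex().encode() + b"}}}"
)

if __name__ == "__main__":
    print(triage(SAMPLE_RTF))
```

The check is deliberately format-level: it does not need a signature for any particular exploit, only the observation that a memo has no business embedding an auto-updating Equation Editor object. Real attachments may obfuscate the control words (split hex across lines, insert junk groups), so treat a parse failure as a reason to sandbox the file, not as a clean result.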
Once access is established, Naikon uses remote access Trojans (RATs) such as PlugX and Poison Ivy to control infected systems, conduct surveillance, and gather intelligence. The implants communicate with the group's command and control (C2) servers over standard protocols such as HTTP and HTTPS, so their beacons blend in with ordinary web traffic, and some tools use custom protocols to evade detection and maintain a persistent presence in the network.
Exfiltration reuses the C2 channel, which avoids opening a second connection that might be noticed. Collected files may first be staged on a compromised host, held in a local directory, before being sent out; separating collection from the upload makes the activity harder to reconstruct. For persistence, Naikon creates scheduled tasks that run its payloads at specified intervals, so the implant survives reboots and comes back on a predictable cadence.
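The C2 and exfiltration behaviour in the two paragraphs above leaves a measurable trace in proxy logs: a timer-driven implant produces near-constant gaps between requests, and exfiltration over that same channel shows up as one request whose outbound size dwarfs the others. The script below is an added example (not the page's or the group's code) that scores each client/destination pair on the jitter of its inter-request gaps and then looks for an oversized upload; the log lines, hosts, and thresholds are constructed for the example.

```python
"""Beacon and exfiltration hunting over web-proxy logs (added example, constructed data)."""
from __future__ import annotations

import random
import statistics
from collections import defaultdict
from datetime import datetime, timedelta


def build_sample_log() -> list[str]:
    """Constructed proxy log, not real traffic.

    Line format: <ISO timestamp> <client> <destination host> <method> <bytes out> <bytes in>.
    One client beacons to a C2 host every ~300 s with small POSTs and then pushes one
    large upload; another client browses a news site at irregular intervals.
    """
    rng = random.Random(7)
    t0 = datetime(2024, 3, 4, 9, 0, 0)
    lines = []
    t = t0
    for _ in range(12):
        t += timedelta(seconds=300 + rng.randint(-4, 4))
        lines.append(f"{t.isoformat()} 10.0.5.23 update.example-cdn.test POST 612 210")
    t += timedelta(seconds=300)
    lines.append(f"{t.isoformat()} 10.0.5.23 update.example-cdn.test POST 8388608 210")
    t = t0
    for _ in range(30):
        t += timedelta(seconds=rng.randint(5, 900))
        lines.append(f"{t.isoformat()} 10.0.5.40 www.news.test GET 700 {rng.randint(2000, 90000)}")
    return sorted(lines)


def analyze(lines: list[str], min_events: int = 8, max_jitter: float = 0.15,
            exfil_ratio: int = 20) -> list[dict]:
    """Flag client/host pairs that beacon on a steady period and note oversized uploads.

    jitter = median absolute deviation of the gaps / median gap: close to zero for a
    timer-driven implant, around 0.5 for a person clicking through a site.
    """
    sessions: dict[tuple[str, str], list[tuple[datetime, int]]] = defaultdict(list)
    for line in lines:
        ts, src, dst, _method, out_bytes, _in_bytes = line.split()
        sessions[(src, dst)].append((datetime.fromisoformat(ts), int(out_bytes)))

    findings = []
    for (src, dst), events in sessions.items():
        if len(events) < min_events:
            continue
        events.sort()
        gaps = [(b[0] - a[0]).total_seconds() for a, b in zip(events, events[1:])]
        period = statistics.median(gaps)
        if period <= 0:
            continue
        jitter = statistics.median(abs(g - period) for g in gaps) / period
        if jitter > max_jitter:
            continue
        sizes = [size for _, size in events]
        typical = statistics.median(sizes)
        bursts = [s for s in sizes if s > exfil_ratio * typical]
        findings.append({
            "src": src, "dst": dst, "events": len(events),
            "period_s": round(period), "jitter": round(jitter, 3),
            "exfil_bytes": max(bursts) if bursts else 0,
        })
    return findings


if __name__ == "__main__":
    for finding in analyze(build_sample_log()):
        print(finding)
```

Two caveats when running this on real logs: legitimate software updaters also beacon on a timer, so the period alone is a lead rather than a verdict (the destination's reputation and the size burst are what make it worth an analyst's time), and PlugX variants that use a custom protocol on a non-web port never reach the proxy at all, which is why the same idea needs to be applied to NetFlow or firewall logs as well.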
Naikon's operations illustrate the multi-stage shape of a modern APT intrusion: spear-phishing for initial access, RATs for control, and exfiltration hidden inside the C2 channel. Organizations in the group's target set should combine endpoint detection and response, careful handling of e-mail attachments (Office and RTF documents in particular), and prompt patching of Office and Windows, since the initial exploit relies on a known vulnerability in a common application.
MITRE Tactics and Techniques (ATT&CK tracks the group as G0019)
Phishing (T1566): Naikon uses spear-phishing e-mails with malicious attachments or links to gain initial access to targeted systems.
Spearphishing Attachment (T1566.001): The attachments are weaponized documents, such as RTF files carrying an exploit for an Office vulnerability, that install malware when opened.
Application Layer Protocol (T1071), Web Protocols (T1071.001): The implants talk to their C2 servers over HTTP and HTTPS so that beacons blend with normal web traffic; some tools also use custom protocols. (Command and Control is the tactic, TA0011; T1071 is the technique under it.)
PlugX and Poison Ivy: These RATs give Naikon remote control of and visibility into infected systems. T1219 (Remote Access Software) covers legitimate remote-administration products and does not apply to custom implants; ATT&CK tracks the two RATs as Software entries instead (PlugX S0013, PoisonIvy S0012).
Exfiltration Over C2 Channel (T1041): Data is exfiltrated from compromised systems through the same channel used for command and control.
Data Staged (T1074): Naikon may stage collected data on compromised systems before exfiltration.
Scheduled Task/Job (T1053), Scheduled Task (T1053.005): The actor creates Windows scheduled tasks to maintain persistence and execute payloads at specific times.
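The scheduled-task persistence listed here (and described under "How they work") is one of the easier Naikon behaviours to hunt, because Windows records every task creation as Security event 4698 with the task's full XML in the TaskContent field. The script below is an added example, not code from the page or any vendor: it parses exported 4698 events, pulls the Exec actions out of the embedded task XML, and flags tasks that launch a DLL or script through a living-off-the-land binary, reference a user-writable directory, or hide under the \Microsoft\ folder while being created by an ordinary user. The two events are constructed inline; the host names, user names, paths, and rule thresholds are the example's own.

```python
"""Hunt Windows 4698 (scheduled task created) events for implant persistence (added example)."""
from __future__ import annotations

import re
import xml.etree.ElementTree as ET
from xml.sax.saxutils import escape

EVT_NS = "{http://schemas.microsoft.com/win/2004/08/events/event}"
TASK_NS = "{http://schemas.microsoft.com/windows/2004/02/mit/task}"

# Binaries a scheduled task has little reason to launch directly; implants use
# them to load a DLL or script from somewhere the user can write to.
LOLBINS = {"rundll32.exe", "regsvr32.exe", "mshta.exe", "powershell.exe",
           "wscript.exe", "cscript.exe", "cmd.exe", "certutil.exe"}
USER_WRITABLE = ("\\appdata\\", "\\temp\\", "\\programdata\\", "\\users\\public\\", "\\downloads\\")
SYSTEM_ACCOUNTS = {"system", "local service", "network service"}


def parse_event(xml_text: str) -> dict:
    """Pull computer, user, task name and Exec actions out of an exported 4698 event."""
    root = ET.fromstring(xml_text)
    data = {d.get("Name"): (d.text or "") for d in root.iter(f"{EVT_NS}Data")}
    # TaskContent is the task's own XML, stored escaped and with a UTF-16
    # declaration; drop the declaration so the already-decoded text parses.
    content = re.sub(r"^\s*<\?xml[^>]*\?>", "", data.get("TaskContent", ""))
    task = ET.fromstring(content)
    actions = [(ex.findtext(f"{TASK_NS}Command", default="").strip(),
                ex.findtext(f"{TASK_NS}Arguments", default="").strip())
               for ex in task.iter(f"{TASK_NS}Exec")]
    return {
        "computer": root.findtext(f"{EVT_NS}System/{EVT_NS}Computer", default=""),
        "user": data.get("SubjectUserName", ""),
        "task": data.get("TaskName", ""),
        "actions": actions,
    }


def assess(event: dict) -> list[str]:
    """Return the reasons this task looks like implant persistence (empty if none)."""
    reasons = []
    for command, arguments in event["actions"]:
        exe = command.lower().replace("/", "\\").rsplit("\\", 1)[-1].strip('"')
        text = f"{command} {arguments}".lower()
        if exe in LOLBINS:
            reasons.append(f"action runs through {exe}")
        if any(path in text for path in USER_WRITABLE):
            reasons.append("action loads from a user-writable directory")
    # Heuristic: OS-installed tasks under \Microsoft\ are created by SYSTEM, not by a user.
    if event["task"].lower().startswith("\\microsoft\\") and event["user"].lower() not in SYSTEM_ACCOUNTS:
        reasons.append(f"task placed under \\Microsoft\\ but created by {event['user']}")
    return reasons


def hunt(event_xmls: list[str]) -> list[dict]:
    """Parse and assess each event; return only the ones with findings."""
    flagged = []
    for xml_text in event_xmls:
        event = parse_event(xml_text)
        reasons = assess(event)
        if reasons:
            flagged.append({**event, "reasons": reasons})
    return flagged


def _task_xml(command: str, arguments: str) -> str:
    """Constructed task definition in the Task Scheduler schema."""
    return ('<?xml version="1.0" encoding="UTF-16"?>'
            f'<Task version="1.2" xmlns="{TASK_NS[1:-1]}">'
            '<Triggers><TimeTrigger><StartBoundary>2024-03-04T09:12:00</StartBoundary>'
            '<Repetition><Interval>PT15M</Interval></Repetition></TimeTrigger></Triggers>'
            f'<Actions Context="Author"><Exec><Command>{escape(command)}</Command>'
            f'<Arguments>{escape(arguments)}</Arguments></Exec></Actions></Task>')


def _event_4698(computer: str, user: str, task_name: str, task_xml: str) -> str:
    """Constructed 4698 record in exported-XML shape; TaskContent is escaped as Windows stores it."""
    return (f'<Event xmlns="{EVT_NS[1:-1]}"><System><EventID>4698</EventID>'
            f'<Computer>{computer}</Computer></System><EventData>'
            f'<Data Name="SubjectUserName">{user}</Data>'
            f'<Data Name="TaskName">{escape(task_name)}</Data>'
            f'<Data Name="TaskContent">{escape(task_xml)}</Data></EventData></Event>')


def sample_events() -> list[str]:
    """Constructed events, not real telemetry: one implant-style task, one admin task."""
    return [
        _event_4698("WS01.corp.test", "jdoe", "\\Microsoft\\Windows\\UpdateCheck",
                    _task_xml("rundll32.exe", "C:\\Users\\jdoe\\AppData\\Roaming\\Helper\\helper.dll,Start")),
        _event_4698("SRV02.corp.test", "svc_backup", "\\Corp\\NightlyBackup",
                    _task_xml("C:\\Program Files\\Corp\\backup.exe", "--full")),
    ]


if __name__ == "__main__":
    for hit in hunt(sample_events()):
        print(hit["computer"], hit["task"], hit["reasons"])
```

Event 4698 is only written when the "Audit Other Object Access Events" subcategory is enabled, so check the audit policy before concluding that no tasks were created; the same rules can be run over Sysmon process-creation events for schtasks.exe or over the task XML files under C:\Windows\System32\Tasks when the Security log has already rolled over.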