MALACAÑANG, the military, the country’s intelligence agency as well as the Justice department were among the critical government offices that have allegedly been infiltrated by a cyber espionage group, a report posted on the website of an international software security firm claimed.
Kaspersky Lab, a Moscow-based firm that operates in almost 200 countries, said the group identified as Naikon has been targeting government websites and servers in the Philippines along with neighboring countries such as Vietnam, Indonesia, Malaysia, Thailand, Cambodia, Myanmar, Singapore, Laos, Nepal and even China.
An infographic illustrating the extent of the cyber attack listed the Office of the President, the Office of the Cabinet Secretary, the National Security Council, the National Intelligence Coordinating Agency, the Office of the Solicitor General, the Department of Justice and the Civil Aviation Authority of the Philippines as among the “top level” agencies “affected by Naikon in country X.”
While it did not specifically identify the Philippines, the names of the targets bore similarities to the names of the country’s national government agencies.
“Analysis revealed that the cyber espionage campaign against country X had been going on for many years. Computers infected with the remote control modules provided attackers with access to employees’ corporate email and internal resources, and access to personal and corporate email content hosted on external services,” Kurt Baumgartner, principal security researcher of Kaspersky Lab, said in an article titled “The Naikon APT: Tracking Down Geo-Political Intelligence Across APAC, One Nation at a Time.”
Kaspersky Lab said the objective of the attack was to gather “geopolitical intelligence” from countries “around the South China Sea.”
The experts noted that the wave of attacks started in the second quarter of 2014, around the time a Chinese Coast Guard ship attempted to intercept a Philippine-flagged boat that had been sent to deliver supplies to Filipino Marines stationed on board the BRP Sierra Madre, which serves as the country’s garrison in the Ayungin Shoal.
The report said the attackers “appeared to be Chinese-speaking.”
“Naikon’s targets are hit using traditional spear-phishing techniques, with e-mails carrying attachments designed to be of interest to the potential victim. This attachment might look like a Word document, but is in fact an executable file with a double extension,” the report said.
“The criminals behind the Naikon attacks managed to devise a very flexible infrastructure that can be set up in any target country, with information tunneling from victim systems to the command center. If the attackers then decide to hunt down another target in another country, they could simply set up a new connection. Having dedicated operators focused on their own particular set of targets also makes things easy for the Naikon espionage group,” said Kurt Baumgartner, principal security researcher of Kaspersky Lab’s GReAT team.
In the piece, which Baumgartner co-wrote with fellow Kaspersky Lab expert Maxim Golovkin, he explained the technicalities of the attack.
“An attack typically starts with an email carrying an attachment that contains information of interest to the potential victim. The document may be based on information from open sources or on proprietary information stolen from other compromised systems.
“This bait ‘document,’ or email attachment, appears to be a standard Word document, but is in fact a CVE-2012-0158 exploit, an executable with a double extension, or an executable with an RTLO filename, so it can execute code without the user’s knowledge or consent. When the executable is launched, spyware is installed on the victim computer at the same time as a decoy document is displayed to the user, fooling them into thinking they have simply opened a document.”
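The two filename disguises the report describes, a double extension and a right-to-left override (RTLO) character, can both be caught by looking at the real extension rather than the rendered name. The following triage check is an added example written for this article, not code from Kaspersky Lab or the Naikon report; the extension lists and the sample attachment names are constructed for illustration.

```python
# Added example (not from the article or Kaspersky's report): flag mail
# attachment names that look like documents but would run as executables.
# Two disguises from the report are covered:
#   1. double extension, e.g. "agenda.doc.exe" (real extension is .exe)
#   2. RTLO (U+202E) override, e.g. "brief_\u202ecod.exe", which a file
#      manager renders as "brief_exe.doc" while the OS still sees ".exe".

# Constructed subsets; extend for your environment.
EXECUTABLE_EXTS = {"exe", "scr", "com", "pif", "bat", "cmd", "js", "vbs"}
DOCUMENT_EXTS = {"doc", "docx", "xls", "xlsx", "pdf", "rtf", "ppt", "pptx"}
# Unicode bidi controls that can reorder how a name is displayed.
BIDI_OVERRIDES = {"\u202e", "\u202d", "\u202b", "\u202a", "\u2066", "\u2067", "\u2068"}


def rendered_name(name):
    """Approximate what a file manager shows: text after an RTLO is drawn reversed."""
    if "\u202e" not in name:
        return name
    head, _, tail = name.partition("\u202e")
    return head + tail[::-1]


def real_extension(name):
    """The extension the OS actually uses: everything after the last dot."""
    return name.rsplit(".", 1)[-1].lower() if "." in name else ""


def triage_attachment(name):
    """Return a list of findings for one filename; an empty list means nothing flagged."""
    findings = []
    ext = real_extension(name)
    parts = name.split(".")
    if any(ch in BIDI_OVERRIDES for ch in name):
        findings.append(f"bidi override present; renders as {rendered_name(name)!r} "
                        f"but real extension is .{ext}")
    # Double extension: a document-looking part immediately before an executable suffix.
    if len(parts) >= 3 and ext in EXECUTABLE_EXTS and parts[-2].lower() in DOCUMENT_EXTS:
        findings.append(f"double extension .{parts[-2].lower()}.{ext}")
    if ext in EXECUTABLE_EXTS and not findings:
        findings.append(f"executable attachment .{ext}")
    return findings


def scan_attachments(names):
    """Map each attachment name to its findings, keeping only the flagged ones."""
    return {n: f for n in names if (f := triage_attachment(n))}


if __name__ == "__main__":
    # Constructed sample attachment names.
    sample = ["agenda.docx", "agenda.doc.exe", "brief_\u202ecod.exe", "notes.pdf.scr"]
    for n, f in scan_attachments(sample).items():
        print(repr(n), "->", "; ".join(f))
```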
They said the targeted government agencies have since been placed under continuous, real-time monitoring.
“It was during operator X’s network monitoring that the attackers placed Naikon proxies within the countries’ borders, to cloak and support real-time outbound connections and data exfiltration from high-profile victim organizations.”
The Naikon group also took advantage of cultural idiosyncrasies in its target countries, the Kaspersky Lab experts said.
They said it was not difficult for Naikon hackers to infiltrate their targets as the targeted agencies appear to allow “the regular and widely accepted use of personal Gmail accounts for work.”
“So it was not difficult for Naikon to register similar-looking email addresses and to spear-phish targets with attachments, links to sites serving malware, and links to Google drive,” the experts added.
Kaspersky Lab has identified the following hallmarks of Naikon operations:
• Each target country has a designated human operator, whose job it is to take advantage of cultural aspects of the country, such as a tendency to use personal email accounts for work;
• The placing of infrastructure (a proxy server) within the country’s borders to provide daily support for real-time connections and data exfiltration;
• At least five years of high volume, high profile, geo-political attack activity;
• Platform-independent code, and the ability to intercept the entire network traffic;
• 48 commands in the repertoire of the remote administration utility, including commands for taking a complete inventory, downloading and uploading data, installing add-on modules, or working with the command line.
Kaspersky Lab gave website and network administrators the following tips on how to protect themselves against Naikon attacks:
• Don’t open attachments and links from people you don’t know;
• Use an advanced anti-malware solution;
• If you are unsure about the attachment, try to open it in a sandbox;
• Make sure you have an up-to-date version of your operating system with all patches installed.
“The Naikon cyber espionage threat actor was first mentioned by Kaspersky Lab in its recent report, ‘The Chronicles of the Hellsing APT: The Empire Strikes Back’ where the actor played a pivotal role in what turned out to be a unique story about payback in the world of advanced persistent threats. Hellsing is another threat actor who decided to take revenge when hit by Naikon.”