On the morning of Jan. 3, an email was sent from the Indonesian Embassy in Australia to a member of the premier of Western Australia’s staff who worked on health and ecological issues. Attached was a Word document that aroused no immediate suspicions, since the intended recipient knew the supposed sender.
The attachment contained an invisible cyberattack tool called Aria-body, which had never been detected before and had alarming new capabilities. Hackers who used it to remotely take over a computer could copy, delete or create files and carry out extensive searches of the device’s data, and the tool had new ways of covering its tracks to avoid detection.
Now a cybersecurity company in Israel has identified Aria-body as a weapon wielded by a group of hackers, called Naikon, that has previously been traced to the Chinese military. And it was used against far more targets than the office of Mark McGowan, the premier of Western Australia, according to the company, Check Point Software Technologies, which released a report Thursday about the tool.
In the preceding months, Naikon had also used it to hack government agencies and state-owned technology companies in Indonesia, the Philippines, Vietnam, Myanmar and Brunei, according to Check Point, which said the attacks underscored the breadth and sophistication of China’s use of cyberespionage against its neighbors.
“The Naikon group has been running a long-standing operation, during which it has updated its new cyberweapon time and time again, built an extensive offensive infrastructure and worked to penetrate many governments across Asia and the Pacific,” said Lotem Finkelstein, head of the cyberthreat intelligence group at Check Point.
What made these attacks so alarming, according to Check Point and other experts on Chinese cyberespionage, was the intrusive capabilities of Aria-body, the group’s new tool.
Aria-body could penetrate any computer used to open the file in which it was embedded and quickly make the computer obey the hackers’ instructions. That could include setting up a secret, hard-to-detect line of communication by which data on the targeted computer would flow to servers used by the attackers.
It could also replicate typing being done by the target user, meaning that had the Australia attack not been detected, the tool would have allowed whoever controlled it to see what a staff member was writing in the premier’s office in real time.
The Australian government, which has been engaged in a contentious internal debate over concerns about Chinese interference, did not immediately respond to questions about the report.
“We know that China is probably the single biggest source of cyberespionage coming into Australia by a very long way,” said Peter Jennings, a former Australian defense official who is executive director of the Australian Strategic Policy Institute.
Faced with such criticism in recent years, Beijing has maintained that it is opposed to cyberattacks of any kind and that the Chinese government and military do not engage in hacking for the theft of trade secrets.
China’s cyberespionage efforts have shown no sign of relenting globally and may be intensifying as tensions with Australia, the United States and other countries have risen over trade, technology and, more recently, disputes over the coronavirus pandemic. Experts say its aim is to steal vast amounts of data from foreign governments and companies.
“This may be different in design, but these attacks all have the same purpose,” said Matthew Brazil, an American former diplomat and author of a new book on Chinese espionage, referring to Aria-body.
According to Check Point, the hacker using Aria-body was able to take over the computer used by an Indonesian diplomat at the embassy in Canberra, the Australian capital. The hacker found a document that the diplomat was working on, completed it and then sent it to the staff member in the Western Australian premier’s office, armed with the Aria-body tool.
It was discovered only because of a simple human error.
The hacker sending the email dispatched it to the wrong address. When the server in the premier’s office returned it with a note saying the email address had not been found, the transmission aroused suspicion that something in the original message was fishy, the authors of Check Point’s report wrote. That prompted the investigation that revealed the attempted attack — and its novel weapon.
Naikon was previously investigated by a U.S. cybersecurity company, ThreatConnect, which in 2015 published a wide-ranging report on the group’s connection to the People’s Liberation Army.
The hacking group appeared to operate as part of the military’s Second Technical Reconnaissance Bureau, Unit 78020, based mainly in the southern city of Kunming, according to ThreatConnect. It is said to be responsible for China’s cyberoperations and technological espionage in Southeast Asia and the South China Sea, where Beijing is embroiled in territorial disputes with its neighbors.
A report by the Kaspersky Lab, a Russian cybersecurity company, called the group one of Asia’s most active “advanced persistent threats,” a term that security experts often use to describe state-backed hackers who run long-term campaigns of intrusion.
After the 2015 report disclosed Naikon’s main cyberweapons, the group seemed to disappear. Brazil, the former diplomat, noted that China had since reorganized its cyberespionage forces, shifting some from the People’s Liberation Army to the Ministry of State Security, effectively dividing their duties between military intelligence and diplomatic and economic espionage.
Check Point’s report suggests that Naikon may have remained active, though it is not clear whether it has shifted out of the military chain of command.
Since early 2019, according to the Check Point report, the group has accelerated efforts to expand its online infrastructure. The hacking group has purchased server space from Alibaba, the Chinese technology company, and registered domain names on GoDaddy, a U.S. web-hosting firm.
In one case, Naikon commandeered a server of the Philippines’ Department of Science and Technology and used it to help disguise the origin of a Naikon attack by making it seem as if it came from that server.
The group would intrude into computers by hiding Aria-body in Microsoft Word documents and files that install Microsoft Office programs. What made it difficult to discover was its ability to conceal itself much more effectively than other such tools.
Aria-body could attach itself as a parasite to various types of files so that it did not have a set pattern of movement. Its operators could change part of its code remotely so that after attacking one computer, Aria-body would look different when it breached the next one. Such patterns are often telltale signs for security investigators.
“People sometimes fail to see the industrial-strength capacity that China has to do this on a global scale,” said Jennings, the Australian former defense official. “We’re talking about tens of thousands of people who are operating in their signals intelligence unit and Ministry of State Security. China has both the capacity and a long-demonstrated intent to do this wherever it thinks it can extract useful information.”
Check Point did not disclose all of the targets it said Naikon had infiltrated but said they included embassies, ministries and state-owned corporations dealing with science and technology.
“Throughout our research we found that the group adjusted its signature weapon to search for specific files by names within the compromised ministries,” said Finkelstein, the Check Point expert. “This fact alone strengthens the understanding that there was a significant, well-thought infrastructure and preoperation intelligence collection.”