Naikon is assessed to be a state-sponsored cyber espionage group attributed to the Chinese People’s Liberation Army’s (PLA) Chengdu Military Region Second Technical Reconnaissance Bureau (Military Unit Cover Designator 78020).[1] Active since at least 2010, Naikon has primarily conducted operations against government, military, and civil organizations in Southeast Asia, as well as against international bodies such as the United Nations Development Programme (UNDP) and the Association of Southeast Asian Nations (ASEAN).[1][2]
While Naikon shares some characteristics with APT30, the two groups do not appear to be exact matches.[3]
Domain | ID | Name | Use | |
---|---|---|---|---|
Enterprise | T1547 | .001 | Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder |
Naikon has modified a victim's Windows Run registry to establish persistence.[4] |
Enterprise | T1574 | .002 | Hijack Execution Flow: DLL Side-Loading |
Naikon has used DLL side-loading to load malicious DLL's into legitimate executables.[5] |
Enterprise | T1036 | .004 | Masquerading: Masquerade Task or Service |
Naikon renamed a malicious service |
.005 | Masquerading: Match Legitimate Name or Location |
Naikon has disguised malicious programs as Google Chrome, Adobe, and VMware executables.[4] |
||
Enterprise | T1046 | Network Service Scanning |
Naikon has used the LadonGo scanner to scan target networks.[4] |
|
Enterprise | T1137 | .006 | Office Application Startup: Add-ins |
Naikon has used the RoyalRoad exploit builder to drop a second stage loader, intel.wll, into the Word Startup folder on the compromised host.[5] |
Enterprise | T1566 | .001 | Phishing: Spearphishing Attachment |
Naikon has used malicious e-mail attachments to deliver malware.[5] |
Enterprise | T1018 | Remote System Discovery |
Naikon has used a netbios scanner for remote machine identification.[4] |
|
Enterprise | T1053 | .005 | Scheduled Task/Job: Scheduled Task |
Naikon has used schtasks.exe for lateral movement in compromised networks.[4] |
Enterprise | T1518 | .001 | Software Discovery: Security Software Discovery |
Naikon uses commands such as |
Enterprise | T1016 | System Network Configuration Discovery |
Naikon uses commands such as |
|
Enterprise | T1204 | .002 | User Execution: Malicious File |
Naikon has convinced victims to open malicious attachments to execute malware.[5] |
Enterprise | T1078 | .002 | Valid Accounts: Domain Accounts |
Naikon has used administrator credentials for lateral movement in compromised networks.[4] |
Enterprise | T1047 | Windows Management Instrumentation |