WA Premier targeted in China-linked cyber attack

By Dylan Bushell-Embling
Monday, 11 May, 2020

WA Premier targeted in China-linked cyber attack

WA Premier Mark McGowan has been confirmed as the target of a sophisticated cyber attack by foreign adversaries believed to be linked to the Chinese military.

The attack, conducted by a cyber espionage group known as Naikon APT, was first exposed by Check Point Research in a threat report on Thursday.

The report traced a malware attack unknowingly sent from an Australian Government embassy in Asia–Pacific to “an Australian state government” using the powerful Aria-body backdoor.

While the New York Times had originally reported that the attack targeted Prime Minster Scott Morrison, it has since been confirmed that the intended target was the WA Premier’s office.

McGowan told News.com.au that he has referred the matter to the director-general of the Department of Premier and Cabinet for investigation, but that he knows nothing about the attack beyond what has been reported.

Naikon-APT was originally exposed by Kaspersky Lab researchers in 2015 conducting attacks against top-level government agencies around the South China Sea. Since then no evidence of further activity by the group had been published.

But Check Point’s report states that the group has been engaged in a stealth espionage campaign since the original report was published, targeting governments including Australia, Indonesia, the Philippines, Vietnam, Thailand, Myanmar and Brunei.

The attack on the WA Government involved a malicious RTF file being sent from the embassy. This file was infected with an exploit loader that tries to download and execute the next stage payload from the attack.

Other attacks involved archive files that contain a legitimate executable and a malicious DLL as well as malicious executable files.

Once delivered onto a compromised system, the Aria-body backdoor takes additional steps including injecting itself into another process such as rundll21.exe or dllhost.exe, establishes communication with a command and control server, and finally delivers and decrypts a remote access trojan (RAT).

This RAT grants attackers the ability to create and delete files and directories, take screenshots, launch files, gather files’ metadata and collect OS information. Some variations also include capabilities such as USB data gathering, keylogging and loading extensions.

“In this campaign, we uncovered the latest iteration of what seems to be a long-running Chinese-based operation against various government entities in APAC,” Check Point said in its report.

“While the Naikon APT group has kept under the radar for the past 5 years, it appears that they have not been idle. In fact, quite the opposite. By utilizing new server infrastructure, ever-changing loader variants, in-memory fileless loading, as well as a new backdoor — the Naikon APT group was able to prevent analysts from tracing their activity back to them.”

In addition to the sophisticated methods Naikon APT has used to stay undetected for so long, another concerning aspect of the report is the use of compromised government networks in the attacks.

Besides the embassy unwittingly used to target the WA Government, the report notes that Check Point researchers uncovered evidence of a backup command and control server being hosted on an IP belonging to the Philippines Department of Science and Technology.

Image credit: ©stock.adobe.com/au/Brian Jackson

Related Articles

Study: Employee personal devices pose risk to corporate data

A Trend Micro survey has highlighted the risks posed by smart home devices to the corporate...

Aussie hackers targeting Facebook, Wi-Fi, says NordVPN

Research from NordVPN found that 43% of Australians looking to break into something were...

ACSC receives one cybercrime report every 10 min

The Australian Cyber Security Centre's inaugural Annual Threat Report for 2020 found that...

  • All content Copyright © 2020 Westwick-Farrow Pty Ltd