Naikon
Overview
Naikon is assessed to be a state-sponsored cyber espionage group attributed to the Chinese People’s Liberation Army’s (PLA) Chengdu Military Region Second Technical Reconnaissance Bureau (Military Unit Cover Designator 78020). Active since at least 2010, Naikon has primarily conducted operations against government, military, and civil organizations in Southeast Asia, as well as against international bodies such as the United Nations Development Programme (UNDP) and the Association of Southeast Asian Nations (ASEAN). While Naikon shares some characteristics with APT30, the two groups do not appear to be exact matches.
Targets
Government · Private sector
Regions
Cambodia · China · India · Indonesia · Laos · Malaysia · Myanmar · Philippines · Saudi Arabia · Singapore · South Korea · Thailand · United States · Vietnam
Capabilities
- Custom malware/implant development — ATT&CK: 8 attributed custom malware families
TTPs — 14 techniques across 5 tactics
Initial Access
- T1566.001 Spearphishing Attachment
Execution
- T1047 Windows Management Instrumentation
- T1053.005 Scheduled Task
- T1204.002 Malicious File
Persistence
- T1137.006 Add-ins
- T1547.001 Registry Run Keys / Startup Folder
Stealth
- T1036.004 Masquerade Task or Service
- T1036.005 Match Legitimate Resource Name or Location
- T1078.002 Domain Accounts
- T1574.001 DLL
Discovery
- T1016 System Network Configuration Discovery
- T1018 Remote System Discovery
- T1046 Network Service Discovery
- T1518.001 Security Software Discovery
Tools & malware (15)
ftp · Net · Ping · netsh · WinMM · Systeminfo · RainyDay · Nebulae · RARSTONE · HDoor · Sys10 · SslMM · PsExec · Tasklist · Aria-body
Reporting (3)
- Project CameraShy: Closing the Aperture on China's Unit 78020 — ThreatConnect Inc. and Defense Group Inc. (2015, September 23)
- The Naikon APT — Baumgartner, K., Golovkin, M.
- The MsnMM Campaigns: The Earliest Naikon APT Campaigns — Baumgartner, K., Golovkin, M.