Cybersecurity Researchers Link Hackers to Chinese Military

A new report by cybersecurity company ThreatConnect and open source intelligence company Defense Group Inc. (DGI) has linked a hacker collective known as "Naikon" with the Chinese military. The "Project CAMERASHY: Closing the Aperture on China's Unit 78020" report documents China's efforts to spy on foreign governments, corporations, and military forces that it sees as threats.

The Naikon Advanced Persistent Threat group is part of China's infamous Unit 78020, which has been linked with a number of different cyberattacks in the past, according to the report. The unit has been operating for almost five years, often targeting U.S. companies and partners through the use of malware attacks, spear phishing, and malicious attachments.

Reliance on E-Mail Attacks

Naikon was first identified in April 2012, when ShadowServer, a volunteer group of professional Internet security workers that gathers, tracks and reports on malware, botnet activity and electronic fraud, identified a then-unnamed group using a combination of spear-phishing lures obtained from the Hardcore Charlie data dump. (Hardcore Charlie, a hacker affiliated with the hacktivist group Anonymous, claimed to have broken into the IT systems of a Chinese military contractor and exposed documents related to the U.S. war effort in Afghanistan.)

The hacker collective gained mainstream awareness in June 2013 when TrendMicro published a detailed analysis of Naikon's Rarstone malware.

"Naikon APT supports Unit 78020's mandate to perform regional computer network operations, signals intelligence, and political analysis of the Southeast Asian border nations, particularly those claiming disputed areas of the energy-rich South China Sea," the report noted. The group appears to be specifically interested in attacking oil and gas infrastructure and companies.

ThreatConnect and DGI said that the Naikon APT relies on e-mail as an attack vector and precise social engineering to identify appropriate targets to get into target networks. Data collection prior to an attack has included...