2020-05-07

On the morning of January 3, an email was sent from the Indonesian Embassy in Australia to a staff member in the office of Prime Minister Scott Morrison who works on health and environmental issues. A Word document was attached that aroused no immediate suspicion, since the intended recipient knew the apparent sender.
The attached file contained a stealthy cyber attack tool called Aria-body, which had never been detected before and had alarming new capabilities. Hackers who used it to remotely control a computer could copy, delete or create files and conduct extensive searches for data on the device, and the tool had new ways of covering its tracks to avoid detection.
Now, a cybersecurity company in Israel has identified Aria-body as a weapon wielded by a group of hackers called Naikon, which has previously been traced back to the Chinese military. And it was used against far more targets than the Australian prime minister's office, according to a report that the company, Check Point Software Technologies, will release on Thursday.
In the preceding months, Naikon also used it to hack government agencies and state-owned technology companies in Indonesia, the Philippines, Vietnam, Myanmar and Brunei, according to Check Point, which said the attacks highlighted the breadth and sophistication of China's use of cyber espionage against its neighbors.
"The Naikon group has been conducting a long-standing operation, during which it has updated its new cyber weapon over and over again, built extensive offensive infrastructure, and worked to penetrate many governments in Asia and the Pacific," said Lotem Finkelstein, head of the cyber threat intelligence group at Check Point.
What made these attacks so alarming, according to Check Point and other Chinese cyber espionage experts, were the intrusive capabilities of Aria-body, the group's new tool.
Aria-body could compromise any computer used to open the file in which it was embedded and make that computer promptly obey the hackers' instructions. That could include establishing a covert, hard-to-detect communication channel through which data on the target computer would flow to the servers used by the attackers.
It could also record what the target user typed, meaning that if the Australian attack had not been detected, the tool would have allowed the intruders to see what a staff member in the prime minister's office was writing, in real time.
The Australian government, which has been engaged in a contentious internal debate over concerns about Chinese interference, did not immediately respond to questions about the report.
"We know that China is probably the single largest source of cyber espionage coming into Australia, by a long way," said Peter Jennings, a former Australian defense official who is the executive director of the Australian Strategic Policy Institute.
Faced with such criticism in recent years, Beijing has argued that it opposes cyber attacks of any kind and that the Chinese government and military are not involved in hacking to steal trade secrets.
China's cyber espionage efforts have shown no sign of slowing globally and may escalate as tensions with Australia, the United States and other countries mount over trade, technology and, more recently, disputes over the coronavirus pandemic. Experts say its goal is to steal large amounts of data from foreign governments and companies.
"This may be different in design, but all of these attacks serve the same purpose," said Matthew Brazil, a former US diplomat and author of a new book on Chinese espionage, referring to Aria-body.
According to Check Point, the hacker using Aria-body was able to take over the computer of an Indonesian diplomat at the embassy in Canberra, the Australian capital. The hacker found a document the diplomat was working on, finished it, and then sent it to the staff member in the prime minister's office with the Aria-body tool embedded.
It was discovered only because of a simple human error.
The hacker who sent the email sent it to the wrong address. When the prime minister's office mail server returned it with a note saying the address could not be found, the bounce raised suspicions that something in the original message was amiss, the authors of the Check Point report wrote. That sparked the investigation that revealed the attempted attack, and the group's new weapon.
The hacking group appeared to operate as part of the military's Second Technical Reconnaissance Bureau, Unit 78020, based primarily in the southern city of Kunming, according to a 2015 report by ThreatConnect. It is said to be responsible for China's cyber operations and technological espionage in Southeast Asia and the South China Sea, where Beijing is embroiled in territorial disputes with its neighbors.
After the 2015 report revealed Naikon's main cyber weapons, the group seemed to disappear. Brazil, the former diplomat, said that China had since reorganized its cyber espionage forces, moving some functions from the People's Liberation Army to the Ministry of State Security, effectively dividing its duties between military intelligence and diplomatic and economic espionage.
The Check Point report suggests that Naikon may have remained active all along, although it is unclear whether it has moved outside the military chain of command.
Since the beginning of 2019, according to the Check Point report, the group has accelerated efforts to expand its online infrastructure. The hacking group has bought server space from Alibaba, the Chinese technology company, and registered domain names with GoDaddy, an American web hosting company.
In one case, Naikon took control of a server belonging to the Philippine Department of Science and Technology and used it to help hide the origin of a Naikon attack, making the attack appear to come from that server.
The group broke into computers by hiding Aria-body in Microsoft Word documents and files installed by Microsoft Office programs. What made it hard to discover was its ability to hide far more effectively than other similar tools.
Aria-body could attach itself to various types of files, like a parasite, so that it had no fixed pattern of movement. Its operators could change parts of its code remotely, so that after attacking one computer, Aria-body would look different when it compromised the next one. Such repeating patterns are often telltale signs for security researchers.
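The article describes Aria-body arriving inside a Word document from a trusted contact, with the payload's changing code defeating signature matching. A defender's counterpart is to triage the attachment itself rather than its hash: a modern .docx is a ZIP container (OOXML), so the usual carriers of an embedded payload can be checked without opening the file in Word. The script below is an added example written for this page, not code from Check Point or from the original article; it assumes the standard OOXML part names (word/vbaProject.bin, word/embeddings/, word/activeX/) and relationship types, and both documents it inspects are constructed in-memory test data, not real samples. It is a hygiene check, not a detection signature for Aria-body.

```python
"""Triage a .docx attachment for macro projects, embedded objects and
external links, using only the standard library.  Added example; the
sample documents are constructed here and are not real malware."""
import io
import re
import zipfile

# Standard OOXML locations for macro code and embedded content (assumption:
# these are generic Word container paths, not anything specific to Aria-body).
MACRO_PART = re.compile(r"^word/vbaProject\.bin$", re.I)
EMBED_PARTS = [re.compile(r"^word/embeddings/", re.I),
               re.compile(r"^word/activeX/", re.I)]
# Relationship-type suffixes worth surfacing from word/_rels/*.rels.
FLAGGED_REL_TYPES = ("/oleObject", "/vbaProject", "/package", "/attachedTemplate")
EXTERNAL_REL = re.compile(r'TargetMode="External"', re.I)


def triage_docx(data: bytes) -> dict:
    """Return findings for one .docx supplied as bytes."""
    findings = {"macros": False, "embedded_objects": [],
                "external_links": [], "rel_types": []}
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for name in zf.namelist():
            if MACRO_PART.match(name):
                findings["macros"] = True
            elif any(p.match(name) for p in EMBED_PARTS):
                findings["embedded_objects"].append(name)
            if name.startswith("word/_rels/") and name.endswith(".rels"):
                rels = zf.read(name).decode("utf-8", errors="replace")
                # One <Relationship .../> element at a time (the root is
                # <Relationships>, which the \b excludes).
                for m in re.finditer(r"<Relationship\b[^>]*>", rels):
                    tag = m.group(0)
                    if EXTERNAL_REL.search(tag):
                        target = re.search(r'Target="([^"]*)"', tag)
                        findings["external_links"].append(
                            target.group(1) if target else "?")
                    for t in FLAGGED_REL_TYPES:
                        if t in tag:
                            findings["rel_types"].append(t.lstrip("/"))
    findings["risky"] = bool(findings["macros"] or findings["embedded_objects"]
                             or findings["external_links"])
    return findings


def build_docx(parts: dict) -> bytes:
    """Build a minimal OOXML zip from {part_name: bytes} (constructed test data)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, content in parts.items():
            zf.writestr(name, content)
    return buf.getvalue()


REL_NS = "http://schemas.openxmlformats.org/officeDocument/2006/relationships"

# Constructed: a plain document with only a styles relationship.
CLEAN_DOC = build_docx({
    "[Content_Types].xml": b"<Types/>",
    "word/document.xml": b"<w:document/>",
    "word/_rels/document.xml.rels": (
        '<Relationships><Relationship Id="rId1" Type="%s/styles" '
        'Target="styles.xml"/></Relationships>' % REL_NS).encode(),
})

# Constructed: a document carrying a VBA project, an embedded OLE object and
# an external template link (the three things the triage should surface).
RISKY_DOC = build_docx({
    "[Content_Types].xml": b"<Types/>",
    "word/document.xml": b"<w:document/>",
    "word/vbaProject.bin": b"constructed-placeholder",
    "word/embeddings/oleObject1.bin": b"\xd0\xcf\x11\xe0constructed-placeholder",
    "word/_rels/document.xml.rels": (
        '<Relationships>'
        '<Relationship Id="rId1" Type="%s/oleObject" Target="embeddings/oleObject1.bin"/>'
        '<Relationship Id="rId2" Type="%s/attachedTemplate" '
        'Target="http://example.invalid/template.dotm" TargetMode="External"/>'
        '</Relationships>' % (REL_NS, REL_NS)).encode(),
})

if __name__ == "__main__":
    for label, doc in (("clean", CLEAN_DOC), ("risky", RISKY_DOC)):
        print(label, triage_docx(doc))
```

A flagged document is not proof of compromise; signed templates and legitimate embedded spreadsheets will trip the same checks. The point is that the check keys on the container structure a payload needs, which does not change when the payload's own bytes are altered between victims.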
"People sometimes cannot see the industrial strength capacity that China has to do this on a global scale," said Jennings, the former Australian defense official. "We are talking about tens of thousands of people operating in its signal intelligence unit and in the Ministry of State Security. China has the ability and long-established intention to do this where it believes it can extract useful information."
Check Point did not disclose all of the targets it said Naikon had infiltrated, but said they included embassies, ministries and state corporations dealing with science and technology.
"Throughout our investigation, we found that the group adjusted its signature weapon to search for specific files by name within the ministries involved," said Mr. Finkelstein, the Check Point expert. "This fact alone strengthens the understanding that there was an important, well-thought-out infrastructure and pre-operation intelligence gathering."
Damien Cave contributed reporting.