Alan W. Dowd is a Senior Fellow with the American Security Council Foundation, where he writes on the full range of topics relating to national defense, foreign policy and international security. Dowd’s commentaries and essays have appeared in Policy Review, Parameters, Military Officer, The American Legion Magazine, The Journal of Diplomacy and International Relations, The Claremont Review of Books, World Politics Review, The Wall Street Journal Europe, The Jerusalem Post, The Financial Times Deutschland, The Washington Times, The Baltimore Sun, The Washington Examiner, The Detroit News, The Sacramento Bee, The Vancouver Sun, The National Post, The Landing Zone, Current, The World & I, The American Enterprise, Fraser Forum, American Outlook, The American and the online editions of Weekly Standard, National Review and American Interest. Beyond his work in opinion journalism, Dowd has served as an adjunct professor and university lecturer; congressional aide; and administrator, researcher and writer at leading think tanks, including the Hudson Institute, Sagamore Institute and Fraser Institute. An award-winning writer, Dowd has been interviewed by Fox News Channel, Cox News Service, The Washington Times, The National Post, the Australian Broadcasting Corporation and numerous radio programs across North America. In addition, his work has been quoted by and/or reprinted in The Guardian, CBS News, BBC News and the Council on Foreign Relations. Dowd holds degrees from Butler University and Indiana University. Follow him at twitter.com/alanwdowd.

ASCF News

Scott Tilley is a Senior Fellow at the American Security Council Foundation, where he writes the “Technical Power” column, focusing on the societal and national security implications of advanced technology in cybersecurity, space, and foreign relations.

He is an emeritus professor at the Florida Institute of Technology. Previously, he was with the University of California, Riverside, Carnegie Mellon University’s Software Engineering Institute, and IBM. His research and teaching were in the areas of computer science, software & systems engineering, educational technology, the design of communication, and business information systems.

He is president and founder of the Center for Technology & Society, president and co-founder of Big Data Florida, past president of INCOSE Space Coast, and a Space Coast Writers’ Guild Fellow.

He has authored over 150 academic papers and has published 28 books (technical and non-technical), most recently Systems Analysis & Design (Cengage, 2020), SPACE (Anthology Alliance, 2019), and Technical Justice (CTS Press, 2019). He wrote the “Technology Today” column for FLORIDA TODAY from 2010 to 2018.

He is a popular public speaker, having delivered numerous keynote presentations and “Tech Talks” for a general audience. Recent examples include the role of big data in the space program, a four-part series on machine learning, and a four-part series on fake news.

He holds a Ph.D. in computer science from the University of Victoria (1995).

Contact him at stilley@cts.today.

Chinese Military Cyber Spies Just Caught Crossing A ‘Very Dangerous’ New Line

Thursday, May 7, 2020

Categories: ASCF News Emerging Threats Cyber Security

Comments: 0

“This is the most extensive operation we have ever reported by a Chinese APT group,” the cyber researchers at Check Point told me, warning just how “targeted and sophisticated” this five-year campaign had been. Multiple overseas governments have been compromised by this threat group’s cyber weapons, and those government systems have been used to attack other countries.

The military espionage group’s tactics, described by Check Point as “very dangerous,” involved hijacking diplomatic communication channels to target specific computers in particular ministries. The malware-laced communications might be sent from an overseas embassy to ministries in its home country, or to government entities in its host country. “The group has introduced a new cyber weapon crafted to gather intelligence on a wide scale, but also to follow intelligence officers directives to look for a specific filename on a specific machine.”

Meet Naikon, a cyber reconnaissance unit with links to the People’s Liberation Army, outed in a ThreatConnect and Defense Group Inc. report in 2015. Back then, the group’s operations were described as “regional computer network operations, signals intelligence, and political analysis of the Southeast Asian border nations, particularly those claiming disputed areas of the energy-rich South China Sea.”

And while Naikon has been seemingly quiet since then, nothing has changed. Check Point told me that it has actually been “penetrating diplomats’ PCs and taking over ministerial servers—making the group very successful in gathering intelligence from high-profile personnel and able to control critical assets.” The regional focus is the same. During those five-years, Naikon’s cyber weapons have targeted Australia, Indonesia, the Philippines, Vietnam, Thailand, Myanmar and Brunei.

Naikon’s stepping-stone approach, compromising one government to reach others, paints a clear picture of its sophistication here—this is beyond obfuscated false-flag operations. Check Point’s own investigation was triggered when “we observed a malicious email sent from a government embassy in APAC to the Australian government.” That RTF document was infected with ‘RoyalRoad’ malware, coded to drop files onto the infected computer which would then download others.

Check Point reported on this same exploit approach, also attributed to a Chinese APT, back in March—a number of documents disguised as coronavirus health warnings, purporting to come from the Mongolian government and targeting other public sector organizations inside the country. That exploit may have been similar, but the level of tradecraft was nowhere close to Naikon’s campaign.

“This is very sophisticated,” Check Point warns. “We saw [Naikon] spreading their malware through diplomatic emails between embassies and foreign governments to avoid detection of their communication with external, potentially malicious servers. They even took control of ministerial servers and turned them to their own.”

The ability to target a weapon at specific files on a specific individual’s machine in a specific government ministry can be a collection or deletion tool. “This is usually associated with nation states that want to rewind faulty actions and remove traces,” Check Point explains. And given the highly charged regional politics with China’s constant battle for influence and defensive superiority, playing neighbours with a mix of belt and road carrot and militaristic stick, this is notable.

“Check Point researchers have now blown Naikon’s cover,” the firm has said, “confirming that the group has not only been active for the past five years, but has also accelerated its cyber espionage activities. Naikon’s primary method of attack is to infiltrate a government body, then use that body’s contacts, documents and data to launch attacks on others, exploiting the trust and diplomatic relations between departments and governments to increase the chances of its attack succeeding.”

The campaign discovered by Check Point includes the sophisticated cyber weapon able to compromise government systems, but also an extensive intelligence operation that determined targets and crafted the lures that baited emails being sent from one government entity to another. Sitting inside the trusted ecosystem, those emails would slip the security nets. The crafted subject matters then had specifically targeted individuals in mind. “In one example, a server used in attacks belonged to the Philippine Government’s Department of Science and Technology.”

At the heart of Naikon’s campaign was the “Aria-body” loader, a malware dating back to 2017 that is designed to open a backdoor to the APT’s command and control servers. Once executed, the loader establishes itself in the startup folder or registry of the infected machine, and then downloads a more malicious remote access trojan (RAT) from its external server, before decrypting and installing it on the machine.

The Arian-body RAT can be instructed to create or delete files or entire directories, take screenshots, search across files and gather metadata, and even log locations and keystrokes. “Its purpose,” Check Point says, “is to gather intelligence and spy on the countries whose governments it has targeted. This includes locating and collecting specific documents from infected computers and networks, but also extracting data removable drives, and taking screenshots and keylogging.”

Check Point attributed the campaign to Naikon based on similarities between the code in these exploits and those reported back in 2015. “We’ve published this research as a warning and resource for any government entity to better spot Naikon’s or other hacker group’s activities,” the firm’s Lotem Finkelsteen said on publishing his team’s findings.

Source: Getty

Link: https://www.forbes.com/sites/zakdoffman/2020/05/07/chinese-military-cyber-spies-just-caught-crossing-a-very-dangerous-new-line/#2aa82b2ab3a9

Comments RSS feed for comments on this page

There are no comments yet. Be the first to add a comment by using the form below.

Search