Skip to content

G0019 Naikon

Naikon is assessed to be a state-sponsored cyber espionage group attributed to the Chinese People’s Liberation Army’s (PLA) Chengdu Military Region Second Technical Reconnaissance Bureau (Military Unit Cover Designator 78020).1 Active since at least 2010, Naikon has primarily conducted operations against government, military, and civil organizations in Southeast Asia, as well as against international bodies such as the United Nations Development Programme (UNDP) and the Association of Southeast Asian Nations (ASEAN).12

While Naikon shares some characteristics with APT30, the two groups do not appear to be exact matches.3

Item Value
ID G0019
Associated Names
Version 2.0
Created 31 May 2017
Last Modified 19 August 2021
Navigation Layer View In ATT&CK® Navigator

Techniques Used

Domain ID Name Use
enterprise T1547 Boot or Logon Autostart Execution -
enterprise T1547.001 Registry Run Keys / Startup Folder Naikon has modified a victim’s Windows Run registry to establish persistence.4
enterprise T1574 Hijack Execution Flow -
enterprise T1574.002 DLL Side-Loading Naikon has used DLL side-loading to load malicious DLL’s into legitimate executables.5
enterprise T1036 Masquerading -
enterprise T1036.004 Masquerade Task or Service Naikon renamed a malicious service taskmgr to appear to be a legitimate version of Task Manager.4
enterprise T1036.005 Match Legitimate Name or Location Naikon has disguised malicious programs as Google Chrome, Adobe, and VMware executables.4
enterprise T1046 Network Service Discovery Naikon has used the LadonGo scanner to scan target networks.4
enterprise T1137 Office Application Startup -
enterprise T1137.006 Add-ins Naikon has used the RoyalRoad exploit builder to drop a second stage loader, intel.wll, into the Word Startup folder on the compromised host.5
enterprise T1566 Phishing -
enterprise T1566.001 Spearphishing Attachment Naikon has used malicious e-mail attachments to deliver malware.5
enterprise T1018 Remote System Discovery Naikon has used a netbios scanner for remote machine identification.4
enterprise T1053 Scheduled Task/Job -
enterprise T1053.005 Scheduled Task Naikon has used schtasks.exe for lateral movement in compromised networks.4
enterprise T1518 Software Discovery -
enterprise T1518.001 Security Software Discovery Naikon uses commands such as netsh advfirewall firewall to discover local firewall settings.2
enterprise T1016 System Network Configuration Discovery Naikon uses commands such as netsh interface show to discover network interface settings.2
enterprise T1204 User Execution -
enterprise T1204.002 Malicious File Naikon has convinced victims to open malicious attachments to execute malware.5
enterprise T1078 Valid Accounts -
enterprise T1078.002 Domain Accounts Naikon has used administrator credentials for lateral movement in compromised networks.4
enterprise T1047 Windows Management Instrumentation Naikon has used WMIC.exe for lateral movement.4

Software

ID Name References Techniques
S0456 Aria-body 54 Create Process with Token:Access Token Manipulation Token Impersonation/Theft:Access Token Manipulation Web Protocols:Application Layer Protocol Application Window Discovery Archive Collected Data Registry Run Keys / Startup Folder:Boot or Logon Autostart Execution Data from Removable Media Deobfuscate/Decode Files or Information Domain Generation Algorithms:Dynamic Resolution File and Directory Discovery File Deletion:Indicator Removal Ingress Tool Transfer Native API Non-Application Layer Protocol Obfuscated Files or Information Process Discovery Dynamic-link Library Injection:Process Injection Proxy Screen Capture System Information Discovery System Network Configuration Discovery System Network Connections Discovery System Owner/User Discovery
S0095 ftp 2 Exfiltration Over Unencrypted Non-C2 Protocol:Exfiltration Over Alternative Protocol Ingress Tool Transfer Lateral Tool Transfer
S0061 HDoor 2 Disable or Modify Tools:Impair Defenses Network Service Discovery
S0630 Nebulae 4 Registry Run Keys / Startup Folder:Boot or Logon Autostart Execution Windows Command Shell:Command and Scripting Interpreter Windows Service:Create or Modify System Process Data from Local System Symmetric Cryptography:Encrypted Channel File and Directory Discovery DLL Side-Loading:Hijack Execution Flow File Deletion:Indicator Removal Ingress Tool Transfer Masquerade Task or Service:Masquerading Match Legitimate Name or Location:Masquerading Native API Non-Application Layer Protocol Process Discovery System Information Discovery
S0039 Net 24 Domain Account:Account Discovery Local Account:Account Discovery Local Account:Create Account Domain Account:Create Account Network Share Connection Removal:Indicator Removal Network Share Discovery Password Policy Discovery Local Groups:Permission Groups Discovery Domain Groups:Permission Groups Discovery SMB/Windows Admin Shares:Remote Services Remote System Discovery System Network Connections Discovery System Service Discovery Service Execution:System Services System Time Discovery
S0108 netsh 2 Netsh Helper DLL:Event Triggered Execution Disable or Modify System Firewall:Impair Defenses Proxy Security Software Discovery:Software Discovery
S0097 Ping 24 Remote System Discovery
S0029 PsExec 2 Domain Account:Create Account Windows Service:Create or Modify System Process Lateral Tool Transfer SMB/Windows Admin Shares:Remote Services Service Execution:System Services
S0629 RainyDay 4 Web Protocols:Application Layer Protocol Windows Command Shell:Command and Scripting Interpreter Windows Service:Create or Modify System Process Credentials from Web Browsers:Credentials from Password Stores Windows Credential Manager:Credentials from Password Stores Data from Local System Local Data Staging:Data Staged Deobfuscate/Decode Files or Information Symmetric Cryptography:Encrypted Channel Exfiltration to Cloud Storage:Exfiltration Over Web Service Fallback Channels File and Directory Discovery DLL Side-Loading:Hijack Execution Flow File Deletion:Indicator Removal Ingress Tool Transfer Match Legitimate Name or Location:Masquerading Masquerade Task or Service:Masquerading Native API Non-Application Layer Protocol Obfuscated Files or Information Process Discovery Proxy Scheduled Task:Scheduled Task/Job Screen Capture System Service Discovery
S0055 RARSTONE 21 File and Directory Discovery Ingress Tool Transfer Non-Application Layer Protocol Dynamic-link Library Injection:Process Injection
S0058 SslMM 21 Access Token Manipulation Registry Run Keys / Startup Folder:Boot or Logon Autostart Execution Shortcut Modification:Boot or Logon Autostart Execution Fallback Channels Disable or Modify Tools:Impair Defenses Keylogging:Input Capture Match Legitimate Name or Location:Masquerading System Information Discovery System Owner/User Discovery
S0060 Sys10 2 Web Protocols:Application Layer Protocol Symmetric Cryptography:Encrypted Channel Local Groups:Permission Groups Discovery System Information Discovery System Network Configuration Discovery System Owner/User Discovery
S0096 Systeminfo 2 System Information Discovery
S0057 Tasklist 2 Process Discovery Security Software Discovery:Software Discovery System Service Discovery
S0059 WinMM 21 Web Protocols:Application Layer Protocol Fallback Channels File and Directory Discovery Process Discovery System Information Discovery System Owner/User Discovery

References

  1. ThreatConnect Inc. and Defense Group Inc. (DGI). (2015, September 23). Project CameraShy: Closing the Aperture on China’s Unit 78020. Retrieved December 17, 2015. 

  2. Baumgartner, K., Golovkin, M.. (2015, May). The MsnMM Campaigns: The Earliest Naikon APT Campaigns. Retrieved April 10, 2019. 

  3. Baumgartner, K., Golovkin, M.. (2015, May 14). The Naikon APT. Retrieved January 14, 2015. 

  4. Vrabie, V. (2021, April 23). NAIKON – Traces from a Military Cyber-Espionage Operation. Retrieved June 29, 2021. 

  5. CheckPoint. (2020, May 7). Naikon APT: Cyber Espionage Reloaded. Retrieved May 26, 2020.