This Hacker Gang Writes 'Perfect' Social Engineering Emails

The cyberespionage campaign could’ve been prevented with simple fixes like patching outdated software.
Image: Arek Olek/Flickr

Sometimes all a hacker needs, even if she's among the best in the world, is a perfectly crafted email that gets her targets to take the bait and click on a malicious link or file—especially if the victims have not protected themselves properly.

That's how a group of hackers, who are likely linked to the Chinese government, spied on "top-level government agencies and civil and military organizations" in Malaysia, Singapore, and other countries in the South China Sea for at least five years. It's one of the most complex and successful cyberspying operations ever, at least in Asia, according to a new report by Kaspersky Lab.

The hackers, who took advantage of years-old exploits, hacked the victims thanks to "perfect" spear phishing messages, as Kurt Baumgartner, the lead researcher on the report, put it.

Although their technical capabilities aren't as high as those of other groups, the gang known as Naikon is very good at social engineering, and that's pretty much all they need.

"These guys know how to convince people to let them in," Baumgartner told Motherboard. "And they certainly know what to do once they're in."

The secret of their spear phishing emails is that they're written in the language of the targets, and seem to be written by a native speaker, according to Baumgartner (Kaspersky did not publish any examples of the emails). Once the victim opens a fake Microsoft Word document attached to the email, a remote access tool (RAT) is surreptitiously installed on the victim's computer. The RAT is capable of logging keystrokes and exfiltrating all kinds of files and documents.

For example, in the case of an unnamed "Country X"—which Kaspersky declined to name given the sensitive nature of the hack—the hackers hit pretty much every high-level government organization, including the office of the president, the military, the department of justice, and the federal police, among others. Baumgartner said that Country X is not an exception but is rather representative of the majority of the victims, which highlights how effective the Naikon group has been so far.

But their social engineering prowess would've been useless if the victims had taken "simple measures" to protect themselves, Baumgartner said.

Most of the victims, in fact, were hacked because they were using an old, outdated and vulnerable version of Microsoft Word, he said. Many government agencies all over the world are vulnerable to hackers because of their failure to patch their computer systems, as Motherboard reported recently in the case of London's Metropolitan Police, which still relies on 14-year-old Windows XP.

It's unclear exactly who's behind the Naikon group, but given their targets, it's clear that "they're not cybercriminals," Baumgartner said.

Rather, they're "likely" supported by a nation state, and appear to be Chinese-speaking, Baumgartner said, given that they use tools with interfaces in Chinese characters. The researcher declined to clearly point the finger at China, saying he and Kaspersky researchers "provide data that can support attribution, but we don't really do it ourselves."

Some of the activities of the Naikon group had already been exposed. Recently, Kaspersky itself revealed that another hacking group, known as Hellsing, had targeted Naikon in the first known case of state-sponsored hacking groups going after each other. Hellsing, Naikon and another spy group, named APT30 by FireEye, all have the same targets, so "sometimes they step on each other's toes," Baumgartner said.

The success of these groups, especially Naikon, shows that when organizations don't take security seriously, it makes a hacker's life easy.

This story has been edited to clarify that Baumgartner said the Naikon hackers appear to be "Chinese-speaking," not "Chinese."