Check Point Research said in a report last Thursday that the cyber espionage operation has been going on under the radar for years and is connected to the Naikon advanced persistent threat (APT) group, which cybersecurity firms like Kaspersky, ThreatConnect and Defense Group exposed in 2015 as having links to China.
The group's goal is to gather geopolitical intelligence from government entities in Vietnam, Australia, Indonesia, Thailand, Myanmar, Brunei, and the Philippines. Its specific targets are ministries of foreign affairs and of science and technology, as well as government-owned companies.
For instance, the group disguised one of its attacks as an email sent from a government embassy in Asia Pacific to the Australian government. Inside the malicious email was a file called "The Indians Way.doc" containing the backdoor Trojan, Aria-body.
Check Point said the Trojan can "not only locate and collect specific documents from infected computers and networks in government departments, but also extract data from removable drives, take screenshots and log keys, and of course harvest the stolen data for espionage."
Vietnamese cybersecurity company VSEC said Naikon still uses the popular attack method of sending a decoy email with a malicious file. When the victim opens the email, the computer automatically installs the malware, helping hackers collect information, steal sensitive documents and attack other computers in the same system and elsewhere.
Naikon also turns victims' malware-infected devices and servers into command-and-control (C2) servers to launch new attacks targeting other government agencies.
Truong Duc Luong, a VSEC cybersecurity expert, said Naikon's return represents new threats to cybersecurity since it has likely silently studied and developed new, sophisticated and more dangerous attacks during the last five years when it was absent.
In the past, the hacker group APT30 also used malicious software to access computers "containing important political, economic and military intelligence" in Asia, mainly Vietnam, Thailand, South Korea, Malaysia, and India. The espionage campaign lasted 10 years before being discovered by security company FireEye in 2015.
The Department of Information Security said that in the first four months of this year it recorded a total of 1,056 cyberattacks on Vietnam, a 51.4 percent year-on-year drop.