
Bad actors with suspected ties to China have been behind a wide-ranging cyberespionage campaign targeting military organizations in Southeast Asia for nearly two years, according to new research.

Attributing the attacks to a threat actor dubbed “Naikon APT,” cybersecurity firm Bitdefender laid out the ever-changing tactics, techniques, and procedures adopted by the group, including weaving new backdoors named “Nebulae” and “RainyDay” into their data-stealing missions. The malicious activity is said to have been conducted between June 2019 and March 2021.

“In the beginning of the operation the threat actors used Aria-Body loader and Nebulae as the first stage of the attack,” the researchers said. “Starting with September 2020, the threat actors included the RainyDay backdoor in their toolkit. The purpose of this operation was cyberespionage and data theft.”

Naikon (aka Override Panda, Lotus Panda, or Hellsing) has a track record of targeting government entities in the Asia-Pacific (APAC) region in search of geopolitical intelligence. The group was initially assumed to have gone off the radar after it was first exposed in 2015, but evidence to the contrary emerged last May when the adversary was spotted using a new backdoor called “Aria-Body” to stealthily break into networks and leverage the compromised infrastructure as a command-and-control (C2) server to launch additional attacks against other organizations.
