Chinese spies hop from one hacked government network to another in Asia Pacific, researchers say

The report makes clear that, years after being exposed, Naikon’s hackers are singularly focused on delivering intelligence on China’s regional rivals.
south china sea
A photo of the South China Sea. (Getty)

Nearly five years ago, researchers unmasked a Chinese hacking group, pinpointing the unit of the People’s Liberation Army that was allegedly sponsoring it. The so-called Naikon group was key to China’s spying efforts in the South China Sea, targeting government agencies from the Philippines to Vietnam, said the report from companies ThreatConnect and Defense Group Inc.

Since then, there has been relatively little public documentation of Naikon as other China-linked groups — including one targeted by a U.S. Department of Justice indictment — have taken the limelight.

But on Thursday, analysts with Israeli cybersecurity company Check Point said that Naikon has been far from idle in recent months, trying to hack familiar government organizations in Australia, Indonesia, the Philippines, Vietnam, and other Southeast Asian countries. The espionage campaign, which has also hit state-owned companies in the region, accelerated in the last half of 2019 and into the first quarter of 2020.

Naikon has looked to hop from one compromised government network to another, rummaging around in infected computers for data and exfiltrating it, Check Point said. Taking control of the target government servers and email accounts has given Naikon a “very solid foothold” into the organizations, said Lotem Finkelshtein, threat intelligence group manager at Check Point.


In one case, the hackers breached an email account at an unnamed foreign embassy, and used that account to send a malware-laced document back to the host government. Check Point has informed each of the targeted governments of the hackers’ activity, Finkelshtein said.

Regional emphasis

The report makes clear that, years after being exposed, Naikon’s hackers are singularly focused on delivering intelligence on China’s regional rivals. It’s also an example of the array of hacking teams with regional and technical specialties that are available to the world’s cyber powers, including China, Russia, and the United States.

As China projects military and economic power in a bid for supremacy over the South China Sea, hacking groups such as Naikon have gathered data on regional rivals and allies alike. A Chinese espionage group known as Rancor, for example, has repeatedly tried to hack the Cambodian government, according to cybersecurity company Palo Alto Networks.

The Chinese Embassy in Washington, D.C., did not respond to a request for comment on Check Point’s findings. Beijing has previously denied engaging in offensive cyber-operations.


An Australian government spokesperson said the country’s cybersecurity agency had confirmed that the activity mentioned by Check Point did not affect the prime minister’s office or the federal government. The New York Times reported that the hackers had targeted a regional Australian government.

The governments of Indonesia, the Philippines and Vietnam did not immediately respond to a request for comment on the research. Australia, in particular, has been critical of suspected Chinese hacking operations.

Kurt Baumgartner, principal security researcher at Kaspersky, said Naikon continues to show much of the same “low to mid technical capabilities” that the group had five years ago, when he reported on Naikon. Since then, the group has been using multiple “backdoors,” or malicious code to retain access to a network, Baumgartner said. The Aria backdoor cited by Check Point has been in use since at least 2017, he added.

UPDATE, 9:57 p.m. EDT: This story has been updated with a statement from an Australian government spokesperson.

Sean Lyngaas

Written by Sean Lyngaas

Sean Lyngaas is CyberScoop’s Senior Reporter covering the Department of Homeland Security and Congress. He was previously a freelance journalist in West Africa, where he covered everything from a presidential election in Ghana to military mutinies in Ivory Coast for The New York Times. Lyngaas’ reporting also has appeared in The Washington Post, The Economist and the BBC, among other outlets. His investigation of cybersecurity issues in the nuclear sector, backed by a grant from the Pulitzer Center on Crisis Reporting, won plaudits from industrial security experts. He was previously a reporter with Federal Computer Week and, before that, with Smart Grid Today. Sean earned a B.A. in public policy from Duke University and an M.A. in International Relations from The Fletcher School of Law and Diplomacy at Tufts University.

Latest Podcasts