GROUPS
  1. Home
  2. Groups
  3. Naikon

Naikon

Naikon is a threat group that has focused on targets around the South China Sea. [1] The group has been attributed to the Chinese People’s Liberation Army’s (PLA) Chengdu Military Region Second Technical Reconnaissance Bureau (Military Unit Cover Designator 78020). [2] While Naikon shares some characteristics with APT30, the two groups do not appear to be exact matches. [3]

ID: G0019
Aliases: Naikon
Version: 1.0

Alias Descriptions

NameDescription
Naikon[1] [2] [3]

Techniques Used

DomainIDNameUse
EnterpriseT1063Security Software DiscoveryNaikon uses commands such as netsh advfirewall firewall to discover local firewall settings.[1]
EnterpriseT1016System Network Configuration DiscoveryNaikon uses commands such as netsh interface show to discover network interface settings.[1]

Software

IDNameTechniques
S0095FTPCommonly Used Port, Exfiltration Over Alternative Protocol
S0061HDoorDisabling Security Tools, Network Service Scanning
S0039NetAccount Discovery, Create Account, Network Share Connection Removal, Network Share Discovery, Password Policy Discovery, Permission Groups Discovery, Remote System Discovery, Service Execution, System Network Connections Discovery, System Service Discovery, System Time Discovery, Windows Admin Shares
S0108netshConnection Proxy, Disabling Security Tools, Netsh Helper DLL, Security Software Discovery
S0097PingRemote System Discovery
S0029PsExecService Execution, Windows Admin Shares
S0055RARSTONEFile and Directory Discovery, Process Injection, Remote File Copy, Standard Application Layer Protocol
S0058SslMMAccess Token Manipulation, Disabling Security Tools, Fallback Channels, Input Capture, Masquerading, Registry Run Keys / Startup Folder, Shortcut Modification, System Information Discovery, System Owner/User Discovery
S0060Sys10Custom Cryptographic Protocol, Permission Groups Discovery, Standard Application Layer Protocol, System Information Discovery, System Network Configuration Discovery, System Owner/User Discovery
S0096SysteminfoSystem Information Discovery
S0057TasklistProcess Discovery, Security Software Discovery, System Service Discovery
S0059WinMMFallback Channels, File and Directory Discovery, Process Discovery, Standard Application Layer Protocol, System Information Discovery, System Owner/User Discovery

References

  1. Baumgartner, K., Golovkin, M.. (2015, May). The MsnMM Campaigns: The Earliest Naikon APT Campaigns. Retrieved December 17, 2015.
  2. ThreatConnect Inc. and Defense Group Inc. (DGI). (2015, September 23). Project CameraShy: Closing the Aperture on China's Unit 78020. Retrieved December 17, 2015.
  1. Baumgartner, K., Golovkin, M.. (2015, May 14). The Naikon APT. Retrieved January 14, 2015.