Naikon

Naikon is a threat group that has focused on targets around the South China Sea. [1] The group has been attributed to the Chinese People’s Liberation Army’s (PLA) Chengdu Military Region Second Technical Reconnaissance Bureau (Military Unit Cover Designator 78020). [2] While Naikon shares some characteristics with APT30, the two groups do not appear to be exact matches. [3]

ID: G0019
Version: 1.0

Techniques Used

| Domain | ID | Name | Use |
|---|---|---|---|
| Enterprise | T1063 | Security Software Discovery | Naikon uses commands such as netsh advfirewall firewall to discover local firewall settings. [1] |
| Enterprise | T1016 | System Network Configuration Discovery | Naikon uses commands such as netsh interface show to discover network interface settings. [1] |

Software

| ID | Name | References | Techniques |
|---|---|---|---|
| S0095 | FTP | [1] | Commonly Used Port, Exfiltration Over Alternative Protocol |
| S0061 | HDoor | [1] | Disabling Security Tools, Network Service Scanning |
| S0039 | Net | [1] | Account Discovery, Create Account, Network Share Connection Removal, Network Share Discovery, Password Policy Discovery, Permission Groups Discovery, Remote System Discovery, Service Execution, System Network Connections Discovery, System Service Discovery, System Time Discovery, Windows Admin Shares |
| S0108 | netsh | [1] | Connection Proxy, Disabling Security Tools, Netsh Helper DLL, Security Software Discovery |
| S0097 | Ping | [1] | Remote System Discovery |
| S0029 | PsExec | [1] | Service Execution, Windows Admin Shares |
| S0055 | RARSTONE | [1], [2] | File and Directory Discovery, Process Injection, Remote File Copy, Standard Application Layer Protocol |
| S0058 | SslMM | [1], [2] | Access Token Manipulation, Disabling Security Tools, Fallback Channels, Input Capture, Masquerading, Registry Run Keys / Startup Folder, Shortcut Modification, System Information Discovery, System Owner/User Discovery |
| S0060 | Sys10 | [1] | Custom Cryptographic Protocol, Permission Groups Discovery, Standard Application Layer Protocol, System Information Discovery, System Network Configuration Discovery, System Owner/User Discovery |
| S0096 | Systeminfo | [1] | System Information Discovery |
| S0057 | Tasklist | [1] | Process Discovery, Security Software Discovery, System Service Discovery |
| S0059 | WinMM | [1], [2] | Fallback Channels, File and Directory Discovery, Process Discovery, Standard Application Layer Protocol, System Information Discovery, System Owner/User Discovery |

References