Suspected Chinese hackers are breaking into nearby military targets

The suspected PLA hackers are back in action.
The Chinese flag flaps in the wind in Shanghai, China. (Lucas Schifres/Pictobank)

Chinese hackers with suspected ties to the People’s Liberation Army have been hacking into military and government organizations in Southeast Asia over the course of the last two years, according to Bitdefender research published Wednesday.

The Chinese hackers, known as the Naikon group, have been conducting espionage against the organizations and stealing data from the victims since at least June of 2019, the researchers said in a blog post on the campaign. Bitdefender does not identify victims by name in its report.

It’s just the latest evidence security researchers have gathered in the last several years that Naikon, which was first exposed in 2015, is still actively conducting espionage years later. Just last year Check Point revealed the suspected Chinese hackers were running a hacking campaign targeting government entities in Australia, Indonesia, the Philippines and Vietnam.

Researchers have previously tied the Naikon hackers to China’s PLA, which is host to several hacking teams, according to the U.S. Department of Justice. Naikon has been bent on conducting espionage against regional countries, and in particular has focused on military, economic, diplomatic and government targets, according to security researchers.


In this most recent campaign, which Bitdefender says was active as recently as March of this year, the attackers used a technique known as sideloading, in which applications are installed without going through official application stores.

The Naikon hackers have specifically been relying on vulnerabilities with software including Outlook Item Finder, McAfee’s VirusScan On-Demand Scan Task Properties, Sandboxie COM Services and others to mask their malicious hacking techniques, according to Bitdefender.

The hackers used a backdoor, called RainyDay, to move around in compromised systems, retain access to them and upload files to Dropbox. To dupe victims, the tool masqueraded as a Chrome process, Bitdefender researchers said.

They also tapped into a new backdoor, called Nebulae, which allowed them to gather system information, manipulate files and download and upload files from the command-and-control server. Bitdefender said it suspects the Nebulae backdoor helps the Chinese hackers maintain persistence if the other portion of the campaign is uncovered.

In at least one case, the hackers also used a credential harvesting tool, the researchers said.

Shannon Vavra

Written by Shannon Vavra

Shannon Vavra covers the NSA, Cyber Command, espionage, and cyber-operations for CyberScoop. She previously worked at Axios as a news reporter, covering breaking political news, foreign policy, and cybersecurity. She has appeared on live national television and radio to discuss her reporting, including on MSNBC, Fox News, Fox Business, CBS, Al Jazeera, NPR, WTOP, as well as on podcasts including Motherboard’s CYBER and The CyberWire’s Caveat. Shannon hails from Chicago and received her bachelor’s degree from Tufts University.

Latest Podcasts