Cyber Incident Victim: Western Australia Premier's Office

Date: Jan 2020

Location: Australia

Summary

A cyberespionage group linked to China's military, known as Naikon, targeted the Western Australia Premier's Office using a novel malicious tool called Aria-body delivered via a deceptive email impersonating the Indonesian Embassy. The malware enabled remote takeover of compromised systems, allowing attackers to exfiltrate, delete, or create files while conducting extensive data searches and evading detection. Cybersecurity researchers identified this campaign as part of a broader operation against multiple Asia-Pacific governments and state-owned technology entities, demonstrating advanced capabilities to infiltrate high-value targets for intelligence gathering. The tool's sophisticated evasion techniques and intrusive functionalities highlighted the group's ongoing development of offensive cyber infrastructure.

Description

On January 3, 2020, an email originating from the Indonesian Embassy in Australia was sent to a staff member of Western Australia Premier Mark McGowan’s office who handled health and ecological matters. The email contained a Microsoft Word document attachment that appeared legitimate to the recipient, as they recognized the purported sender. This document deployed a previously undetected cyberattack tool named Aria-body, which enabled remote takeover of the compromised computer. Aria-body possessed advanced capabilities including copying, deleting, or creating files; conducting extensive searches of the device’s data; and employing novel evasion techniques to avoid detection by security systems. The attack remained undetected until cybersecurity firm Check Point Software Technologies identified and analyzed the tool months later. Check Point attributed Aria-body to the Naikon hacking group, which has been previously linked to the Chinese military through historical cyberespionage activities. The initial breach targeted the Western Australian Premier’s Office infrastructure, though specific details about data exfiltrated or operational disruptions were not disclosed in available reports.

Check Point’s investigation revealed Naikon had used Aria-body in a broader campaign spanning several months prior to the January attack, targeting government agencies and state-owned technology companies across Indonesia, the Philippines, Vietnam, Myanmar, and Brunei. The cybersecurity firm characterized these operations as part of Naikon’s long-running cyberespionage activities, noting the group consistently updated its tools, built extensive offensive infrastructure, and penetrated multiple Asian and Pacific governments. The attacks highlighted the sophistication of China’s cyberespionage capabilities against regional neighbors, with Aria-body’s intrusive functionalities representing a significant evolution in the group’s tactics. A May 7, 2020 correction clarified that the Australian target was Premier McGowan’s office, not Prime Minister Scott Morrison’s federal office as initially misreported. No specific containment measures or technical responses by the Western Australian government were detailed in the source material, though the disclosure by Check Point enabled broader awareness of the threat actor’s methods and regional targeting patterns.