Naikon is a threat group that has focused on targets around the South China Sea. The group has been attributed to the Chinese People’s Liberation Army’s (PLA) Chengdu Military Region Second Technical Reconnaissance Bureau(Military Unit Cover Designator 78020). While Naikon shares some characteristics with APT30, the two groups do not appear to be exact matches.
Disclaimer: We present this mapping to stimulate thinking about active defense options to combat this adversary, not to present all possibilities. We invite you to use this as a guide and add your own use cases for applying Shield techniques to counter each adversary action.
Note: All ATT&CK Group sub-technique mappings have been remapped to their parent technique and were derived from Group Technique mappings in ATT&CK v8.
|ATT&CK Technique||Opportunity Space||AD Technique||Use Case|
|T1016 - System Network Configuration Discovery||There is an opportunity to influence an adversary to move toward systems you want them to engage with.||DTE0011 - Decoy Content||A defender can create breadcrumbs or honeytokens to lure the attackers toward the decoy systems or network services.|
|T1137 - Office Application Startup||There is an opportunity to create a detection with a moderately high probability of success.||DTE0034 - System Activity Monitoring||A defender can collect system process information and look for abnormal activity tied to Office processes.|
|T1204 - User Execution||There is an opportunity to study the adversary and collect first-hand observations about them and their tools.||DTE0018 - Detonate Malware||A defender can execute adversary malware on a decoy system and examine its behaviors or potentially engage with the adversary to obtain further intelligence.|
|T1518 - Software Discovery||There is an opportunity to provide a variety of applications to an adversary to see what things an adversary prefers or to influence their operations.||DTE0004 - Application Diversity||A defender can install an array of various software packages on a system to make it look used and populated. This will give an adversary a collection of software to interact with and possibly expose additional techniques.|
|T1566 - Phishing||A phishing email can be detected and blocked from arriving at the intended recipient.||DTE0019 - Email Manipulation||A defender can intercept emails that are detected as suspicious or malicious by email detection tools and prevent deliver to the intended target.|
|T1566 - Phishing||A phishing email can be detected and moved from the intended recipient to a decoy account for reading and execution.||DTE0023 - Migrate Attack Vector||A defender can move suspicious emails to a decoy system prior to opening and examining the email.|
|T1566 - Phishing||Users trained and encouraged to report phishing can detect attacks that other defenses do not.||DTE0035 - User Training||A program to train and exercise the anti-phishing skills of users can create "Human Sensors" that help detect phishing attacks.|
|T1566 - Phishing||There is an opportunity to discover who or what is being targeting by an adversary.||DTE0015 - Decoy Persona||A defender can seed information about the decoy persona's personal accounts on systems to see if the adversary collects and uses that information in future activity.|
|T1574 - Hijack Execution Flow||There is an opportunity to use security controls to stop or allow an adversary's activity.||DTE0032 - Security Controls||A defender can block execution of untrusted software.|