In a detailed blog post, Check Point researchers said Naikon's method of operation was to first infect a government institution, and then use the contacts it found there to infect others. A new backdoor named Aria-body was used to take control of victims' networks.
This backdoor is spread through infected Microsoft Word documents.
Naikon's infrastructure and one of its members were exposed by ThreatConnect and Defense Group in 2015. Thereafter, there was no report of activity by the group.
Within these countries, Naikon targeted the ministries of foreign affairs and science and technology plus public-sector companies, expanding its foothold by using one infected site as a staging post.
"In one case, a foreign embassy unknowingly sent malware-infected documents to the government of its host country, showing how the hackers are exploiting trusted, known contacts and using those to infiltrate new organisations and extend their espionage network," Check Point claimed.
Another characteristic of Naikon was to use compromised servers as command-and-control centres to collect, relay and route stolen information.
The first infection observed by Check Point was through an email sent from a government embassy in the APAC region to an Australian state government, with the subject line The Indians Way.doc. This file was in the RTF format and was built with an exploit builder known as RoyalRoad.
Another method of infection used by Naikon was archive files that carried a legitimate executable file alongside a malicious DLL, taking advantage of the way executables like Outlook and Avast Proxy load DLLs to get the malicious file loaded.
A third method was to send an executable file directly, which was used as a loader.
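As an added example that is not from the Check Point report or this article, the following Python triage helper flags archives whose layout matches the second delivery method described above: an executable packaged beside a DLL that it may load. The archive, its file names and contents are constructed for the demonstration; a hit only means the archive deserves analyst review, not that it is malicious.

```python
# Added example (not from Check Point or the article): flag archives that
# package an EXE next to a DLL in the same directory, the staging layout the
# article describes for Naikon's archive-based delivery.
import io
import zipfile

EXEC_EXT = (".exe",)
LIB_EXT = (".dll",)


def sideload_candidates(archive_bytes: bytes) -> list:
    """Return (exe, [dlls]) pairs found in the same directory of a ZIP archive."""
    with zipfile.ZipFile(io.BytesIO(archive_bytes)) as zf:
        # Skip directory entries; keep file paths only.
        names = [n for n in zf.namelist() if not n.endswith("/")]
    by_dir: dict = {}
    for name in names:
        folder, _, base = name.rpartition("/")
        by_dir.setdefault(folder, []).append(base)
    hits = []
    for folder, files in by_dir.items():
        exes = [f for f in files if f.lower().endswith(EXEC_EXT)]
        dlls = [f for f in files if f.lower().endswith(LIB_EXT)]
        if not dlls:
            continue
        prefix = f"{folder}/" if folder else ""
        for exe in exes:
            hits.append((prefix + exe, sorted(prefix + d for d in dlls)))
    return hits


def build_sample(with_dll: bool = True) -> bytes:
    """Constructed sample archive: an EXE beside a DLL (optional) plus a benign text file."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("invite/Viewer.exe", b"MZ-placeholder")  # constructed, not a real binary
        if with_dll:
            zf.writestr("invite/helper.dll", b"MZ-placeholder")
        zf.writestr("readme.txt", b"constructed sample")
    return buf.getvalue()


if __name__ == "__main__":
    for exe, dlls in sideload_candidates(build_sample()):
        print(f"review: {exe} packaged with {', '.join(dlls)}")
```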
Naikon used GoDaddy as a hosting service for its C2 servers and Alibaba for hosting the infrastructure, Check Point claimed.
Previous investigations by Russian company Kaspersky were used to identify Naikon, Check Point said.