China’s “Aoqin Dragon” gang has been on a decade-long spy campaign

Sentinel Labs threat researcher Joey Chen says he’s spotted a decade of cyberattacks that he’s happy to attribute to a single Chinese gang.

Chen has named the group Aoqin Dragon, says its focus is espionage and it prefers targets in Australia, Cambodia, Hong Kong, Singapore and Vietnam.

The gang likes attacks that start by tricking users into opening poisoned Word documents that install a backdoor – often a threat named Mongall or a modified version of the Heyoka open source project.

The group’s lures have changed over the years. Sometimes its decoys are documents on regional political topics, while on other occasions the gang has used pornographic content as a decoy.

The initial incursion sometimes installs a fake removable device which, when clicked, installs malware. Fake antivirus apps are another tool deployed by the group.

After the gang compromises a machine, it seeks access to the wider network so it can find juicy information.

Chen wrote that he saw Aoqin Dragon targeting “government, education, and telecommunication organizations.”

“Targeting Aoqin Dragon closely aligns with the political interests of the Chinese government,” he wrote, adding, “Given this long-term effort and the continued targeted attacks over the past few years, we believe that the threat actor’s motivations are focused on espionage”.

China is often credibly accused of using improper means to acquire secrets from the private sector and government organizations. Chen thinks Aoqin Dragon will continue its work. “We believe it is likely that they will also continue to advance their craft, find new methods to evade detection, and stay longer in their target network,” he wrote.

News of the group’s activities follows three US government agencies – the NSA, FBI and CISA – jointly announcing that Chinese-backed actors are attacking routers and network storage devices to exfiltrate data from carriers and service providers.

The three agencies said the attacks target devices whose owners failed to fix flaws identified between 2017 and 2021. Aoqin Dragon’s method of using malicious Microsoft Word documents likewise relies on users not doing what is needed to fix or upgrade their applications to safe editions. ®