Chinese ‘Aoqin Dragon’ gang wages ten-year spy spree • The Register

Sentinel Labs threat researcher Joey Chen says he has uncovered a decade's worth of cyberattacks that he attributes to a single Chinese gang.

Chen has dubbed the group Aoqin Dragon, saying its goal is espionage and that it favors targets in Australia, Cambodia, Hong Kong, Singapore and Vietnam.

The gang favors attacks that start by tricking users into opening poisoned Word documents that install a backdoor, often a piece of malware called Mongall or a modified version of the open-source Heyoka project.

The group’s lures have changed over the years. Sometimes the lures are documents related to regional political issues, while on other occasions the gang has used pornographic content as bait.

The initial break-in sometimes plants a shortcut disguised as a removable disk that, when clicked, runs the malware. Fake antivirus apps are another tool used by the group.

Once the gang has compromised a machine, it looks for broader network access so it can find valuable information.

Chen wrote that he saw Aoqin Dragon attack “government, education and telecommunications organizations.”

“The targeting of Aoqin Dragon is closely aligned with the Chinese government’s political interests,” he wrote, adding, “Given these long-term efforts and the continuous targeted attacks over the past few years, we judge the attacker’s motives to be espionage-oriented.”

China is often credibly accused of using underhand means to obtain secrets from the private sector and government organizations. Chen believes that Aoqin Dragon will continue its work. “We anticipate that they will likely continue to advance their craft, find new methods to evade detection, and remain in their target network longer,” he wrote.

News of the group’s activities follows three US government agencies — the NSA, the FBI, and CISA — jointly announcing that Chinese-backed actors are attacking routers and network-attached storage devices to exfiltrate data from carriers and network service providers.

The three agencies said the attacks are targeting devices whose owners have not patched bugs disclosed between 2017 and 2021. Aoqin Dragon’s method of using malicious Microsoft Word documents likewise relies on users doing the wrong thing: failing to patch their apps or to update to safe editions. ®
