While China has been known to have state-backed advanced persistent threat (APT) groups for many years, apparently not all of them have been accounted for. One of these cyber espionage teams, given the name “Aoqin Dragon,” has managed to go undetected since at least 2013.
The group is not entirely subtle in its approach, using pornography as a lure to get victims to click on malicious documents. Nevertheless, it has had great success with this approach, usually paired with very quick movement to exploit new vulnerabilities as they are revealed to the public.
Chinese hackers thought to be state-backed, focused on targets and intelligence of interest to the CPC
Part of the APT group’s success is in quick but stealthy exploitation of published vulnerabilities, joining in the general global rush to scan for and hit targets that have not yet patched or remediated the issue. The Chinese hackers have a particular focus on Microsoft Office vulnerabilities that dates back to 2014. Security researchers had spotted the group’s activity before, but never linked those incidents together as the work of one persistent threat group.
The group’s interest is also entirely in cyber espionage rather than for-profit or destructive attacks. Their favorite bait appears to be a mocked-up pornographic newsletter that promises access to escort services. They have also been known to spearphish, however, crafting an official-looking document purporting to be from an organization the target is associated with.
The group’s cyber espionage approach has remained the same from its initial appearances to the present day. It seeks to embed itself in target networks quietly and stay there for a long time, exfiltrating sensitive files and spying on internal communications all the while. The Chinese hackers make use of DNS request trickery and encrypted channels to evade the attention of internal security as they funnel data out of compromised systems.
Cyber espionage campaign centered on specific parts of Asia Pacific
The Chinese hackers seem to be particularly focused on Australia, Cambodia, Hong Kong, Singapore, and Vietnam. The group almost exclusively targets government agencies, universities and telecommunications companies for its cyber espionage campaigns.
It most commonly attacks targets with malicious RTF and PDF files that contain known Microsoft Office exploits used to drop malware on Windows systems when opened. It has also been observed sending fake antivirus executables to its victims. The group may also work in tandem at times with a previously known threat actor called “Naikon” that has also been tied to the Chinese government. The two groups use very similar techniques to avoid automated anti-malware defenses.
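Since the article's described delivery vector is an RTF or PDF attachment that carries a known Office exploit, the cheapest defensive control is to triage inbound RTF attachments for the constructs such documents almost always need: an embedded OLE object, frequently of the "Package" class, and an `\objupdate` verb that asks Word to activate it on open. The following is an added example, not the article's or any vendor's code; the two RTF documents in it are constructed, the `\objdata` hex is placeholder bytes rather than any real payload, and the risk labels are arbitrary. Real malicious RTFs often obfuscate control words and hex streams, so this is a first-pass filter ahead of a full parser such as oletools' rtfobj, not a replacement for one.

```python
import re

# Constructed benign document: plain text, no embedded objects.
BENIGN_RTF = rb"{\rtf1\ansi\deff0{\fonttbl{\f0 Calibri;}}\f0 Quarterly report attached.\par}"

# Constructed suspicious document: an embedded OLE "Package" object with \objupdate.
# The hex below is placeholder content for the example (24 bytes), not a real object stream.
PLACEHOLDER_OBJDATA = b"0105000002000000" + b"5061636b61676500" + b"00" * 8
EMBEDDED_OBJECT_RTF = (
    rb"{\rtf1\ansi\deff0{\object\objemb\objupdate{\*\objclass Package}{\*\objdata "
    + PLACEHOLDER_OBJDATA
    + rb"}}\par}"
)

# Word treats any file beginning with "{\rt" as RTF, so the magic check is deliberately loose.
RTF_MAGIC = re.compile(rb"^\s*\{\\rt")
OBJECT_RE = re.compile(rb"\\object\b")          # start of an embedded/linked object
OBJUPDATE_RE = re.compile(rb"\\objupdate\b")    # object is activated when the document opens
OBJCLASS_RE = re.compile(rb"\\objclass\s+([A-Za-z0-9._]+)")
OBJDATA_RE = re.compile(rb"\\objdata\s*([0-9A-Fa-f\s]+)")


def triage_rtf(data):
    """Summarise the embedded-object constructs in an RTF byte string and assign a coarse risk label."""
    result = {"is_rtf": bool(RTF_MAGIC.match(data)), "objects": 0, "auto_update": False,
              "classes": [], "objdata_bytes": 0, "risk": "low"}
    if not result["is_rtf"]:
        result["risk"] = "not-rtf"
        return result
    result["objects"] = len(OBJECT_RE.findall(data))
    result["auto_update"] = OBJUPDATE_RE.search(data) is not None
    result["classes"] = [c.decode("ascii") for c in OBJCLASS_RE.findall(data)]
    # Size of the embedded object stream(s): strip whitespace from the hex and halve the digit count.
    result["objdata_bytes"] = sum(len(re.sub(rb"\s", b"", h)) // 2 for h in OBJDATA_RE.findall(data))
    if result["objects"] and (result["auto_update"] or "Package" in result["classes"]):
        result["risk"] = "review"      # auto-activating or file-dropping object: hold for analysis
    elif result["objects"]:
        result["risk"] = "has-object"  # embedded objects are legitimate but worth logging
    return result


if __name__ == "__main__":
    for name, doc in (("benign", BENIGN_RTF), ("embedded-object", EMBEDDED_OBJECT_RTF)):
        print(name, triage_rtf(doc))
```

A mail gateway or EDR rule built on this would quarantine "review" documents and log "has-object" ones; the object count and class list are also useful fields to keep in the attachment log for later hunting across the fleet.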
While attributing cyber attacks to a government entity is always a sticky business, security researchers are confident the Chinese hackers have state backing because of the group’s laser focus on cyber espionage and the targets it selects. It does not seem to waste its time with anything that is not of current political interest to the Chinese government.