A new advanced persistent threat (APT) group linked to China has been discovered by SentinelLabs, but only after conducting cyber espionage campaigns under the radar since 2013. The Chinese hackers have been given the name “Aoqin Dragon,” appear to specialize in targeting the Asia Pacific region and likes to lure victims with malicious documents that appear to be salacious ads for pornography sites.
Stealthy Chinese hackers focused on Australia and Southeast Asia
The cyber espionage group is thought to have been in action since at least 2013, with a heavy focus on certain APAC countries and regions: Australia, Cambodia, Hong Kong, Singapore, and Vietnam. The group also focuses in on government agencies, educational institutions and telecommunications firms, and appears to target individuals involved in political affairs.
The group’s favorite approach is a fairly simple one, and has remained consistent over the years: get the victim to open malicious documents, such as PDF and RTF files. Since 2018 the group has also been observed utilizing fake removable devices via bogus shortcut files delivered to victims using Windows computers; when targets attempt to open the fake device in Windows Explorer, the Evernote Tray Application is hijacked to load a malicious DLL that quietly creates a backdoor for the attackers. The group has also been observed using fake antivirus executables.
The Chinese hackers have shown some connections to another threat group, referred to as “UNC94” (or “Naikon”) by Mandiant, that has been tracked for some years now and has also shown links to the Chinese government in its operations. Both groups employ advanced tactics, such as DNS tunneling and the use of Themida-packed files to create a virtual machine that can evade most malware detection.
The link to the Chinese government is based primarily on the group’s use of Chinese language in its malware and the targets of its cyber espionage, which are almost always of clear political interest to the CCP. The group is also not noted for engaging in the for-profit activities or target selection that would be expected of a criminal outfit.
Cyber espionage targets, tools and tactics point to low-key Chinese government operation
The Chinese hackers also have a predilection for using published vulnerabilities, something that may have aided in staying hidden from security researchers for so long despite the scope and length of their cyber espionage activities.
In the first few years of its operation, the cyber espionage team most frequently exploited known vulnerabilities in Microsoft Office. In 2014 FireEye published an advisory about an attack campaign of this nature linked to intelligence gathering about the disappearance of Malaysia Airlines Flight MH370, which researchers now think may have been connected to Aoqin Dragon.
These early attacks established some patterns that the Chinese hackers appear to have stuck with over the years. One is the use of salacious materials to bait the target into clicking, particularly fake pornographic newsletters that appear to offer access to escorts. The group also sometimes pretends to be a part of the target’s organization passing an internal document to them, such as the minutes of a meeting. Though the group works almost entirely via email to conduct initial breaches, there is something of a “social engineering” element to it as it seems to select and craft material that the target will find catchy and engaging and be more likely to open without thinking too much about it.
The group has stuck with this approach through 2021, focusing heavily on scanning for unpatched systems with known vulnerabilities in recent years. The group’s modus operandi also reflects the Chinese government’s approach to cyber espionage; very low-key and stealthy, unlike some other nations that tip their hand by stealing money (North Korea) or intentionally intimidating victims (Russia). As John Bambenek, Principal Threat Hunter at Netenrich, notes: “The Chinese government has always done remarkable work in highly-specific targeting designed to infect their espionage targets. They are spending real effort to do the research to make sure they can discreetly infect organizations and operate for extended periods of time without being discovered.”
The Chinese hackers also use two backdoors, Mongall and Heyoka, that have been around for quite some time and are used by other threat actors (Mongall has been in use since 2013). These backdoors use advanced techniques such as encrypted channels and spoofed DNS requests to disguise the fact that files are being smuggled out of the target system.
While the Chinese hackers have had remarkable success in evading detection, some fairly basic elements of cybersecurity hygiene are really all that is needed to stop them: careful review of emails to determine they are from legitimate sources, similar caution in downloading and opening attachments, and disabling common attack pathways in Windows such as device autorun and automatic loading of external resources in Office. It is also yet another example of the need for organizations to keep up with security patching, as advanced threat groups are finding plenty of traction in attacking unpatched systems. Scott Bledsoe, CEO at Theon Technology, points out that regular encryption of sensitive data is helpful but does not necessarily replace patching as a strategy: “The worst kept secret that bad actors leverage is that any phishing or trojan-based malware, regardless of delivery mechanism, still depends on the lack of encryption on the target system’s data. Even relying on current established encryption approaches leaves organizations vulnerable to algorithmic decryption and/or quantum computer-based decryption faster than may be expected.”