Chinese 'Aoqin Dragon' gang runs undetected ten-year espionage spree

Researcher spots it targeting Asian government and telco targets, probably with Beijing's approval


Threat researcher Joey Chen of Sentinel Labs says he's spotted a decade worth of cyber attacks he's happy to attribute to a single Chinese gang.

Chen has named the group Aoqin Dragon, says its goal is espionage, and that it prefers targets in Australia, Cambodia, Hong Kong, Singapore, and Vietnam.

The gang is fond of attacks that start by inducing users to open poisoned Word documents that install a backdoor – often a threat named Mongall or a modified version of the open source Heyoka project.

The group's lures have changed over the years. Sometimes its lures are document on regional political topics, while on other occasions the gang has used pornographic content as a lure.

The initial incursion sometimes installs a fake removable device that, when clicked, installs malware. Fake anti-virus apps are another tool the group deploys.

Once the gang compromises a machine, it seeks wider network access so the gang can find juicy info.

Chen wrote that he's seen Aoqin Dragon target "government, education, and telecommunication organizations."

"The targeting of Aoqin Dragon closely aligns with the Chinese government's political interests," he wrote, adding "Considering this long-term effort and continuous targeted attacks for the past few years, we assess the threat actor's motives are espionage-oriented."

China is often credibly accused of using foul means to acquire secrets from private sector and government organizations. Chen thinks Aoqin Dragon will continue its work. "We assess it is likely they will also continue to advance their tradecraft, finding new methods of evading detection and stay longer in their target network," he wrote.

News of the group's activities follows three US government agencies – the NSA, FBI and CISA – jointly announcing that China-backed actors are attacking routers and network attached storage devices to exfiltrate data from carriers and network services providers.

The three agencies stated that the attacks target devices that haven't patched flaws identified between 2017 and 2021. Aoqin Dragon's method of using malicious Microsoft Word documents also relies on users not doing the right thing and either patching or upgrading their apps to safe editions. ®

Broader topics


Other stories you might like

  • Beijing probes security at academic journal database
    It's easy to see why – the question is, why now?

    China's internet regulator has launched an investigation into the security regime protecting academic journal database China National Knowledge Infrastructure (CNKI), citing national security concerns.

    In its announcement of the investigation, the China Cyberspace Administration (CAC) said:

    Continue reading
  • China is trolling rare-earth miners online and the Pentagon isn't happy
    Beijing-linked Dragonbridge flames biz building Texas plant for Uncle Sam

    The US Department of Defense said it's investigating Chinese disinformation campaigns against rare earth mining and processing companies — including one targeting Lynas Rare Earths, which has a $30 million contract with the Pentagon to build a plant in Texas.

    Earlier today, Mandiant published research that analyzed a Beijing-linked influence operation, dubbed Dragonbridge, that used thousands of fake accounts across dozens of social media platforms, including Facebook, TikTok and Twitter, to spread misinformation about rare earth companies seeking to expand production in the US to the detriment of China, which wants to maintain its global dominance in that industry. 

    "The Department of Defense is aware of the recent disinformation campaign, first reported by Mandiant, against Lynas Rare Earth Ltd., a rare earth element firm seeking to establish production capacity in the United States and partner nations, as well as other rare earth mining companies," according to a statement by Uncle Sam. "The department has engaged the relevant interagency stakeholders and partner nations to assist in reviewing the matter.

    Continue reading
  • Cisco warns of security holes in its security appliances
    Bugs potentially useful for rogue insiders, admin account hijackers

    Cisco has alerted customers to another four vulnerabilities in its products, including a high-severity flaw in its email and web security appliances. 

    The networking giant has issued a patch for that bug, tracked as CVE-2022-20664. The flaw is present in the web management interface of Cisco's Secure Email and Web Manager and Email Security Appliance in both the virtual and hardware appliances. Some earlier versions of both products, we note, have reached end of life, and so the manufacturer won't release fixes; it instead told customers to migrate to a newer version and dump the old.

    This bug received a 7.7 out of 10 CVSS severity score, and Cisco noted that its security team is not aware of any in-the-wild exploitation, so far. That said, given the speed of reverse engineering, that day is likely to come. 

    Continue reading
  • Xi Jinping himself weighs in on how Big Tech should deploy FinTech
    Beijing also outlines its GovTech vision and gets very excited about data

    China's government has outlined its vision for digital services, expected behavior standards at China's big tech companies, and how China will put data to work everywhere – with president Xi Jinping putting his imprimatur to some of the policies.

    Xi's remarks were made in his role as director of China’s Central Comprehensively Deepening Reforms Commission, which met earlier this week. The subsequent communiqué states that at the meeting Xi called for "financial technology platform enterprises to return to their core business" and "support platform enterprises in playing a bigger role in serving the real economy and smoothing positive interplay between domestic and international economic flows."

    The remarks outline an attempt to balance Big Tech's desire to create disruptive financial products that challenge monopolies, against efforts to ensure that only licensed and regulated entities offer financial services.

    Continue reading
  • CISA and friends raise alarm on critical flaws in industrial equipment, infrastructure
    Nearly 60 holes found affecting 'more than 30,000' machines worldwide

    Updated Fifty-six vulnerabilities – some deemed critical – have been found in industrial operational technology (OT) systems from ten global manufacturers including Honeywell, Ericsson, Motorola, and Siemens, putting more than 30,000 devices worldwide at risk, according to private security researchers. 

    Some of these vulnerabilities received CVSS severity scores as high as 9.8 out of 10. That is particularly bad, considering these devices are used in critical infrastructure across the oil and gas, chemical, nuclear, power generation and distribution, manufacturing, water treatment and distribution, mining and building and automation industries. 

    The most serious security flaws include remote code execution (RCE) and firmware vulnerabilities. If exploited, these holes could potentially allow miscreants to shut down electrical and water systems, disrupt the food supply, change the ratio of ingredients to result in toxic mixtures, and … OK, you get the idea.

    Continue reading
  • Zero Trust: What does it actually mean – and why would you want it?
    'Narrow and specific access rights after authentication' wasn't catchy enough

    Systems Approach Since publishing our article and video on APIs, I’ve talked with a few people on the API topic, and one aspect that keeps coming up is the importance of security for APIs.

    In particular, I hear the term “zero trust” increasingly being applied to APIs, which led to the idea for this post. At the same time, I’ve also noticed what might be called a zero trust backlash, as it becomes apparent that you can’t wave a zero trust wand and instantly solve all your security concerns.

    Zero trust has been on my radar for almost a decade, as it was part of the environment that enabled network virtualization to take off. We’ve told that story briefly in our SDN book – the rise of microsegmentation as a widespread use-case was arguably the critical step that took network virtualization from a niche technology to the mainstream.

    Continue reading
  • OpenSSL 3.0.5 awaits release to fix potential worse-than-Heartbleed flaw
    Though severity up for debate, and limited chips affected, broken tests hold back previous patch from distribution

    The latest version of OpenSSL v3, a widely used open-source library for secure networking using the Transport Layer Security (TLS) protocol, contains a memory corruption vulnerability that imperils x64 systems with Intel's Advanced Vector Extensions 512 (AVX512).

    OpenSSL 3.0.4 was released on June 21 to address a command-injection vulnerability (CVE-2022-2068) that was not fully addressed with a previous patch (CVE-2022-1292).

    But this release itself needs further fixing. OpenSSL 3.0.4 "is susceptible to remote memory corruption which can be triggered trivially by an attacker," according to security researcher Guido Vranken. We're imagining two devices establishing a secure connection between themselves using OpenSSL and this flaw being exploited to run arbitrary malicious code on one of them.

    Continue reading

Biting the hand that feeds IT © 1998–2022