SentinelLabs reports that it has newly discovered a China-linked APT named “Aoqin Dragon” that has been spying on organisations in Australia and South-East Asia for over a decade.
The SentinelLabs researchers have revealed that this new advanced persistent threat (APT) group linked to China had been discovered "only after conducting cyber espionage campaigns under the radar since 2013".
Dubbed "Aoqin Dragon", the Chinese hackers lure victims with malicious documents, according to SentinelLabs data, which appear to be salacious ads for pornography sites.
The cyber espionage group appears to have a heavy focus on certain APAC countries and regions that include Australia, Cambodia, Hong Kong, Singapore, and Vietnam. Thought to be in action since at least 2013, the group targets government agencies, educational institutions and telecommunications firms, as well as individuals involved in political affairs.
According to SentinelLabs researchers, the Chinese hackers' main approach is "to get the victim to open malicious documents, such as PDF and RTF files", which has remained consistent over the years.
"Since 2018, the group has also been observed utilising fake removable devices via bogus shortcut files delivered to victims using Windows computers; when targets attempt to open the fake device in Windows Explorer, the Evernote Tray Application is hijacked to load a malicious DLL that quietly creates a backdoor for the attackers.
"The group has also been observed using fake antivirus executables," SentinelLabs researchers stated.
The Chinese hackers have also been tied to another threat group that has been tracked over the years, known as “UNC94” (or “Naikon”) by Mandiant, which has been attributed to the Chinese government in its operations. Both hacking groups have been known to use DNS tunnelling and the use of Themida-packed files to create a virtual machine that can evade most malware detection.
The use of Chinese language in its malware and the targets of its cyber espionage, SentinelLabs researchers added, "are almost always of clear political interest to the CCP". The group has also engaged in "for-profit activities" or "target selection that would be expected of a criminal outfit". The Chinese hackers have been leveraging published vulnerabilities, a strategy that could have assisted concealing their presence from security researchers for so long, despite the scope and length of their cyber espionage activities.
Exploiting known vulnerabilities in Microsoft Office has been a reliable strategy for the Chinese hacking group according to SentinelLabs data.
"In 2014, FireEye published an advisory about an attack campaign of this nature linked to intelligence gathering about the disappearance of Malaysia Airlines Flight MH370, which researchers now think may have been connected to Aoqin Dragon.
"These early attacks established some patterns that the Chinese hackers appear to have stuck with over the years.
"One is the use of salacious materials to bait the target into clicking, particularly fake pornographic newsletters that appear to offer access to escorts," SentinelLabs researchers stated.
In some cases, the Chinese hacking group "works almost entirely via email to conduct initial breaches", pretending to be a member of the target's organisation, "passing an internal document to them, such as the minutes of a meeting".
"The 'social engineering' element to it as it seems to select and craft material that the target will find catchy and engaging and be more likely to open without thinking too much about it," SentinelLabs researchers stated.
According to John Bambenek, principal threat hunter at Netenrich, the Chinese government has always done remarkable work in highly specific targeting designed to infect their espionage targets.
"They are spending real effort to do the research to make sure they can discreetly infect organisations and operate for extended periods of time without being discovered," Bambenek added.
The Chinese hacking group's approach reflects the Chinese government’s tactics to cyber espionage; very low-key and stealthy in comparison to stealing money (North Korea), or intentionally intimidating victims (Russia).
SentinelLabs researchers have also found that the Chinese hackers have been using two backdoors, Mongall and Heyoka, which have been around for some time, frequently used by other threat actors (Mongall has been in use since 2013). To disguise files being smuggled out of the target system, these backdoors use encrypted channels and spoofed DNS requests.
Scott Bledsoe, CEO at Theon Technology, points out that regular encryption of sensitive data is helpful, but does not necessarily replace patching as a strategy.
"The worst-kept secret that bad actors leverage is that any phishing or Trojan-based malware, regardless of delivery mechanism, still depends on the lack of encryption on the target system's data.
"Even relying on current established encryption approaches leaves organisations vulnerable to algorithmic decryption and/or quantum computer-based decryption faster than maybe expected."
To avoid becoming a victim, basic cyber security hygiene is needed according to SentinelLabs researchers.
"Careful review of emails to determine they are from legitimate sources, similar caution in downloading and opening attachments, and disabling common attack pathways in Windows such as device autorun and automatic loading of external resources in Office.
"It is also yet another example of the need for organisations to keep up with security patching, as advanced threat groups are finding plenty of traction in attacking unpatched systems," SentinelLabs researchers concluded.