Skip links

Chinese ‘Aoqin Dragon’ gang runs undetected ten-year espionage spree

Threat researcher Joey Chen of Sentinel Labs says he’s spotted a decade worth of cyber attacks he’s happy to attribute to a single Chinese gang.

Chen has named the group Aoqin Dragon, says its goal is espionage, and that it prefers targets in Australia, Cambodia, Hong Kong, Singapore, and Vietnam.

The gang is fond of attacks that start by inducing users to open poisoned Word documents that install a backdoor – often a threat named Mongall or a modified version of the open source Heyoka project.

The group’s lures have changed over the years. Sometimes its lures are document on regional political topics, while on other occasions the gang has used pornographic content as a lure.

The initial incursion sometimes installs a fake removable device that, when clicked, installs malware. Fake anti-virus apps are another tool the group deploys.

Once the gang compromises a machine, it seeks wider network access so the gang can find juicy info.

Chen wrote that he’s seen Aoqin Dragon target “government, education, and telecommunication organizations.”

“The targeting of Aoqin Dragon closely aligns with the Chinese government’s political interests,” he wrote, adding “Considering this long-term effort and continuous targeted attacks for the past few years, we assess the threat actor’s motives are espionage-oriented.”

China is often credibly accused of using foul means to acquire secrets from private sector and government organizations. Chen thinks Aoqin Dragon will continue its work. “We assess it is likely they will also continue to advance their tradecraft, finding new methods of evading detection and stay longer in their target network,” he wrote.

News of the group’s activities follows three US government agencies – the NSA, FBI and CISA – jointly announcing that China-backed actors are attacking routers and network attached storage devices to exfiltrate data from carriers and network services providers.

The three agencies stated that the attacks target devices that haven’t patched flaws identified between 2017 and 2021. Aoqin Dragon’s method of using malicious Microsoft Word documents also relies on users not doing the right thing and either patching or upgrading their apps to safe editions. ®