Southeast Asia and Australia Orgs Targeted by Aoqin Dragon Hackers for Ten Years

  • A new advanced persistent threat (APT) actor dubbed Aoqin Dragon and reportedly based in China, has been linked to several hacking attacks against government, education and telecom entities mainly in Southeast Asia and Australia since 2013.

    The news comes from threat researchers Sentinel Labs, who published a blog post on Thursday describing the decade-long events.

    “We assess that the threat actor’s primary focus is espionage and relates to targets in Australia, Cambodia, Hong Kong, Singapore, and Vietnam,” wrote Joey Chen, threat intelligence researcher at SentinelOne.

    According to Sentinel Labs, Aoqin Dragon heavily relies on using document lures to infect users.

    “There are three interesting points that we discovered from these decoy documents,” Chen wrote.

    “First, most decoy content is themed around targets who are interested in APAC political affairs. Second, the actors made use of lure documents themed to pornographic topics to entice the targets. Third, in many cases, the documents are not specific to one country but rather the entirety of Southeast Asia.”

    From a technical standpoint, the malware uses a document exploit, tricking the user into opening a weaponized Word document to install a backdoor. Alternatively, users are lured into double-clicking a fake antivirus program that executes malware in the victim’s host.

    The malware also regularly uses USB shortcut techniques to install itself onto external devices and infect additional targets. Once in the system, the malware has been observed to operate through two main backdoors.

    “Attacks attributable to Aoqin Dragon typically drop one of two backdoors, Mongall and a modified version of the open source Heyoka project,” Chen explained.

    In terms of attribution, Sentinel Labs said they came across several artifacts linking the activity to a Chinese-speaking APT group, including overlapping infrastructure with a hacking attack targeting Myanmar’s presidential website in 2014.

    “The targeting of Aoqin Dragon closely aligns with the Chinese government’s political interests,” Chen said.

    “Considering this long-term effort and continuous targeted attacks for the past few years, we assess the threat actor’s motives are espionage-oriented.”

    The Sentinel Labs advisory concludes by warning the global cybersecurity about Aoqin Dragon further.

    “We have observed the Aoqin Dragon group evolve TTPs several times in order to stay under the radar. We fully expect that Aoqin Dragon will continue conducting espionage operations. In addition, we assess it is likely they will also continue to advance their tradecraft, finding new methods of evading detection and stay longer in their target network.”