SentinelLabs has uncovered a cluster of activity beginning at least as far back as 2013 and continuing to the present day, primarily targeting organizations in Southeast Asia and Australia. SentinelLabs assess that the threat actor’s primary focus is espionage and relates to targets in Australia, Cambodia, Hong Kong, Singapore, and Vietnam. SentinelLabs track this activity as ‘Aoqin Dragon’.
SentinelLabs assess that this group appears to operate as an off-shoot of another prolific APT actor known as ‘Cactus’. Cactus has been active since at least 2013 and was disclosed by FireEye in 2018 as part of the LightningStrikes campaign. Cactus appears to operate under the direction of the North Korean government, and may have served as a training ground for Aoqin Dragon.
Aoqin Dragon has been active primarily against targets in the Asia-Pacific region, with South Korea, Japan, Australia, and Vietnam among the most frequently affected countries, but it has also conducted campaigns against victims in North America and Europe.
The campaign began with spear-phishing emails sent within Southeast Asia in early 2013. The emails contained links directing victims to a website on a compromised web server, which in turn delivered malware and malware-laced documents from a remote server. The malware was disguised as a PDF attributed to the International Atomic Energy Agency (IAEA) and was named ‘Report on Iran’s Nuclear Program.pdf’.
The website was hosted on a web server belonging to the victim organization that the attackers had compromised. The malware used by Aoqin Dragon is designed to steal credentials from the victim’s system, which makes it easier for the threat actor to move laterally within the network. This group has been reported to use a mix of publicly available and custom tools for lateral movement.
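The lure described above works because the file's name says "PDF" while its content is an executable. The practical check is to compare the claimed extension against the file's leading magic bytes rather than trusting the name. The following is an added example written for this page, not code from the SentinelLabs report or from any tooling the report describes; the sample file names and byte strings are constructed for illustration, and it goes slightly beyond the page by also flagging two related masquerade tricks (a document-style inner extension such as `.pdf.exe`, and a right-to-left override character in the name).

```python
"""Flag files whose name claims a document format but whose content is something else.

Added example for this page (not from the SentinelLabs report). The magic-byte
table covers a handful of common formats; extend it as needed. All sample
inputs in the test are constructed, not captured from the campaign.
"""
import os

# Leading bytes (file signatures) for common formats.
MAGIC = {
    b"%PDF-": "pdf",
    b"MZ": "exe",                                   # PE executable: EXE, DLL, SCR, ...
    b"PK\x03\x04": "zip",                           # ZIP, also DOCX/XLSX/PPTX and JAR
    b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1": "ole",     # legacy DOC/XLS/PPT (OLE2)
}

# Which detected formats are legitimate for a given claimed extension.
EXPECTED = {
    "pdf": {"pdf"},
    "doc": {"ole"}, "xls": {"ole"}, "ppt": {"ole"},
    "docx": {"zip"}, "xlsx": {"zip"}, "pptx": {"zip"},
}
DOCUMENT_EXTS = set(EXPECTED) | {"txt", "jpg", "png"}
EXECUTABLE_EXTS = {"exe", "scr", "com", "pif", "dll"}
RLO = "\u202e"  # RIGHT-TO-LEFT OVERRIDE, used to visually reverse the tail of a name


def detect_format(data: bytes) -> str:
    """Return the format implied by the leading bytes, or 'unknown'."""
    for signature, name in MAGIC.items():
        if data.startswith(signature):
            return name
    return "unknown"


def claimed_extension(filename: str) -> str:
    """The extension the name asserts (lower-case, without the dot)."""
    return os.path.splitext(filename)[1].lower().lstrip(".")


def has_double_extension(filename: str) -> bool:
    """True for names like 'report.pdf.exe' where a document-style inner
    extension hides the real one."""
    parts = filename.lower().split(".")
    return len(parts) >= 3 and parts[-2] in DOCUMENT_EXTS


def assess(filename: str, data: bytes) -> list[str]:
    """Return the reasons the file looks like a disguised executable.
    An empty list means no finding."""
    findings = []
    claimed = claimed_extension(filename)
    actual = detect_format(data)

    # Content is a PE binary but the name does not admit it.
    if actual == "exe" and claimed not in EXECUTABLE_EXTS:
        findings.append(f"content is a PE executable but name claims '.{claimed}'")
    # Name claims a document format whose signature does not match the content.
    elif claimed in EXPECTED and actual not in EXPECTED[claimed]:
        findings.append(f"extension '.{claimed}' does not match content '{actual}'")

    if has_double_extension(filename):
        findings.append("document-style inner extension hides the real extension")
    if RLO in filename:
        findings.append("right-to-left override character in file name")
    return findings


if __name__ == "__main__":
    # Constructed samples: a real PDF header versus a PE header under the lure name.
    lure = "Report on Iran’s Nuclear Program.pdf"
    for name, blob in [(lure, b"%PDF-1.7\n%\xe2\xe3\xcf\xd3\n"),
                       (lure, b"MZ\x90\x00\x03\x00\x00\x00"),
                       ("invoice.pdf.exe", b"MZ\x90\x00"),
                       ("notes" + RLO + "fdp.exe", b"MZ\x90\x00")]:
        print(repr(name), detect_format(blob), assess(name, blob))
```

Run this against the directory a mail gateway or sandbox drops attachments into; anything with a non-empty finding list should be quarantined for analysis rather than delivered. The magic-byte check catches the case in the text (a binary named `.pdf`), while the two extra checks catch the commonest ways attackers make an executable's name look like a document in a file listing.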