The DragonOK APT Group with Ties to China Keeps Revising Their Strategies and Tools
FireEye researchers first identified activities of cyber espionage in September 2014 and linked them to DragonOK, which was discovered to be sponsored by the Chinese government.
Two hacking campaigns were discovered at the time, each run by a different group; the two groups appeared to operate from different regions of China but were active concurrently.
Moafee was the name of the first group, and its targets were government and military entities with some form of involvement in the dispute surrounding the South China Sea. In a blog post, FireEye experts explained that the group attacked various entities and seemed to be operating from Guangdong Province. It attacked mainly organizations operating in the US defense industry.
DragonOK was the name of the second team and their operations revolved around corporate espionage targeting Taiwanese and Japanese companies in the manufacturing and high-tech industries.
It appears that the DragonOK group has once again become active. Recently, they attacked a number of organizations from Japan operating in different industries, including higher education, energy, technology, semiconductor, and manufacturing.
The principal target of this advanced persistent threat group seems to be Japan but there is evidence that these hackers also attacked entities and individuals in Tibet, Russia, and Taiwan.
Palo Alto Networks specialists explained that Sysget is one of the malware tools the group used to attack Taiwanese organizations.
This malicious code was delivered through RTF documents and also directly through phishing emails. The documents exploited the flaw tracked as CVE-2015-1641 and then executed a distinctive shellcode. Experts discovered three new, improved variants of Sysget that were harder for security software to detect and analyze.
Palo Alto also stated that the DragonOK hackers had additionally turned to the IsSpace and TidePool malware tools.
The NFlog backdoor, which Moafee and DragonOK have both used in the past, seems to have evolved into IsSpace. TidePool was discovered in early 2016, when it was found as part of a series of attacks linked to Operation Ke3chang, another advanced persistent threat group hailing from China.
FireEye researchers discovered a group of hackers connected to China in 2013 that spied on ministries of foreign affairs across Europe. At the time, the operation was named “Operation Ke3chang.” In early 2016, the same group was discovered to be behind a series of attacks on employees working at Indian embassies all over the planet.
The TidePool malicious code was the tool DragonOK used in their attacks on Tibetan and Russian entities.
Palo Alto Networks experts published their analysis, which also showed ties between the command-and-control domains of the different malicious codes DragonOK used, such as IsSpace, TidePool and Sysget, and various other indicators of compromise.
Palo Alto Networks stated that the DragonOK group seems to be conducting a fair amount of activity and they have continued to revise their strategies and toolset. The tools they are using are being continuously modernized and are evolving in such a way that detecting and analyzing them is becoming increasingly difficult. Furthermore, they also explained that other malicious codes were being used, like TidePool. It seems that Japan is still the group’s main target, but it appears they are also looking to attack other areas, like Russia, Taiwan, and Tibet.