Generated by GPT-5-mini

| DragonOK | |
|---|---|
| Name | DragonOK |
| Type | cyber espionage group |
| Aliases | FANCY BEAR?, Comment Crew?, UNC#### |
| Origin | alleged East Asia |
| Active | 2009–present |
| Motives | intelligence collection, supply chain compromise |
| Typical targets | telecommunications, aerospace, defense, energy, research |
DragonOK

DragonOK is a cyber espionage threat actor that several cybersecurity firms and intelligence analysts have linked to prolonged campaigns against telecommunications firms, aerospace suppliers, and research institutions. Analysts attribute a blend of bespoke tooling, living-off-the-land artifacts, and social engineering to the actor, and note overlaps with campaigns ascribed to other persistent actors such as APT10, OceanLotus, and Equation Group. Reporting on DragonOK has appeared in advisories from vendors including FireEye, Kaspersky Lab, Microsoft Threat Intelligence Center, and CrowdStrike.

DragonOK is characterized by targeted intrusions against high-value corporate and institutional networks, with an emphasis on exfiltrating intellectual property and sensitive communications. Observed tooling includes custom backdoors, credential harvesters, and proxying techniques that route traffic through legitimate services from providers such as Amazon Web Services, Dropbox, and GitHub. Campaigns attributed to the group use spear-phishing lures tied to events and organizations including the ASEAN summit, the Shanghai Stock Exchange, and academic collaborations involving Tsinghua University participants.
Early activity attributed to DragonOK surfaced in the early 2010s amid compromises of suppliers to Boeing and of vendors servicing China National Offshore Oil Corporation. Subsequent waves showed an evolution from commodity malware such as Win32/PlugX and PoisonIvy variants to custom implants described in reports by Symantec and Trend Micro. Notable developments include the adoption of supply-chain techniques similar to those used in the CCleaner attack and the incorporation of lateral movement methods described in publications by Mandiant and the SANS Institute. Over time the group has increased its use of living-off-the-land binaries such as PowerShell and PsExec, consistent with techniques cataloged in MITRE ATT&CK.

DragonOK's intrusion set commonly begins with tailored spear-phishing built around themes such as Ministry of Industry and Information Technology announcements, procurement solicitations involving Lockheed Martin suppliers, or academic conferences co-hosted by Peking University. Initial access methods include weaponized Microsoft Office documents exploiting CVEs reported by Microsoft and web shells placed on Apache HTTP Server or IIS infrastructure. Post-exploitation behavior features remote administration tools, credential dumping tools such as Mimikatz, file staging to services like Alibaba Cloud or Google Drive, and persistence via scheduled tasks and registry Run keys, as discussed in technical analyses by CERT teams. The group also uses custom C2 protocols and common tunneling utilities of the kind examined in Wireshark and Netcat analyses.
Documented DragonOK operations have focused on targets in the Asia-Pacific region, notably firms and institutions in China, Japan, South Korea, Vietnam, and Taiwan. Sectors most affected include telecommunications operators, aerospace subcontractors linked to Airbus and Rolls-Royce, energy firms working with Schlumberger, and research centers involved with quantum computing and nanotechnology. Specific campaigns have exploited industry events such as the Singapore Airshow and procurement cycles for 5G infrastructure, resulting in exfiltration of schematics, contracts, and correspondence described in reports by Palo Alto Networks and ESET.
Attribution of DragonOK remains contested; multiple intelligence reports highlight overlaps with tools and infrastructure seen in operations ascribed to APT1, APT17, and state-linked units named in leaks tied to Unit 61398. Linkage arguments rest on code similarity, reuse of command-and-control gateways hosted in networks registered to entities cited in filings by Interpol, and targeting that aligns with national strategic interests chronicled by think tanks such as RAND Corporation and International Institute for Strategic Studies. Some researchers point to operational tradecraft parallels with Turla and Cozy Bear, while others emphasize distinctions in malware provenance emphasized in whitepapers from Krebs on Security and technical blogs by Graham Cluley.
Detection recommendations for DragonOK-style intrusions stress robust email filtering using indicators and YARA rules circulated by vendors such as Cisco Talos and Fortinet, network monitoring for anomalous egress to cloud storage providers as noted by AWS security teams, and endpoint detection through heuristics implemented in Carbon Black and SentinelOne. Mitigation guidance emphasizes patch management for vulnerabilities cataloged in the CVE program, multi-factor authentication adoption as advocated by NIST guidance, and supply-chain risk assessments promoted by ISO/IEC 27001 frameworks. Incident response playbooks from US-CERT and tabletop exercises developed by ENISA are commonly recommended to reduce dwell time and data loss.
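The persistence mechanisms listed above (registry Run keys and scheduled tasks) and the recommended monitoring for anomalous egress to cloud storage providers can be turned into concrete detection logic. The script below is an added example written for this page, not code from any vendor or report cited here; the log format, host names, paths and byte counts are all constructed for the example, and the cloud-storage domain list and 10 MiB egress threshold are illustrative assumptions a defender would tune to their own environment.

```python
"""Toy detection pass over constructed key=value host and proxy log lines.

Three rules, all from a defender's stance:
  1. RUN_KEY_PERSISTENCE  - a value written under a CurrentVersion\\Run key,
                            rated higher when it points into a user-writable path.
  2. SCHTASK_PERSISTENCE  - schtasks.exe invoked with /create.
  3. CLOUD_STORAGE_EGRESS - outbound bytes to a cloud storage domain, summed per
                            (host, destination), exceeding a threshold.
"""
import re
from collections import defaultdict

# Constructed sample log lines for this example only; hosts, users, paths,
# timestamps and sizes are hypothetical and do not come from any real incident.
SAMPLE_LOGS = [
    r'ts=2024-05-01T09:12:03Z host=ws-17 event=RegistryValueSet key=HKCU\Software\Microsoft\Windows\CurrentVersion\Run value=Updater data=C:\Users\alice\AppData\Roaming\upd.exe image=C:\Windows\System32\reg.exe',
    r'ts=2024-05-01T09:12:40Z host=ws-17 event=ProcessCreate image=C:\Windows\System32\schtasks.exe cmdline="schtasks /create /sc minute /mo 15 /tn SyncTask /tr C:\Users\alice\AppData\Roaming\upd.exe"',
    r'ts=2024-05-01T09:13:10Z host=ws-17 event=ProcessCreate image=C:\Windows\System32\notepad.exe cmdline="notepad.exe report.txt"',
    r'ts=2024-05-01T09:20:00Z host=ws-17 event=ProxyRequest dst=content.dropboxapi.com method=POST bytes_out=6291456',
    r'ts=2024-05-01T09:22:00Z host=ws-17 event=ProxyRequest dst=content.dropboxapi.com method=POST bytes_out=6291456',
    r'ts=2024-05-01T09:21:00Z host=ws-03 event=ProxyRequest dst=www.example.com method=GET bytes_out=812',
    r'ts=2024-05-01T09:25:00Z host=ws-03 event=RegistryValueSet key=HKLM\Software\Microsoft\Windows\CurrentVersion\Uninstall\Foo value=DisplayName data=Foo image="C:\Program Files\Foo\setup.exe"',
]

# key=value tokens; a double-quoted value may contain spaces.
KV_RE = re.compile(r'(\w+)=("([^"]*)"|(\S+))')
RUN_KEY_RE = re.compile(r'\\CurrentVersion\\(Run|RunOnce)$', re.IGNORECASE)
USER_WRITABLE_RE = re.compile(r'\\(AppData|Temp|Public|Downloads)\\', re.IGNORECASE)
# Assumed list of cloud storage domains to watch; tune to the environment.
CLOUD_STORAGE_SUFFIXES = ("dropboxapi.com", "dropbox.com", "drive.google.com",
                          "googleapis.com", "amazonaws.com", "github.com", "aliyuncs.com")
EGRESS_THRESHOLD_BYTES = 10 * 1024 * 1024  # assumed 10 MiB per (host, destination)


def parse_line(line):
    """Parse one key=value log line into a dict."""
    fields = {}
    for m in KV_RE.finditer(line):
        fields[m.group(1)] = m.group(3) if m.group(3) is not None else m.group(4)
    return fields


def check_run_key(ev):
    """Flag writes under HKCU/HKLM ...\\CurrentVersion\\Run or RunOnce."""
    if ev.get("event") != "RegistryValueSet" or not RUN_KEY_RE.search(ev.get("key", "")):
        return None
    severity = "high" if USER_WRITABLE_RE.search(ev.get("data", "")) else "medium"
    return {"rule": "RUN_KEY_PERSISTENCE", "host": ev.get("host"), "severity": severity,
            "detail": f"{ev['key']}\\{ev.get('value')} -> {ev.get('data')}"}


def check_schtask(ev):
    """Flag schtasks.exe process creations that register a new task."""
    if ev.get("event") != "ProcessCreate":
        return None
    image = ev.get("image", "").rsplit("\\", 1)[-1].lower()
    cmdline = ev.get("cmdline", "")
    if image != "schtasks.exe" or "/create" not in cmdline.lower():
        return None
    severity = "high" if USER_WRITABLE_RE.search(cmdline) else "medium"
    return {"rule": "SCHTASK_PERSISTENCE", "host": ev.get("host"), "severity": severity,
            "detail": cmdline}


def check_cloud_egress(events):
    """Sum bytes_out per (host, cloud storage destination) and flag totals over threshold."""
    totals = defaultdict(int)
    for ev in events:
        if ev.get("event") != "ProxyRequest":
            continue
        dst = ev.get("dst", "").lower()
        if any(dst == s or dst.endswith("." + s) for s in CLOUD_STORAGE_SUFFIXES):
            totals[(ev.get("host"), dst)] += int(ev.get("bytes_out", 0))
    return [{"rule": "CLOUD_STORAGE_EGRESS", "host": host, "severity": "medium",
             "detail": f"{total} bytes to {dst}", "bytes": total}
            for (host, dst), total in totals.items() if total >= EGRESS_THRESHOLD_BYTES]


def run_detections(lines):
    """Run every rule over the given log lines and return the list of findings."""
    events = [parse_line(line) for line in lines]
    findings = []
    for ev in events:
        for check in (check_run_key, check_schtask):
            finding = check(ev)
            if finding:
                findings.append(finding)
    findings.extend(check_cloud_egress(events))
    return findings


if __name__ == "__main__":
    for f in run_detections(SAMPLE_LOGS):
        print(f"[{f['severity']:6}] {f['rule']:22} host={f['host']} {f['detail']}")
```

On the constructed sample, the benign notepad launch and the Uninstall key write produce nothing, while the three findings all land on ws-17: the Run key and scheduled task both point into a user-writable profile directory (rated high), and the two 6 MiB uploads to the same Dropbox API host are only caught because bytes are summed per (host, destination) rather than judged request by request.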
Category:Cyber threat actors