A threat group has expanded its operations from Asia and South America to target governments in Europe, according to Check Point research.

A China-linked threat group, identified as “Ink Dragon,” is exploiting common vulnerabilities in Internet Information Services (IIS) servers. The group aims to establish a global espionage network that is challenging to monitor or disrupt, as reported by security vendor Check Point.
Also known by the monikers “Earth Alux” (Trend Micro) and “REF7707” (Elastic Security Labs), the group’s activities began in early 2023. Initially, it focused on governments in Southeast Asia and South America, but its scope has since broadened to include European nations.
Ink Dragon’s operational methods may resemble those of other Chinese threat groups involved in state-sponsored surveillance, such as UNC6384, which previously targeted European diplomats.
However, a recent investigation by Check Point into a European government office revealed that the group has adopted what researchers describe as “an unusually sophisticated playbook” with long-term objectives. Check Point’s findings indicate a shift in tactics.
A crucial element of this strategy involves IIS, Microsoft’s older web server platform, which remains prevalent in many networks, particularly within the public sector. IIS is attractive to attackers due to its widespread deployment and frequent misconfigurations or insecure setups.
The attack sequence begins with the compromise of an IIS server, granting attackers access to the internal network. From there, they gather local credentials and observe administrative sessions. These stolen credentials and Microsoft Remote Desktop are then used for lateral movement within the network, avoiding detection. Subsequently, the group installs a custom IIS module, transforming the compromised server into a covert “quiet” relay within its broader global infrastructure.
These compromised servers facilitate the forwarding of commands and data between various victims, creating a communication mesh that obscures the actual origin of the attack traffic, as explained by Check Point’s researchers.
Shadow infrastructure
The attack pursues two primary objectives: first, to compromise government servers and extract intelligence from their networks; and second, to utilize these compromised servers as relays for attack traffic to and from other infected systems. This dual approach significantly complicates the detection of the group’s command and control (C2) operations.
This strategy cleverly circumvents the challenges associated with relying on conventional C2 infrastructure, which is susceptible to takedown and disruption. Instead, the hijacked and trusted government servers effectively become the C2 infrastructure itself.
Check Point observed a consistent pattern across incidents: a minor web-facing vulnerability serves as the initial entry point. This is followed by a series of stealthy maneuvers that lead to domain-level control. The compromised environment is then repurposed as part of a larger network, supporting operations against additional targets. Furthermore, the group conceals its communications within ordinary mailbox drafts, making them appear as routine daily exchanges.
Interestingly, Check Point also discovered that RudePanda, another Chinese threat group, was simultaneously exploiting IIS vulnerabilities to compromise government servers. This resulted in RudePanda operating within the same compromised environments at the same time as Ink Dragon.
These findings highlight the persistent problem of IIS misconfiguration. While Check Point has provided the group’s indicators of compromise (IoCs), specific countermeasures were not detailed. However, several preventative actions can be considered: auditing IIS modules against a known good baseline, enabling advanced IIS logging, configuring IIS to mitigate common view state vulnerabilities, and deploying a web application firewall (WAF) in front of IIS servers.
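The first of those preventative actions, auditing IIS modules against a known-good baseline, can be scripted. The following PowerShell is an added example written for this article, not code from Check Point or the article itself; it assumes a baseline JSON file at a hypothetical path that was exported from a freshly built, trusted server, and it checks only native (global) modules, since a custom native module of the kind described above is registered there.

```powershell
# Added example: compare the native IIS global modules registered on this server with a
# known-good baseline and report anything unexpected. Requires the WebAdministration module.
Import-Module WebAdministration

# Hypothetical baseline path. The file is created once on a trusted server with:
#   Get-WebGlobalModule | Select-Object Name, Image | ConvertTo-Json | Set-Content $BaselinePath
$BaselinePath = 'C:\iis-baseline\globalmodules.json'

$baseline = Get-Content -Path $BaselinePath -Raw | ConvertFrom-Json
$baselineByName = @{}
foreach ($m in $baseline) { $baselineByName[$m.Name] = $m.Image }

$findings = @()
foreach ($module in Get-WebGlobalModule) {
    $name  = $module.Name
    # Image paths are usually stored with %windir%; expand so comparisons are literal.
    $image = [Environment]::ExpandEnvironmentVariables($module.Image)

    if (-not $baselineByName.ContainsKey($name)) {
        # A module the baseline has never seen is the most direct sign of an implanted module.
        $findings += [pscustomobject]@{ Module = $name; Image = $image; Issue = 'NOT IN BASELINE' }
        continue
    }
    $expected = [Environment]::ExpandEnvironmentVariables($baselineByName[$name])
    if ($image -ne $expected) {
        # Same module name, different DLL: a known name re-pointed at another binary.
        $findings += [pscustomobject]@{ Module = $name; Image = $image; Issue = "IMAGE CHANGED (expected $expected)" }
        continue
    }
    # Name and path match the baseline; still verify the DLL on disk carries a valid signature.
    $sig = Get-AuthenticodeSignature -FilePath $image -ErrorAction SilentlyContinue
    if ($null -eq $sig -or $sig.Status -ne 'Valid') {
        $findings += [pscustomobject]@{ Module = $name; Image = $image; Issue = "SIGNATURE $($sig.Status)" }
    }
}

if ($findings.Count -eq 0) { Write-Output 'IIS global modules match the baseline.' }
else { $findings | Format-Table -AutoSize }
```

Run it on a schedule and forward any non-empty finding list to the SIEM; a baseline should be regenerated only after a reviewed change, never from a server already suspected of compromise.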

