Chinese Ink Dragon Group Hides in European Government Networks

A prolific China-linked threat group is turning misconfigured servers in European government networks into relay nodes, in order to hide its cyber-espionage activity, according to Check Point.

The security vendor claimed Ink Dragon had expanded similar operations in Asia and South America to the Old World, “through a series of quiet but disciplined campaigns.”

The group initially probes public-facing websites for weaknesses, looking for configuration issues in Microsoft’s IIS web server, SharePoint and other servers.

Once it has established a foothold, it moves quietly through the environment, collecting credentials from the compromised server, identifying active administrator sessions, and reusing shared or replicated service accounts to reach nearby systems. The group uses Remote Desktop to blend into normal traffic while moving laterally, Check Point explained.

Once the threat actors find an account with domain-level rights they “map the environment in detail, control policy settings, and deploy long-term access tools across high-value systems,” according to Check Point.

To establish persistence, they install a backdoor, deploy implants which store credentials and data, and look for new paths for remote access.

The Bigger Picture

The broader plan is to create a network of relay nodes to obfuscate the group’s cyber-espionage activity.

“One of Ink Dragon’s defining traits is how they use compromised organizations to support operations elsewhere. The group deploys a customized IIS based module that turns public-facing servers into quiet relay points. These servers forward commands and data between different victims, creating a communication mesh that hides the true origin of the attack traffic,” the report explained.

“Across incidents, the same story repeats. A small web facing issue becomes the first step. A series of quiet pivots leads to domain level control. The environment is then repurposed as part of a larger network that powers operations against additional targets. This measured approach shows how Ink Dragon combines discipline, consistency, and evolving tools to expand its reach over time.”
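The relay module the report describes is a native IIS module registered in applicationHost.config, so one defensive triage step is to list every registered native module and flag any whose DLL lives outside the directories Microsoft-shipped modules normally use. The snippet below is an added example, not code from the report or from Check Point; the configuration fragment, module names and paths it parses are constructed, and the directory allow-list is a heuristic baseline that a reviewer would follow up with signature and hash checks.

```python
import xml.etree.ElementTree as ET

# Directories where Microsoft-shipped IIS native modules are normally installed
# (lower-cased for comparison). A module image anywhere else is not proof of
# compromise, but it is worth a closer look: who installed it, when, is it signed?
EXPECTED_MODULE_DIRS = (
    r"%windir%\system32\inetsrv",
    r"%windir%\microsoft.net\framework",
    r"%windir%\microsoft.net\framework64",
)

# Constructed sample of the <globalModules> section of applicationHost.config.
# The first two entries mirror standard Microsoft modules; the third is a
# made-up module registered from a non-standard path (not an indicator from the report).
SAMPLE_CONFIG = """<configuration>
  <system.webServer>
    <globalModules>
      <add name="UriCacheModule" image="%windir%\\System32\\inetsrv\\cachuri.dll" />
      <add name="ManagedEngineV4.0_64bit"
           image="%windir%\\Microsoft.NET\\Framework64\\v4.0.30319\\webengine4.dll"
           preCondition="integratedMode,runtimeVersionv4.0,bitness64" />
      <add name="HealthCheckModule" image="C:\\inetpub\\temp\\hc.dll" />
    </globalModules>
  </system.webServer>
</configuration>"""


def _normalize(path):
    """Lower-case, unify slashes, and map a literal Windows dir to %windir%."""
    p = path.strip().lower().replace("/", "\\")
    if p.startswith("c:\\windows\\"):
        p = "%windir%\\" + p[len("c:\\windows\\"):]
    return p


def find_unexpected_modules(config_xml):
    """Return [(name, image)] for native modules whose image path is outside
    the expected Microsoft module directories. Order follows the config file."""
    root = ET.fromstring(config_xml)
    section = root.find("system.webServer/globalModules")
    if section is None:
        return []
    flagged = []
    for entry in section.findall("add"):
        name, image = entry.get("name", ""), entry.get("image", "")
        if not any(_normalize(image).startswith(d) for d in EXPECTED_MODULE_DIRS):
            flagged.append((name, image))
    return flagged


if __name__ == "__main__":
    for name, image in find_unexpected_modules(SAMPLE_CONFIG):
        print(f"review native module {name!r} loaded from {image}")
```

On a live host the same function can be pointed at `%windir%\System32\inetsrv\config\applicationHost.config`; managed modules under `<modules>` are a separate list and are not covered by this check.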

To achieve its goals, Ink Dragon continues to update its tooling, including a new version of the FinalDraft backdoor built for long-term access and to blend into Microsoft cloud activity, said Check Point.

The report also claimed that a second China-linked group, RudePanda, had entered some of the same European government networks and even exploited the same exposed server vulnerability.

“This overlap does not suggest cooperation,” Check Point concluded.

“However, it shows how a single unpatched weakness can become an open door for multiple advanced actors, each running its own campaign inside the same organization.”

It’s not just China using these tactics to build out covert, resilient networks for staging new attack campaigns. This week, AWS warned of a new Russian military intelligence campaign using misconfigured network edge devices for initial access.
