The Chinese cyber-espionage group known as Ink Dragon has significantly expanded its operations, targeting dozens of government and telecommunications organizations across Europe, Asia, and Africa, according to Technadu.
Check Point Research analysts report that the attackers specialize in exploiting vulnerabilities in Microsoft IIS and SharePoint servers, using system misconfigurations to gain covert access. Unlike groups seeking high-profile breaches, Ink Dragon focuses on slow, discreet intelligence gathering, allowing them to remain undetected within secure networks for years.
To gain initial access, the hackers exploit specific server vulnerabilities and then use stolen employee credentials to move laterally within government systems. Ink Dragon employs sophisticated stealth techniques: its malware can hide command-and-control traffic within Microsoft cloud mailbox drafts, making malicious activity nearly indistinguishable from normal office operations. Once they obtain administrator privileges, the group deploys a suite of spy modules and backdoors that operate directly in memory without leaving traces on hard drives.
One of Ink Dragon’s most dangerous tactics is using victims’ own infrastructure to carry out further attacks. By compromising publicly accessible government servers, the hackers turn them into relay nodes, routing commands and stolen data through that relay network. This effectively conceals the true source of the attack and makes it nearly impossible to trace back to China. Such a distributed network allows the hackers to coordinate operations across multiple agencies, leveraging one state’s resources to strike another.
Experts emphasize that the Ink Dragon campaign represents a new level of sophistication in state-sponsored cyber operations. The attackers continuously refine their tools for long-term, covert espionage. Investigations revealed that in some European government networks, another Chinese hacker group, RudePanda, was operating alongside Ink Dragon. The fact that multiple independent groups exploit the same vulnerabilities in critical infrastructure underscores the systemic nature of the digital assault on Europe’s cyber borders.