However, researchers surmise that DDoS is unlikely to be the group's ultimate goal, and that they may instead be performing reconnaissance or pre-positioning in preparation for future attacks. Evidence so far points to the threat group's links with China, given their ability to control the Great Firewall (GFW). The research further shows that their operations:

    • Induce responses from GFW, including false MX records from the Chinese IP address space. This highlights a novel use of national infrastructure as a fundamental part of their strategy.
    • Trigger DNS queries for MX and other record types to domains not owned by the actor but which reside under well-known top-level domains such as .com and .org. This tactic highlights the use of distraction and obfuscation techniques to hide the real intended purpose.
    • Utilize super-aged domains, typically registered prior to the year 2000, enabling the actor to blend in with other DNS traffic and avoid detection. This further highlights the threat actor’s sophisticated understanding of DNS and existing security controls that is uncommon among threat actors today.
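The three findings above describe things a resolver operator can actually look for in their own logs. The following is an added example, not code from the original research or its authors: a small detector run over constructed DNS resolver log lines that flags (1) bursts of MX queries for many distinct subdomains under one registered domain, marking those the operator has listed as long-registered ("aged"), and (2) MX answers whose exchange field is a bare IP literal (an MX exchange is supposed to be a hostname) or falls inside a watchlisted prefix. The log lines, the aged-domain list, the watchlist prefix and the `burst_threshold` value are all constructed assumptions; the prefix is a documentation range used as a placeholder, not a real range associated with any country or network.

```python
"""Added example, not code from the original research write-up: detector over
constructed resolver log lines for the observables described in the text.
Everything below (log lines, domain list, watchlist prefix) is constructed."""
import ipaddress
from collections import defaultdict

# Constructed sample log, one "<client> <qname> <qtype> <rdata>" per line.
LOG_LINES = [
    "10.0.0.5 mail.example-old.com A 203.0.113.10",
    "10.0.0.5 example-old.com MX mail.example-old.com",
    "10.0.0.9 k3j9x.example-old.com MX 198.51.100.7",
    "10.0.0.9 q8w2z.example-old.com MX 198.51.100.23",
    "10.0.0.9 p0l4m.example-old.com MX mx-p0l4m.example-old.com",
    "10.0.0.9 v7c1n.example-old.com MX 198.51.100.41",
    "10.0.0.9 z2x5b.example-old.com MX 198.51.100.9",
    "10.0.0.12 example.org MX mail.example.org",
    "10.0.0.12 www.example.org A 203.0.113.80",
]

# Placeholder watchlist prefix (TEST-NET-2, constructed) and a constructed
# list of domains the operator has identified as registered long ago.
WATCHLIST = [ipaddress.ip_network("198.51.100.0/24")]
AGED_DOMAINS = {"example-old.com"}


def parse_line(line):
    """Split one constructed log line into its four fields."""
    client, qname, qtype, rdata = line.split()
    return {"client": client, "qname": qname.lower().rstrip("."),
            "qtype": qtype.upper(), "rdata": rdata.rstrip(".")}


def is_ip_literal(value):
    """True if the value parses as an IPv4/IPv6 address rather than a hostname."""
    try:
        ipaddress.ip_address(value)
        return True
    except ValueError:
        return False


def registered_domain(qname):
    """Crude registered-domain extraction (last two labels); a real deployment
    would consult the Public Suffix List instead."""
    return ".".join(qname.split(".")[-2:])


def analyze(lines, watchlist, aged_domains, burst_threshold=4):
    """Return MX-query bursts per registered domain and suspicious MX answers."""
    subdomain_mx = defaultdict(set)  # registered domain -> distinct subdomains with MX queries
    suspicious = []
    for line in lines:
        rec = parse_line(line)
        if rec["qtype"] != "MX":
            continue
        base = registered_domain(rec["qname"])
        if rec["qname"] != base:          # MX for a subdomain, not the apex
            subdomain_mx[base].add(rec["qname"])
        reasons = []
        if is_ip_literal(rec["rdata"]):   # exchange field should be a hostname
            reasons.append("ip_literal_in_mx")
            addr = ipaddress.ip_address(rec["rdata"])
            if any(addr in net for net in watchlist):
                reasons.append("watchlist")
        if reasons:
            suspicious.append({"qname": rec["qname"], "rdata": rec["rdata"],
                               "reasons": reasons})
    bursts = {
        base: {"count": len(names), "aged": base in aged_domains}
        for base, names in subdomain_mx.items()
        if len(names) >= burst_threshold
    }
    return {"mx_bursts": bursts, "suspicious_answers": suspicious}


if __name__ == "__main__":
    result = analyze(LOG_LINES, WATCHLIST, AGED_DOMAINS)
    for base, info in result["mx_bursts"].items():
        print(f"MX burst: {info['count']} subdomains of {base} (aged={info['aged']})")
    for item in result["suspicious_answers"]:
        print(f"suspicious MX answer for {item['qname']}: {item['rdata']} {item['reasons']}")
```

On the constructed sample this reports one burst (five random-looking subdomains of the aged domain queried for MX) and four MX answers whose exchange field is an IP literal inside the watchlisted prefix. In production the interesting signal is the combination: many MX queries for subdomains of a domain the organization has no mail relationship with, against a domain old enough to look benign on its own, with answers that do not look like a legitimate mail exchanger.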