Threat Actor ProfileDouble Dragon

Origins

The origins of Double Dragon trace back to the Network Crack Program Hacker group (NCPH), a Chinese entity linked to various for-hire cyber operations between 2006 and 2012. The NCPH was founded by Tan Dailin, also known as Wicked Rose, after he was scouted by the PLA's Sichuan Military Command Communication Department while studying at university. Following intensive state-sponsored training, Dailin transitioned into the role of a hacker for hire and worked with at least three other individuals to conduct cyber operations on behalf of NCPH clients. The group was observed carrying out multiple zero-day attacks against US and Japanese entities by exploiting vulnerabilities in Microsoft Office products, as well as breaching the US Department of Defence (DoD) and Pentagon several times in 2006. During this time, NCPH members frequently detailed their activities on personal websites and in blog posts. This stopped in 2007, after which time the group moved further underground. By 2012, the NCPH's tactics, techniques and procedures (TTPs) had begun to overlap with other observed TTPs, prompting researchers to start tracking this new cluster as Double Dragon. Since then, Double Dragon has grown into one of the most prolific and versatile threat actors in operation today. 

Motivations

Double Dragon splits its time between state-sponsored espionage, likely on behalf of the PLA, and financially motivated cybercrime. This dual-purpose approach is uncommon among Chinese threat actors, who are typically tracked as operating in one space or the other. However, Double Dragon displays impressive versatility, its operations ranging from stealing video game currency to pulling off complex supply chain attacks involving high-profile targets. The group has been able to balance both objectives since about 2014. Because of its unusual structure, some experts have speculated that Double Dragon operates as a legitimate contracting company, possibly comprised of multiple teams with different goals. Clear links have been made between Double Dragon and the company Chengdu Si Lingsi (404) Network Technology, commonly referred to as Chengdu 404. Established in 2014, Chengdu 404 claimed to provide white hat hacking and technology services to international clients. It is believed that the company was used as a front for Double Dragon, facilitating access to intellectual property and sensitive information under the guise of legitimate activities.

Double Dragon’s observed operating hours also support the idea of the group as a contract organisation. Research by Mandiant indicates that Double Dragon typically conducts state-sponsored espionage during normal work hours (the 996-schedule typical of Chinese tech workers), while the group's financially motivated intrusions tend to occur much later at night. The observed pattern might suggest the existence of two separate teams, one tasked with espionage and one with turning a profit, or that Double Dragon approaches cybercrime in a more ad-hoc manner, viewing it as a side-business that can be done outside of work hours. Without any further information available, it is only possible to speculate on the group’s structure and true motivations.  

Targets

Double Dragon has been observed targeting businesses in a wide range of sectors across the world, as well as a selection of political and military organisations. It has launched cyberattacks against entities in more than 20 countries, including but not limited to: the United States, Japan, Taiwan, India, Thailand, China, Hong Kong, Mongolia, Indonesia, Vietnam, Bangladesh, Ireland, Brunei, Australia, Canada, France, and the United Kingdom. The group’s targeting tends to differ quite significantly depending on the purpose of the operation, be that state-sponsored espionage or profit-driven cybercrime. Unsurprisingly, clear links can be made between Double Dragon's state-sponsored campaigns and CCP policy decisions. Since 1953, the CCP has issued a series of Five-Year plans, which encompass a range of social and economic development initiatives. China‘s 13th and 14th Five Year plans (2016-2025) set targets for the domestic expansion of multiple sectors, including pharmaceuticals, biomedical devices, and high-tech. This coincided with Double Dragon attacks targeting the healthcare, medical research, and high-tech sectors. The group's activities also appear to be broadly aligned with the Made in China 2025 policy and the Belt and Road Initiative.  These policies aim to increase China's geopolitical influence by strengthening its economy, reinforcing its military, and reducing its reliance on Western imports. Double Dragon is one of several Chinese threat actors working covertly to support these objectives. The group has targeted a diverse array of sectors across the world and is most often leveraged for strategic intelligence gathering. The group is believed to use its global network of compromised systems as a "dragnet for information" that may be of interest to the CCP. Recent trends show an increase in the targeting of foreign states’ critical infrastructure, raising questions over Double Dragon's ability to impact national security.

Looking at Double Dragon's financially motivated hacking, the number of target industries shrinks considerably. Since its founding, the group has relentlessly targeted the video game sector, engaging in a range of activities that includes manipulating virtual currency, deploying ransomware, and infiltrating game production environments. Many of these activities, such as manipulating or stealing in-game currency, display a clear financial motive. However, the line between the group’s profit-driven and state-sponsored operations becomes blurry when considering the full spectrum of their activities against the video game sector. On multiple occasions, Double Dragon has been observed infiltrating game production environments, leveraging this access to inject malicious code into legitimate files for later distribution. These actions lack an immediate financial incentive and can instead been viewed as broadly malicious activities intended to support future campaigns. It appears that Double Dragon’s experience of accessing game production environments has actively supported the group’s state-sponsored work, allowing them to develop the TTPs that would be used in later supply chain compromises. Similarly, the line between Double Dragon’s state-sponsored and financially motivated operations blurs when looking at the tools they use. Notably, the group has been observed using non-public malware, which is associated with multiple China-nexus threat actors, in operations that seem to fall outside the scope of their state sponsored campaigns. This raises questions about the CCP’s tacit support for Double Dragon’s (seemingly) profit driven targeting of the video game sector. Why would the CCP tolerate activities with an explicit financial motive, which draw increased scrutiny to the group? Further, why would the CCP tolerate the use of malware that is typically reserved for espionage in operations that appear to be for personal gain? Hunt & Hackett believes this surprising duality highlights the group’s strategic importance to the Chinese state. Double Dragon is an extremely resourceful threat actor that can be characterised by high levels of innovation and a willingness to adapt its techniques until its objectives are met. Our observations suggest that Double Dragon may use the video game sector as an innovation sandbox, so to speak, where it can sharpen its tools for later use in state-sponsored campaigns. From the perspective of the CCP, the benefits of these operations likely outweigh the risks associated with their explicitly profit driven activities. As noted by Mandiant researchers, the unusual relationship between Double Dragon and the CCP underscores a "blurred line between state power and crime that lies at the heart of threat ecosystems."