Incident-as-a-Service
China's Silver Dragon Razes Governments in EU, SE Asia - Dark Reading
The 48-Hour Rule in action. This incident happened, we converted it into operational training, and your team can apply the controls immediately.
- Security Analyst / SOC Analyst: To learn specific detection rules for advanced persistent threats (APTs) and understand the full attack chain for better alert triage and investigation.
- IT Administrator / System Engineer: To implement the infrastructure hardening and access control lessons directly into system and network configuration, reducing the attack surface.
- CISO / Security Manager: To gain a strategic view of the threat landscape, develop effective incident response playbooks, and align security controls with compliance requirements for board-level reporting.
30-day guarantee. Instant access after payment. Lifetime updates for this incident package.
How This Course Is Structured
Clear progression from incident context to practical controls and role-specific action steps.
1. Incident Breakdown
Attack path, trigger conditions, and threat actor behavior translated from the real event timeline.
2. Defensive Controls
Actions your team can implement in the same 48-hour response window used by active security teams.
3. Evidence & Reporting
Completion records and learning outcomes packaged for governance, insurance, and audit workflows.
Course Outline
4 modules · 16 lessons · ~192 min total
Module 1: Threat Intelligence
Deep dive into the incident mechanics, attack vectors, and threat actor analysis. Learn to recognise indicators of compromise.
Module 2: Detection and Response
Practical detection strategies using SIEM, endpoint analysis, and incident response procedures. Build effective playbooks.
Module 3: Infrastructure Hardening
Implement defensive controls including authentication hardening, zero trust principles, and secure architecture patterns.
Module 4: Organisational Readiness
Build security culture, communicate with leadership, manage vendor risks, and ensure compliance integration.
Free Sample Lesson
Read one full lesson before purchasing. No signup required.
China's Silver Dragon Razes Governments in EU, SE Asia - Dark Reading
Lesson 1 of 16 · Lesson 1.1: China's Silver Dragon Razes Governments in EU, SE Asia - Dark Reading
Compliance Framework Mapping
| Framework | Control | Requirement |
|---|---|---|
| DORA | Article 5-17 | ICT risk management framework and governance |
| ISO 27001 | A.5.1 | Management direction for information security |
| NIST CSF | ID.RA-1 | Asset vulnerabilities are identified and documented |
| NIS2 | Article 21 | Security risk management measures for networks and systems |
| SOC 2 | CC6.1 | The entity implements logical access security software, infrastructure, and architectures over protected information assets to protect them from security events to meet the entity's objectives |
| GDPR | Article 32 | Security of processing |
Introduction
Welcome to Lesson 1.1: China's Silver Dragon Razes Governments in EU, SE Asia - Dark Reading! Over the next 45 minutes, we will explore a sophisticated, state-aligned cyber espionage campaign targeting government bodies across Europe and Southeast Asia.
But first, let me tell you about Marcus Webb.
It's 3:17 PM on a Tuesday in late October. Marcus Webb, a senior network administrator at a government ministry in Brussels, is reviewing firewall logs. The office is quiet, the only sound the hum of servers from the adjacent data centre. He sips cold coffee, his screen a mosaic of green status lights and scrolling text.
A routine alert for an unusual outbound connection to an IP in Hong Kong catches his eye. It's tagged as low priority by the system: just a single HTTP request from a developer's workstation. He makes a note to check it later, assuming it's a misconfigured update check or a developer accessing a personal cloud drive.
He doesn't know that the request contained a beacon. He doesn't know the workstation was compromised two weeks prior via a spear-phishing email that looked like an internal memo. He dismisses the alert. That single decision, to treat an anomaly as routine, gives the attackers another 48 hours of unfettered access to sensitive diplomatic correspondence.
This is the story of a Data Breach. By the end of this lesson, you'll understand exactly why Marcus never stood a chance, and more importantly, what could have saved him.
Content Section 1: What is the Silver Dragon Campaign?
Think of a burglar who doesn't smash a window. They find a spare key under a flowerpot, let themselves in quietly, and spend weeks mapping the house, learning routines, and copying documents before anyone realises they were there. The Silver Dragon campaign operates on that principle of stealth and persistence.
Key Characteristics
The campaign, attributed to a China-nexus threat actor, focuses on government entities in the European Union and Southeast Asia. Its primary goal is espionage: the theft of sensitive political, economic, and strategic information.
Operations are patient. Initial access is often gained through highly targeted spear-phishing, exploiting public-facing applications, or compromising third-party software suppliers. Once inside, the attackers move slowly to avoid detection.
The impact is not immediate financial loss but long-term strategic erosion. Stolen data can influence negotiations, reveal intelligence-gathering methods, and compromise national security positions.
The Strategic Objective
Unlike financially motivated groups, Silver Dragon's activities align with state intelligence priorities. The targeting of specific government departments suggests a clear intent to gather information on foreign policy, defence partnerships, and trade negotiations.
Research suggests the group uses compromised networks not just for the data stored there, but as a jumping-off point to reach more sensitive, air-gapped systems within the same government ecosystem.
Think about that last point for a moment. This isn't a smash-and-grab; it's a slow, deliberate extraction of an organisation's most valuable secrets.
DORA Article 5-17 DORA's ICT risk management framework requires financial entities to identify, classify, and document all information assets and their dependencies. Understanding a threat like Silver Dragon, which targets specific data for espionage, is fundamental to this classification.
ISO A.5.1 ISO 27001 A.5.1 mandates that management provides direction and support for information security. Recognising advanced persistent threats (APTs) as a key risk informs the policies and objectives set by leadership.
Content Section 2: Technical Architecture of the Breach
Understanding the attack flow reveals why it's so effective. Let me show you exactly how Marcus's network was compromised.
Attack Flow
Step 1: Initial Access. A government staffer in a procurement office receives a spear-phishing email. It's impeccably crafted, referencing a real upcoming tender and appearing to come from a known colleague. The link leads to a cloned login portal that harvests credentials.
Step 2: Establishment. Using the stolen credentials, attackers access the staffer's Office 365 account. They use legitimate features like OneDrive and SharePoint to host their first-stage malware, making the traffic look normal.
Step 3: Lateral Movement. From the compromised workstation, they use tools like PowerShell and WMI to explore the network, identify high-value targets like file servers containing policy documents, and steal additional credentials from memory.
Step 4: Exfiltration. Small amounts of data are encrypted and sent out over common protocols (HTTPS, DNS) to cloud storage platforms, blending with regular user traffic. This happens intermittently over weeks or months.
Key Technical Components
The malware used is often 'living-off-the-land,' employing built-in system tools like PowerShell, Windows Management Instrumentation (WMI), and scheduled tasks. This leaves few malicious files on disk for antivirus to find.
Command and control (C2) communication is hidden using common web services and encrypted channels, making it hard to distinguish from legitimate cloud application traffic.
Why Traditional Defences Fail
Standard security tools are often configured to look for obvious threats. Here's how Silver Dragon bypasses them:
| Method | How It's Bypassed | Time to Compromise |
|---|---|---|
| Signature-based AV | Uses legitimate OS tools, not malicious executables | Bypassed on day 1 |
| Basic Email Filtering | Spear-phishing emails are highly personalised, low-volume | Bypassed on day 1 |
| Network Firewalls (Port/Protocol) | Uses allowed HTTPS/SSL traffic to blend in | Bypassed throughout |
| Manual Alert Review | Low-fidelity alerts are dismissed as noise (like Marcus's) | Bypassed for weeks |
Notice what all of these bypasses have in common. The attackers exploit the gap between what a rule is designed to catch and what normal, legitimate behaviour looks like. The attack hides in plain sight.
Now pay attention, because this is the moment that matters. The beacon to Hong Kong that Marcus saw was Step 4, exfiltration. By the time it triggered a low-priority alert, the attackers had already been inside for weeks, completing Steps 1 through 3.
NIST ID.RA-1 NIST CSF ID.RA-1 requires identifying internal and external vulnerabilities. This attack flow demonstrates specific vulnerabilities: over-reliance on perimeter defences, lack of behavioural monitoring, and insufficient user training against spear-phishing.
NIS2 Article 21 NIS2 Article 21 mandates risk management measures. Understanding this technical architecture is necessary to implement measures like network segmentation, application whitelisting, and advanced threat hunting, which go beyond basic defences.
Content Section 3: Detection Mechanisms
Marcus's computer knew something was wrong. It just couldn't tell him. The system generated an alert, but it was weak and isolated. Effective detection for a campaign like Silver Dragon requires correlating weak signals across the environment.
Network-Level Indicators
Look for connections to newly registered or bulletproof hosting domains, especially in geographic regions not relevant to your business. A single connection might be noise, but a pattern is a signal.
Monitor for data exfiltration patterns: small, consistent outbound data transfers at odd hours (like 3 AM local time), or data flows encrypted with non-standard certificates.
Use network traffic analysis (NTA) tools to establish a baseline of normal traffic. Deviations, like a workstation suddenly communicating with a server it never has before, can indicate lateral movement.
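The three network-level signals above (a first-seen destination, a regular low-volume beacon, and off-hours timing) are each weak on their own but strong in combination. The following Python is an added example, not code from the lesson or its materials: it runs the three checks over constructed flow records and raises an alert only when at least two of them agree. Every host, address, timestamp and threshold is a constructed assumption that a real deployment would replace with its own baseline and tuning.

```python
"""Correlating weak network signals over flow records.

Added example, not part of the lesson. All hosts, addresses, timestamps and the
baseline below are constructed; the thresholds are assumptions a team would tune.
"""
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev


def _at(hhmmss):
    # Constructed timestamps on one fixed day so the sample runs offline.
    return datetime.fromisoformat("2024-10-22T" + hhmmss)


# Constructed flow records: (timestamp, source host, destination IP, bytes sent).
FLOWS = [
    # ws-dev-07: hourly, near-identical small uploads to a never-before-seen address
    (_at("03:00:02"), "ws-dev-07", "198.51.100.23", 1184),
    (_at("04:00:05"), "ws-dev-07", "198.51.100.23", 1190),
    (_at("05:00:01"), "ws-dev-07", "198.51.100.23", 1186),
    (_at("06:00:04"), "ws-dev-07", "198.51.100.23", 1192),
    (_at("09:15:00"), "ws-dev-07", "10.0.0.5", 48210),
    # ws-hr-02: irregular, variably sized office-hours traffic to a known SaaS endpoint
    (_at("08:41:10"), "ws-hr-02", "203.0.113.10", 5210),
    (_at("09:02:33"), "ws-hr-02", "203.0.113.10", 77310),
    (_at("11:47:59"), "ws-hr-02", "203.0.113.10", 1301),
    (_at("14:20:12"), "ws-hr-02", "203.0.113.10", 250004),
]

# Constructed baseline: destinations each host contacted during the learning window.
BASELINE = {
    "ws-dev-07": {"10.0.0.5", "203.0.113.10"},
    "ws-hr-02": {"10.0.0.5", "203.0.113.10"},
}


def pair_groups(flows):
    """Group flows by (host, destination), keeping each series in time order."""
    groups = defaultdict(list)
    for ts, host, dst, nbytes in sorted(flows):
        groups[(host, dst)].append((ts, nbytes))
    return groups


def first_seen_destinations(flows, baseline):
    """Destinations a host never contacted during the baseline window."""
    new = defaultdict(set)
    for _, host, dst, _ in flows:
        if dst not in baseline.get(host, set()):
            new[host].add(dst)
    return dict(new)


def is_beaconing(events, min_connections=4, max_jitter_ratio=0.1, max_size_spread=0.2):
    """True when a series has near-constant spacing and near-constant payload size."""
    if len(events) < min_connections:
        return False
    times = [ts for ts, _ in events]
    sizes = [n for _, n in events]
    gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
    if mean(gaps) <= 0:
        return False
    regular = pstdev(gaps) / mean(gaps) <= max_jitter_ratio
    uniform = (max(sizes) - min(sizes)) / mean(sizes) <= max_size_spread
    return regular and uniform


def off_hours_ratio(events, start_hour=7, end_hour=20):
    """Fraction of a series that falls outside assumed working hours."""
    off = sum(1 for ts, _ in events if not start_hour <= ts.hour < end_hour)
    return off / len(events)


def assess(flows, baseline):
    """Alert on a (host, destination) pair only when two or more weak signals agree."""
    alerts = []
    new_dsts = first_seen_destinations(flows, baseline)
    for (host, dst), events in pair_groups(flows).items():
        reasons = []
        if dst in new_dsts.get(host, set()):
            reasons.append("first-seen destination")
        if is_beaconing(events):
            reasons.append("regular beacon interval and uniform size")
        if off_hours_ratio(events) >= 0.75:
            reasons.append("mostly off-hours")
        if len(reasons) >= 2:
            alerts.append((host, dst, tuple(reasons)))
    return alerts


if __name__ == "__main__":
    for host, dst, reasons in assess(FLOWS, BASELINE):
        print(f"{host} -> {dst}: {'; '.join(reasons)}")
```

Run against the constructed data, only the `ws-dev-07` series to `198.51.100.23` is reported; the HR workstation's bursty, variably sized traffic to a known SaaS address is ignored even though some individual flows are larger. Requiring agreement between signals is what keeps a single odd connection, like the one Marcus dismissed, from being either ignored or buried in noise.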
Endpoint-Level Indicators
Monitor for unusual process chains: for example, Microsoft Word spawning PowerShell, which then makes a network connection. This is a classic living-off-the-land technique.
Look for suspicious scheduled tasks or new services created via command line, often used by attackers to maintain persistence on a compromised host.
Enable detailed command-line auditing and process creation logging. The specific arguments used in a PowerShell command can be a clear indicator of malicious intent.
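The three endpoint indicators above (an Office application spawning a shell that then talks to the network, persistence created from the command line, and tell-tale PowerShell arguments) can be expressed as rules over process-creation and network-connection telemetry. The Python below is an added example rather than code from the lesson: it reconstructs each process's ancestry from constructed records shaped like Sysmon event IDs 1 and 3, then applies those rules. All process IDs, paths, users and command lines are constructed, and the pattern lists are assumed starting points, not a complete rule set.

```python
"""Process-chain and command-line detection over constructed endpoint telemetry.

Added example, not part of the lesson. Records mimic the shape of process-creation
(id 1) and network-connection (id 3) events, but every value is constructed.
"""
import ntpath
import re

OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
SHELLS = {"powershell.exe", "pwsh.exe", "cmd.exe", "wscript.exe", "cscript.exe", "mshta.exe"}

# PowerShell launch arguments that deserve a closer look (assumed, simplified patterns).
SUSPICIOUS_PS = {
    "encoded command": re.compile(r"-e(?:nc|ncodedcommand)?\s", re.I),
    "hidden window": re.compile(r"-w(?:indowstyle)?\s+hidden", re.I),
    "execution policy bypass": re.compile(r"-ex(?:ecutionpolicy)?\s+bypass", re.I),
    "remote download": re.compile(r"downloadstring|downloadfile|invoke-webrequest", re.I),
}
# Persistence set up from the command line: scheduled tasks, services, Run keys.
PERSISTENCE = {
    "scheduled task creation": re.compile(r"schtasks(?:\.exe)?\s+/create", re.I),
    "service creation": re.compile(r"\bsc(?:\.exe)?\s+create\b", re.I),
    "run key modification": re.compile(r"reg(?:\.exe)?\s+add\s+.*\\run\b", re.I),
}

PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"

# Constructed telemetry for one workstation.
EVENTS = [
    {"id": 1, "pid": 4100, "ppid": 900, "user": "j.doe",
     "image": r"C:\Windows\explorer.exe", "cmd": "explorer.exe"},
    {"id": 1, "pid": 4200, "ppid": 4100, "user": "j.doe",
     "image": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "cmd": '"WINWORD.EXE" tender_briefing.docm'},
    {"id": 1, "pid": 4300, "ppid": 4200, "user": "j.doe", "image": PS,
     "cmd": "powershell.exe -NoP -W Hidden -EncodedCommand <constructed-blob>"},
    {"id": 3, "pid": 4300, "image": PS, "dst_ip": "198.51.100.23", "dst_port": 443},
    {"id": 1, "pid": 4400, "ppid": 4300, "user": "j.doe",
     "image": r"C:\Windows\System32\schtasks.exe",
     "cmd": r'schtasks.exe /create /tn "SyncHelper" /tr "powershell.exe -W Hidden -File C:\Users\Public\sync.ps1" /sc hourly'},
    # Benign: an administrator opens a console and runs an interactive command.
    {"id": 1, "pid": 5000, "ppid": 4100, "user": "admin.k",
     "image": r"C:\Windows\System32\cmd.exe", "cmd": "cmd.exe"},
    {"id": 1, "pid": 5100, "ppid": 5000, "user": "admin.k", "image": PS,
     "cmd": "powershell.exe Get-Service -Name Spooler"},
    {"id": 3, "pid": 5100, "image": PS, "dst_ip": "10.0.0.5", "dst_port": 445},
]


def index_processes(events):
    """Map pid -> process-creation record (event id 1)."""
    return {e["pid"]: e for e in events if e["id"] == 1}


def ancestry(pid, procs):
    """Lower-cased image names from the process up to its oldest recorded ancestor."""
    chain, seen = [], set()
    while pid in procs and pid not in seen:
        seen.add(pid)
        chain.append(ntpath.basename(procs[pid]["image"]).lower())
        pid = procs[pid]["ppid"]
    return chain


def matches(rules, cmdline):
    """Names of the rules whose pattern appears in the command line."""
    return [name for name, rx in rules.items() if rx.search(cmdline)]


def detect(events):
    """Return one finding per process that meets any rule; benign processes yield none."""
    procs = index_processes(events)
    network_pids = {e["pid"] for e in events if e["id"] == 3}
    findings = []
    for pid, proc in procs.items():
        chain = ancestry(pid, procs)
        name = chain[0]
        reasons = []
        # Office document handler spawning a shell, optionally talking to the network.
        if name in SHELLS and any(a in OFFICE_APPS for a in chain[1:]):
            reasons.append("office application spawned " + name)
            if pid in network_pids:
                reasons.append("shell made an outbound network connection")
        if name in {"powershell.exe", "pwsh.exe"}:
            reasons += matches(SUSPICIOUS_PS, proc["cmd"])
        reasons += matches(PERSISTENCE, proc["cmd"])
        if reasons:
            findings.append({"pid": pid, "user": proc["user"],
                             "chain": " <- ".join(chain), "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in detect(EVENTS):
        print(f"pid {f['pid']} ({f['user']}): {f['chain']}\n  " + "; ".join(f["reasons"]))
```

The administrator's console-launched PowerShell makes a network connection too, but it is not reported: its ancestry contains no Office application and its arguments match no pattern. That is the point of the parent-chain check, and it is only possible when process creation logging with full command lines is enabled, as the paragraph above recommends.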
Identity Provider Signals
In cloud environments like Azure AD, monitor for impossible travel scenarios: a user logging in from London and then Hong Kong within an hour.
Look for a surge in failed logins followed by a success from an unusual location, or the use of an unfamiliar device to access highly sensitive resources.
Pay attention to consent grants for new third-party applications in OAuth, which attackers can use to maintain access even if passwords are reset.
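The three identity signals above (impossible travel, a burst of failures followed by a success from an unfamiliar device, and consent granted to an unexpected OAuth application) each reduce to a small check over sign-in and audit records. The Python below is an added example, not code from the lesson and not any identity provider's API: it implements the checks over constructed records. Users, cities, coordinates, timestamps, app names and the 900 km/h speed threshold are all constructed assumptions.

```python
"""Identity-provider signals over constructed sign-in and audit records.

Added example, not part of the lesson or of any identity provider's API.
Users, cities, coordinates, timestamps and app names are constructed.
"""
from collections import defaultdict, namedtuple
from datetime import datetime, timedelta
from math import asin, cos, radians, sin, sqrt

SignIn = namedtuple("SignIn", "ts user result city lat lon known_device")

SIGNINS = [
    # a.smith: two successful logins 48 minutes apart from cities ~9,600 km apart
    SignIn("2024-10-22T08:02:00", "a.smith", "success", "London", 51.5074, -0.1278, True),
    SignIn("2024-10-22T08:50:00", "a.smith", "success", "Hong Kong", 22.3193, 114.1694, False),
    # b.jones: five failures in four minutes, then a success from an unfamiliar device
    SignIn("2024-10-22T02:10:00", "b.jones", "failure", "Singapore", 1.3521, 103.8198, False),
    SignIn("2024-10-22T02:11:00", "b.jones", "failure", "Singapore", 1.3521, 103.8198, False),
    SignIn("2024-10-22T02:12:00", "b.jones", "failure", "Singapore", 1.3521, 103.8198, False),
    SignIn("2024-10-22T02:13:00", "b.jones", "failure", "Singapore", 1.3521, 103.8198, False),
    SignIn("2024-10-22T02:14:00", "b.jones", "failure", "Singapore", 1.3521, 103.8198, False),
    SignIn("2024-10-22T02:16:00", "b.jones", "success", "Singapore", 1.3521, 103.8198, False),
    # c.lee: ordinary travel, London then Manchester three and a half hours later
    SignIn("2024-10-22T09:00:00", "c.lee", "success", "London", 51.5074, -0.1278, True),
    SignIn("2024-10-22T12:30:00", "c.lee", "success", "Manchester", 53.4808, -2.2426, True),
]

# Constructed OAuth consent audit entries and the organisation's approved-app list.
CONSENTS = [
    {"user": "a.smith", "app": "Mailbox Sync Helper", "scopes": ["Mail.Read", "offline_access"]},
    {"user": "c.lee", "app": "Expense Tracker", "scopes": ["User.Read"]},
]
APPROVED_APPS = {"Expense Tracker"}


def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance in kilometres between two coordinates."""
    p1, p2 = radians(lat1), radians(lat2)
    dphi, dlam = radians(lat2 - lat1), radians(lon2 - lon1)
    a = sin(dphi / 2) ** 2 + cos(p1) * cos(p2) * sin(dlam / 2) ** 2
    return 2 * 6371.0 * asin(sqrt(a))


def _t(s):
    return datetime.fromisoformat(s)


def _by_user(signins):
    groups = defaultdict(list)
    for s in sorted(signins, key=lambda s: s.ts):
        groups[s.user].append(s)
    return groups


def impossible_travel(signins, max_speed_kmh=900):
    """Consecutive successful logins whose implied speed exceeds an airliner's."""
    hits = []
    for user, rows in _by_user(signins).items():
        ok = [r for r in rows if r.result == "success"]
        for a, b in zip(ok, ok[1:]):
            # Treat anything under a minute as one minute to avoid division by zero.
            hours = max((_t(b.ts) - _t(a.ts)).total_seconds() / 3600, 1 / 60)
            km = haversine_km(a.lat, a.lon, b.lat, b.lon)
            if km / hours > max_speed_kmh:
                hits.append((user, a.city, b.city, round(km / hours)))
    return hits


def failure_burst_then_success(signins, window_minutes=10, min_failures=5):
    """A success preceded by a burst of failures inside a short window."""
    hits = []
    for user, rows in _by_user(signins).items():
        for i, row in enumerate(rows):
            if row.result != "success":
                continue
            start = _t(row.ts) - timedelta(minutes=window_minutes)
            failures = sum(1 for r in rows[:i] if r.result == "failure" and _t(r.ts) >= start)
            if failures >= min_failures:
                hits.append((user, row.city, failures, row.known_device))
    return hits


def unapproved_consents(consents, approved):
    """Consent grants to apps outside the allow-list; these outlive a password reset."""
    return [(c["user"], c["app"], c["scopes"]) for c in consents if c["app"] not in approved]


if __name__ == "__main__":
    print("impossible travel:", impossible_travel(SIGNINS))
    print("failure burst then success:", failure_burst_then_success(SIGNINS))
    print("unapproved consents:", unapproved_consents(CONSENTS, APPROVED_APPS))
```

Against the constructed data, `a.smith` is reported for London to Hong Kong at well over 10,000 km/h, `b.jones` for five failures followed by a success from an unknown device, and `a.smith` again for consenting to an app outside the allow-list with mailbox and refresh-token scopes. `c.lee`'s London to Manchester trip at roughly 75 km/h is left alone, which is why the speed threshold, rather than distance alone, is the right discriminator.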
SOC2 CC6.1 SOC 2 CC6.1 requires logical access controls to protect assets. These detection mechanisms for anomalous logins, unusual process behaviour, and unexpected data flows provide the monitoring necessary to demonstrate those controls are operating effectively.
GDPR Article 32 GDPR Article 32 requires a level of security appropriate to the risk, including the 'ability to ensure the ongoing confidentiality, integrity, availability and resilience of processing systems.' Implementing these detection mechanisms is part of fulfilling that 'ability' to protect personal data from sophisticated breaches.
Activity: Security Posture Assessment: Mapping Your Exposure
This activity will help you assess your organisation's potential exposure to a campaign like Silver Dragon by examining key defensive layers.
Important Security Note: Do NOT document or share specific findings about vulnerabilities, gaps, or configurations from your production environment. This is a conceptual exercise. Any real concerns must be discussed directly with your security team in a secure manner.
Instructions
Step 1: Review your organisation's approach to email security. Do you use advanced filtering that analyses email content, sender reputation, and link behaviour beyond basic spam lists? How often is user phishing awareness training conducted?
Step 2: Examine endpoint detection. Are you relying solely on traditional antivirus, or do you have Endpoint Detection and Response (EDR) tools that monitor for behavioural anomalies, like unusual PowerShell activity?
Step 3: Consider network monitoring. Is there a capability to baseline normal network traffic and alert on deviations, such as data flows to new or suspicious external IP addresses?
Step 4: Look at identity monitoring. For your cloud identity provider (e.g., Azure AD, Okta), are you reviewing sign-in logs for impossible travel or risky sign-ins? Are administrative accounts protected with strong multi-factor authentication (MFA)?
Submission
For the course discussion forum, share general learnings only:
- Which of the four defensive layers (Email, Endpoint, Network, Identity) do you think is currently the strongest in your organisation, and why?
- Which layer presented the most questions or uncertainties during your assessment?
- Did referencing a specific framework (like NIST CSF) help structure your thinking? If so, how?
Do NOT share: Specific security tool names, your organisation's vulnerability status, details of security incidents, internal IP addresses, or any configuration settings.
Review and comment on at least two other students' submissions, focusing on the rationale behind their assessments of defensive layers.
Content Section 4: Compliance Documentation
Compliance documentation is often seen as a checkbox exercise. But in the wake of a breach, it's your evidence of due diligence. It's the difference between showing you were negligent and showing you were defeated by a sophisticated adversary despite reasonable defences.
Evidence Generation
This lesson provides documentation for multiple compliance frameworks:
DORA Article 5-17: For DORA auditors, you can now demonstrate that your ICT risk management framework considers advanced persistent threat (APT) actors as a material risk, and that staff training includes specific reference to state-aligned espionage campaigns.
ISO A.5.1: For ISO 27001 assessors, you can evidence that management has been informed of the threat landscape, including campaigns like Silver Dragon, and that this has influenced the organisation's information security policy and objectives.
NIST ID.RA-1: For NIST CSF reviewers, you can show a documented understanding of the vulnerabilities exploited by living-off-the-land techniques and credential phishing, which feeds into your organisation's risk assessment process.
Audit Trail
Document your completion of this lesson:
- Lesson title and date completed
- Time invested: approximately 45 minutes
- Key learnings in your own words
- Activity submission reference
- Follow-up actions identified
Conclusion
Let me tell you how Marcus's story ended.
The breach was discovered three days later by an external threat intelligence firm monitoring C2 servers. By then, several gigabytes of sensitive data had been exfiltrated. Marcus faced a disciplinary hearing. While he kept his job, his promotion was put on hold, and the incident followed him for years, a mark on his record.
His organisation eventually invested in an EDR platform, implemented stricter application whitelisting, and mandated phishing simulation tests for all staff. They also started a 24/7 Security Operations Centre (SOC) to correlate the weak signals that Marcus had seen in isolation.
But it doesn't have to be your story. That's why we're here.
You should now understand the patient, espionage-driven nature of the Silver Dragon campaign. You understand how it bypasses traditional defences by hiding in legitimate traffic and tools. You know the key detection indicators to look for across network, endpoint, and identity systems. And you understand how mapping your defences against this threat directly supports major compliance requirements.
Next, we'll explore Lesson 1.2: The Attacker's Playbook: Reverse Engineering a Phishing Kit. We'll break down exactly how attackers craft the emails that start breaches like this one.
See you there.
Key Takeaways
1. Espionage, Not Extortion: The Silver Dragon campaign is a state-aligned espionage operation focused on long-term, stealthy data theft from government targets, not immediate financial gain.
2. Stealth Through Legitimacy: The attack's effectiveness comes from using built-in system tools and common web protocols to blend malicious activity with normal network behaviour, evading signature-based detection.
3. Detection Requires Correlation: No single alert may be conclusive; effective defence requires correlating weak signals across email, endpoint, network, and identity systems to spot the attack chain.
4. Compliance is a Byproduct of Good Defence: Implementing controls to detect and resist such advanced threats provides direct evidence for frameworks like DORA, NIST CSF, and ISO 27001, turning compliance into a security outcome.
Resources
The course materials folder contains downloadable resources for this lesson:
- Lesson 1.1 Quick Reference Card - Summarise the key detection indicators for China's Silver Dragon campaign, including unusual PowerShell chains, beaconing to suspicious regions, and impossible travel logins, and immediate isolation steps on a single page.
- Compliance Mapping Worksheet - Map your organisation's controls against spear-phishing and advanced persistent threats to the specific DORA, NIST CSF, and ISO 27001 requirements discussed in this lesson.
- Risk Assessment Template - Assess your organisation's specific exposure to state-aligned espionage based on the government sector targeting and living-off-the-land techniques covered in this lesson.
- Further reading - Links to official advisories from NCSC and ENISA on APT threats, and framework documentation for NIST CSF and ISO 27001 controls related to threat intelligence and detection.
China's Silver Dragon Razes Governments in EU, SE Asia - Dark Reading Defence Masterclass | Threat Intelligence | Lesson 1.1
© LimitedView Limited | 2026
This is 1 of 16 lessons included in the full package.
Choose Your Access
All plans include 30-day money-back guarantee
Taster
Single course access, ideal for trying us out
- Full course access
- Completion certificate
- Try before you commit
Standard
Full course with materials and certificate
- Full course access
- Downloadable materials
- Professional certificate
- Email support
Teams
Transparent pricing, no sales call required
Starter Team
£99.80/seat effective
Up to 5 learners, all courses included
Growth Team
£66.60/seat effective
Up to 15 learners, all courses included
Scale Team
£39.98/seat effective
Up to 50 learners, all courses included
Need 50+ seats? Contact us for a custom plan.
Fast Checkout
Start Learning in Minutes
Enter your details, choose a tier, and complete secure checkout. Access starts immediately after payment confirmation.
- Stripe-secured payment and delivery workflow
- Audit-friendly completion records
- Escalate to enterprise volume licensing at any point
48-Hour Relevance Guarantee
If this course does not provide at least five actionable controls your team can deploy quickly, request a full refund within 30 days.