30 April 2024

Sophisticated Chinese threat actor manipulates China’s Great Firewall


A sophisticated China-linked threat actor has been orchestrating operations within China's internet infrastructure since at least 2019, according to new findings from cloud security firm Infoblox.

Dubbed “Muddling Meerkat,” the threat actor has been running a previously undisclosed multi-year operation that utilizes Domain Name System (DNS) queries, open DNS resolvers, and China's Great Firewall (GFW) to exert control over internet traffic.

The Great Firewall of China restricts access to websites and services deemed inappropriate or illegal by the Chinese government. But it is also known to inject false answers to DNS queries.

“Muddling Meerkat conducts active operations through DNS by creating large volumes of widely distributed queries that are subsequently propagated through the internet using open DNS resolvers. Their operations intertwine with two topics tightly connected with China and Chinese actors: the Chinese Great Firewall (GFW) and Slow Drip, or random prefix, distributed denial-of-service (DDoS) attacks,” the researchers wrote.

Muddling Meerkat uses a set of techniques in their operations. Those include:

  • Utilizing servers within Chinese IP space to launch campaigns, issuing DNS queries for random subdomains to a diverse range of IP addresses, including open resolvers.

  • Provoking responses from the GFW that deviate from normal behavior, suggesting a deep understanding of the firewall's mechanisms.

  • Employing deceptive tactics such as false MX records from random Chinese IP addresses, a strategy previously unreported for the GFW or similar systems.

  • Triggering DNS queries for short random hostnames across .com and .org domains, leveraging devices distributed globally.

  • Leveraging "super-aged" domains registered before 2000 to evade DNS blocklists and camouflage their activities among old malware.

  • Conducting campaigns lasting one to three days in a manner akin to ExploderBot, while evading detection by limiting campaign size and employing discrete components.
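The two behaviours the list above describes, random-prefix query bursts and answers that do not come from the expected server, both leave traces in ordinary resolver logs. The following is an added example written for this page, not code from Infoblox or from the report; it runs two simple heuristics over a constructed DNS log. The log records, the example.* domains, the RFC 5737 documentation addresses and the EXPECTED_RESPONDERS allow-list are all hypothetical, and the thresholds are starting points to be tuned against real traffic.

```python
import math
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class DnsRecord:
    qname: str         # name that was queried
    qtype: str         # query type, e.g. "A" or "MX"
    rcode: str         # response code, "NOERROR" or "NXDOMAIN"
    responder_ip: str  # source address of the response packet


# Constructed sample log (hypothetical, not real traffic). Addresses come from the
# RFC 5737 documentation ranges; the domains are the reserved example.* names.
SAMPLE_LOG = [
    # Ordinary lookups, answered from the expected address.
    DnsRecord("www.example.com", "A", "NOERROR", "198.51.100.10"),
    DnsRecord("mail.example.com", "MX", "NOERROR", "198.51.100.10"),
    DnsRecord("www.example.com", "A", "NOERROR", "198.51.100.10"),
    # Burst of short random prefixes under example.org, mostly non-existent.
    DnsRecord("q7xk.example.org", "A", "NXDOMAIN", "198.51.100.10"),
    DnsRecord("b3tn.example.org", "A", "NXDOMAIN", "198.51.100.10"),
    DnsRecord("zz4p.example.org", "A", "NXDOMAIN", "198.51.100.10"),
    DnsRecord("m0qv.example.org", "A", "NXDOMAIN", "198.51.100.10"),
    DnsRecord("h8rc.example.org", "A", "NXDOMAIN", "198.51.100.10"),
    DnsRecord("y2lf.example.org", "A", "NXDOMAIN", "198.51.100.10"),
    # MX answers for random names, arriving from addresses that should not answer.
    DnsRecord("a1zp.example.org", "MX", "NOERROR", "203.0.113.77"),
    DnsRecord("k9wd.example.org", "MX", "NOERROR", "203.0.113.201"),
]

# Hypothetical allow-list: which addresses are expected to answer for each apex.
EXPECTED_RESPONDERS = {
    "example.com": {"198.51.100.10"},
    "example.org": {"198.51.100.10"},
}


def apex(qname: str) -> str:
    """Reduce a name to its apex with a naive two-label rule (enough for example.*)."""
    return ".".join(qname.rstrip(".").split(".")[-2:])


def leftmost_label(qname: str) -> str:
    return qname.rstrip(".").split(".")[0]


def label_entropy(label: str) -> float:
    """Shannon entropy, in bits per character, of one DNS label."""
    if not label:
        return 0.0
    counts = defaultdict(int)
    for ch in label:
        counts[ch] += 1
    n = len(label)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def find_random_prefix_bursts(records, min_distinct=5, min_entropy=1.5, min_nx_ratio=0.6):
    """Flag apexes that receive many distinct, high-entropy leftmost labels with
    mostly NXDOMAIN answers: the shape of random-prefix (Slow Drip) traffic.
    Returns {apex: stats} for every apex that crosses all three thresholds."""
    by_apex = defaultdict(list)
    for r in records:
        if r.qname.rstrip(".") != apex(r.qname):  # ignore queries for the apex itself
            by_apex[apex(r.qname)].append(r)
    hits = {}
    for a, recs in by_apex.items():
        prefixes = {leftmost_label(r.qname) for r in recs}
        nx_ratio = sum(r.rcode == "NXDOMAIN" for r in recs) / len(recs)
        mean_entropy = sum(label_entropy(p) for p in prefixes) / len(prefixes)
        if len(prefixes) >= min_distinct and mean_entropy >= min_entropy and nx_ratio >= min_nx_ratio:
            hits[a] = {
                "distinct_prefixes": len(prefixes),
                "nxdomain_ratio": round(nx_ratio, 2),
                "mean_entropy": round(mean_entropy, 2),
            }
    return hits


def find_unexpected_responders(records, expected):
    """Return records whose answer came from an address not on the allow-list for
    the queried apex; such answers are candidates for injection on the path."""
    return [
        r for r in records
        if apex(r.qname) in expected and r.responder_ip not in expected[apex(r.qname)]
    ]


if __name__ == "__main__":
    for a, stats in find_random_prefix_bursts(SAMPLE_LOG).items():
        print(f"random-prefix burst against {a}: {stats}")
    for r in find_unexpected_responders(SAMPLE_LOG, EXPECTED_RESPONDERS):
        print(f"unexpected responder {r.responder_ip} for {r.qtype} {r.qname}")
```

On the constructed log, example.org is flagged for the burst (eight distinct prefixes, 75% NXDOMAIN) and the two MX answers from 203.0.113.0/24 are reported as unexpected responders, while example.com, with only two well-known hostnames, stays quiet. Because the queries in the article are fanned out across many open resolvers, no single vantage point sees the whole burst, so the distinct-prefix threshold has to be set per resolver and a real deployment would aggregate across them.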

Despite the apparent similarities to Slow Drip distributed denial-of-service (DDoS) attacks, the motivations behind Muddling Meerkat's operations remain unclear.

“Muddling Meerkat is a Chinese nation-state actor performing deliberate and highly skilled DNS operations against global networks on an almost daily basis – and the full scope of their operation cannot be seen in any one location,” the researchers said.

