In its latest report, Sophos has uncovered a complex web of cyber espionage campaigns targeting a high-level government entity in Southeast Asia (SEA). 

The investigation, detailed in “Operation Crimson Palace: Threat Hunting Unveils Multiple Clusters of Chinese State-Sponsored Activity Targeting Southeast Asia,” highlights the sophisticated and persistent nature of the attacks, believed to be orchestrated by Chinese nation-state groups.

The nearly two-year-long campaign, dubbed “Crimson Palace” by Sophos, involved three distinct clusters of activity, each utilizing a mix of custom and publicly available malware. The attackers focused on gathering sensitive political, economic, and military intelligence, aligning with Chinese strategic interests in the South China Sea.

“As Western governments elevate awareness about cyberthreats from China, the overlap Sophos has uncovered is an important reminder that focusing too much on any single Chinese attribution may put organizations at risk of missing trends about how these groups coordinate their operations,” said Paul Jaramillo, director, threat hunting and threat intelligence, Sophos. “By having the bigger, broader picture, organizations can be smarter about their defenses.”

Alpha, Bravo, and Charlie

Sophos X-Ops’ threat hunting team first detected unusual activity on the targeted network in December 2022, attributed to the Chinese group Mustang Panda. This led to the identification of three distinct clusters — Alpha, Bravo, and Charlie — each deploying unique tactics, techniques, and procedures (TTPs).

Cluster Alpha, active from March to August 2023, employed a variety of malware, including an enhanced version of the EAGERBEE malware linked to the Chinese group REF5961. This cluster’s activities overlapped with several known Chinese threat groups, such as BackdoorDiplomacy, APT15, Worok, and TA428, illustrating the extensive sharing of tools and techniques among Chinese actors.

Cluster Bravo had a brief presence in March 2023, focusing on lateral movement within the network to deploy a backdoor named CCoreDoor. This backdoor established communication pathways with external servers, facilitating credential exfiltration and network discovery.

Chinese cyber espionage

Cluster Charlie has been active since March 2023 and remains operational. This cluster is notable for deploying a novel persistence tool, PocoProxy, which masquerades as a legitimate Microsoft executable. Cluster Charlie’s operations are linked to Earth Longzhi, a subgroup of the Chinese APT41, and have been focused on espionage, particularly on extracting large volumes of military and political data.

According to Sophos, its findings underscore the aggressive nature of Chinese cyber espionage in the region and the sophisticated coordination among different threat actors. The cybersecurity company said that the ongoing activity of Cluster Charlie suggests that the espionage campaign is far from over, posing a continued threat to the targeted organization.

Sophos plans to keep the intelligence community updated as it continues to monitor and investigate these activities.
