Chinese espionage campaign targeting Southeast Asia revealed

A sophisticated two-year-long Chinese espionage campaign targeting a high-level government entity in Southeast Asia has been unveiled by cybersecurity firm, Sophos. The operation, termed 'Crimson Palace', employed previously unseen malware to gather sensitive political, economic, and military information. Sophos' investigation began in 2023 and revealed multiple clusters of activity targeting the same government organisation.

The espionage campaign was characterised by the deployment of a wide variety of malware and tools. Among these was a persistence tool named ‘PocoProxy’. According to the report, the operation saw tactics, techniques, and procedures (TTPs) echoing those of known Chinese state-sponsored groups such as BackdoorDiplomacy, APT15, and APT41’s subgroup Earth Longzhi.

The attackers designed their operation to collect detailed reconnaissance and sensitive data, likely in support of Chinese state interests, particularly concerning strategies in the South China Sea. Sophos identified three distinct clusters of activity: Cluster Alpha, Cluster Bravo, and Cluster Charlie. These clusters represent separate groups working in parallel, under a central directive to target the government entity.

Paul Jaramillo, Director of Threat Hunting and Threat Intelligence at Sophos, stated, “This recent campaign is a reminder of just how extensively these groups share their tools and techniques. By having the bigger, broader picture, organisations can be smarter about their defenses.”

The investigation by Sophos X-Ops originated from detecting malicious activity in December 2022, when a data exfiltration tool linked to the Chinese threat group Mustang Panda was found on the targeted network. Further analysis revealed three distinct clusters of activity. Cluster Alpha was active from early March to at least August 2023, utilising malware aimed at disabling antivirus protections, escalating privileges, and conducting reconnaissance. This cluster included upgraded versions of the EAGERBEE malware and shared TTPs with several Chinese threat groups like BackdoorDiplomacy and APT15.

Cluster Bravo, on the other hand, was active for a three-week span in March 2023, focusing on lateral movement within the network and the deployment of a backdoor named CCoreDoor. This backdoor facilitated external communications for the attackers and aided in credential exfiltration.

Cluster Charlie, which remains active, operated from March 2023 to at least April 2024. This cluster concentrated on espionage and the exfiltration of extensive data using PocoProxy. It targeted military and political documents and established communication with the attackers’ command and control infrastructure. TTPs used by Cluster Charlie closely align with those of Earth Longzhi, a subgroup of APT41.

Sophos' report underscores the aggressive nature of these cyber espionage operations, with multiple threat groups possessing extensive resources, targeting a high-level government organisation for prolonged periods. These groups employed advanced custom malware combined with publicly available tools to manoeuvre throughout the network and conduct surveillance.

Jaramillo commented, “Given how often these Chinese threat groups overlap and share tooling, it’s possible that the TTPs and novel malware we observed in this campaign will resurface in other Chinese operations globally. We will keep the intelligence community informed of what we find as we continue our investigations into these three clusters.”

As Western governments intensify awareness of cyber threats from China, the findings by Sophos serve as a crucial reminder of the need for comprehensive vigilance against such coordinated attacks. Understanding the broader collaboration and tool-sharing among Chinese threat groups could be vital in enhancing defence strategies for targeted organisations worldwide.