Sophos exposes China-linked cyberespionage in Southeast Asia

Sophos, a security solutions company, has released a detailed report titled "Crimson Palace: New Tools, Tactics, Targets." The report delves into the activities of three separate clusters, Cluster Alpha, Cluster Bravo, and Cluster Charlie, linking them to a Chinese nation-state cyberespionage campaign in Southeast Asia.

According to the report, Sophos X-Ops has discovered a sophisticated keylogger, named "Tattletale," which can impersonate users. This novel keylogger is capable of gathering extensive information, such as password policies, security settings, cached passwords, browser information, and storage data.

Paul Jaramillo, the director of threat hunting and threat intelligence at Sophos, elaborated on the significance of their findings. "We have been in an ongoing chess match with these adversaries.

"During the initial phases of the operation, Cluster Charlie was deploying various bespoke tools and malware. However, we were able to 'burn' much of their previous infrastructure, blocking their Command and Control (C2) tools and forcing them to pivot," he said.

"This is good; however, their switch to open-source tools demonstrates just how quickly these attacker groups can adapt and remain persistent. It also appears to be an emerging trend among Chinese nation-state groups. As the security community works to secure our most sensitive systems from these attackers, it's important to share the insights into this pivot," Jaramillo said.

Cluster Charlie, which shares tactics, techniques, and procedures (TTPs) with the Chinese threat group Earth Longzhi, was active initially from March to August 2023 in a high-level government organisation in Southeast Asia. After a dormancy period of several weeks, the cluster re-emerged in September 2023 and continued its activities till at least May 2024, Sophos said.

During its renewed phase, Cluster Charlie focused on penetrating deeper into networks, evading endpoint detection and response (EDR) tools, and gathering further intelligence. The threat actors also began using tactics initially deployed by Cluster Alpha and Cluster Bravo, indicating that a single overarching organisation might be directing all three clusters. Sophos X-Ops has traced ongoing Cluster Charlie activities across multiple organisations in the region.

Cluster Bravo, which shares TTPs with the Chinese threat group Unfading Sea Haze, was originally active for three weeks in March 2023. The cluster resurfaced in January 2024, this time targeting at least 11 other organisations and agencies within Southeast Asia.

"Not only are we seeing all three of the 'Crimson Palace' clusters refine and coordinate their tactics, but they're also expanding their operations, attempting to infiltrate other targets in Southeast Asia. Given how frequently Chinese nation-state groups share infrastructure and tools, and the fact that Cluster Bravo and Cluster Charlie are moving beyond the original target, we will likely continue to see this campaign evolve—and in potentially new locations. We will be monitoring it closely," Jaramillo added.