Sophos has uncovered a sophisticated, nearly two-year Chinese cyber espionage campaign targeting a high-level Southeast Asian government entity, revealing three distinct clusters of malicious activity. The campaign, aimed at gathering sensitive information, showcases the extensive coordination and tool-sharing among Chinese state-sponsored threat groups.
6 June 2024 – Sophos, a leader in cybersecurity solutions, has released a report titled “Operation Crimson Palace: Threat Hunting Unveils Multiple Clusters of Chinese State-Sponsored Activity Targeting Southeast Asia,” detailing a complex and prolonged espionage campaign against a high-level government entity. The nearly two-year investigation by Sophos X-Ops’ managed detection and response (MDR) team uncovered three distinct clusters of activity, with two showing tactics, techniques, and procedures (TTPs) linked to well-known Chinese nation-state groups, including BackdoorDiplomacy, APT15, and APT41’s subgroup Earth Longzhi.
The campaign, named “Crimson Palace,” was aimed at gathering reconnaissance on specific users and extracting sensitive political, economic, and military information using a variety of malware and tools. One notable discovery was a previously unseen persistence tool dubbed PocoProxy.
Paul Jaramillo, director of threat hunting and threat intelligence at Sophos, emphasized the campaign’s alignment with Chinese state interests, focusing on intelligence related to South China Sea strategies. The operation featured coordinated efforts by three distinct clusters, each using shared infrastructure and tools, characteristic of Chinese cyber operations.
The malicious activity was first detected in December 2022 when Sophos X-Ops identified a data exfiltration tool attributed to the Chinese group Mustang Panda. A broader investigation in May 2023 revealed three clusters of activity within the target’s network: Cluster Alpha, Cluster Bravo, and Cluster Charlie.
Cluster Alpha operated from March to August 2023, deploying malware to disable antivirus protections, escalate privileges, and conduct reconnaissance. This cluster used an upgraded version of EAGERBEE malware, associated with the Chinese group REF5961, and showed overlaps with multiple Chinese threat groups.
Cluster Bravo was active for three weeks in March 2023, focusing on lateral network movement and deploying the CCoreDoor backdoor to establish external communication, perform discovery, and exfiltrate credentials.
Cluster Charlie has been active since March 2023 and remains operational. It deployed PocoProxy, a persistence tool masquerading as a Microsoft executable, to establish communication with command-and-control (C2) infrastructure and exfiltrate sensitive data. This cluster shares TTPs with Earth Longzhi, a subgroup of APT41.
Jaramillo highlighted the aggressive development of cyber espionage operations in the South China Sea, with multiple threat groups using advanced malware and tools to persist in high-level government networks. He warned of the ongoing threat these groups pose due to their shared resources and techniques, underscoring the importance of a broad, informed defensive strategy.
Sophos continues to monitor these clusters, sharing findings with the intelligence community to enhance global cybersecurity defenses.