Operation Crimson Palace, Chinese State-Sponsored Espionage, Expands in Southeast Asia, Sophos Report Finds
10 September 2024 - 11:30AM
Sept. 10, 2024 – Sophos, a global leader in innovative security
solutions for defeating cyberattacks, today released its report,
“Crimson Palace: New Tools, Tactics, Targets,” which details the
latest developments in a nearly two-year-long Chinese
cyberespionage campaign in Southeast Asia. Sophos X-Ops first
reported on what they named Operation Crimson Palace in June and
detailed Sophos X-Ops' discovery of three separate clusters of
Chinese nation-state activity—Cluster Alpha, Cluster Bravo and
Cluster Charlie—inside a high-profile government organization.
After a brief hiatus in August 2023, Sophos X-Ops noted renewed
Cluster Bravo and Cluster Charlie activity, both within the initial
targeted organization and in numerous other organizations within
the region.
While investigating this renewed activity, Sophos X-Ops
uncovered a novel keylogger that the threat hunters named
“Tattletale,” which can impersonate users who have signed into the
system and gather information related to password policies,
security settings, cached passwords, browser information, and
storage data. Sophos X-Ops also notes in the report that, in
contrast to the first wave of the operation, Cluster Charlie
increasingly switched to using open-source tools rather than
deploying the types of custom malware they developed in the initial
wave of activity.
“We’ve been in an ongoing chess match with these adversaries.
During the initial phases of the operation, Cluster Charlie was
deploying various bespoke tools and malware,” said Paul Jaramillo,
director, threat hunting and threat intelligence, Sophos. “However,
we were able to ‘burn’ much of their previous infrastructure,
blocking their Command and Control (C2) tools and forcing them to
pivot. This is good; however, their switch to open-source tools
demonstrates just how quickly these attacker groups can adapt and
remain persistent. It also appears to be an emerging trend among
Chinese nation-state groups. As the security community works to
secure our most sensitive systems from these attackers, it’s
important to share the insights into this pivot.”
Cluster Charlie, which shares tactics, techniques and procedures
(TTPs) with the Chinese threat group Earth Longzhi, was originally
active from March to August 2023 in a high-level government
organization in Southeast Asia. After lying dormant for
several weeks, the cluster re-emerged in September 2023 and remained
active until at least May 2024. During this second stage of the campaign,
Cluster Charlie focused on penetrating deeper into the network,
evading endpoint detection and response (EDR) tools and gathering
further intelligence. In addition to switching to open-source
tools, Cluster Charlie also began using tactics initially deployed
by Cluster Alpha and Cluster Bravo, suggesting that the same
overarching organization is directing all three activity clusters.
Sophos X-Ops has tracked ongoing Cluster Charlie activity across
multiple other organizations in Southeast Asia.
Cluster Bravo, which shares TTPs with the Chinese threat group
Unfading Sea Haze, was originally only active in the targeted
network for a three-week span in March 2023. However, the cluster
reappeared in January 2024, only this time it was targeting at
least 11 other organizations and agencies in the same region.
“Not only are we seeing all three of the ‘Crimson Palace’
clusters refine and coordinate their tactics, but they’re also
expanding their operations, attempting to infiltrate other targets
in Southeast Asia. Given how frequently Chinese nation-state groups
share infrastructure and tools, and the fact that Cluster Bravo and
Cluster Charlie are moving beyond the original target, we will
likely continue to see this campaign evolve—and in potentially new
locations. We will be monitoring it closely,” said Jaramillo.
To learn more, read “Crimson Palace: New Tools, Tactics,
Targets” on Sophos.com. For details about Sophos’ threat hunting
and other services for disrupting cyberattacks, go to Sophos
Managed Detection and Response (MDR).
For an in-depth look at the threat hunting behind this nearly
two-year-long cyberespionage campaign, register for the upcoming
webinar "Intrigue of the Hunt: Operation Crimson Palace: Unveiling
a Multi-Headed State-Sponsored Campaign" on Sept. 24 at 2 PM
ET:
https://events.sophos.com/operation-crimson-palace/.
Learn More About
- A cyberespionage campaign targeting a government organization
in Southeast Asia in Operation Crimson Palace: Threat Hunting
Unveils Multiple Clusters of Chinese State-Sponsored Activity
Targeting Southeast Asia
- The three clusters of threat activity involved in Operation
Crimson Palace
- The latest techniques, tactics and procedures (TTPs) of cyber
attackers in the Active Adversary Report for 1H 2024
- The biggest threats against small- and medium-sized businesses
in the 2024 Sophos Threat Report
- The use of threat activity clusters to identify patterns of
malicious activity
- Sophos’ Managed Detection and Response (MDR) and remediation
capabilities
- Sophos X-Ops and its groundbreaking threat research by
subscribing to the Sophos X-Ops blogs
About Sophos
Sophos is a global leader and
innovator of advanced security solutions for defeating
cyberattacks, including Managed Detection and Response (MDR) and
incident response services and a broad portfolio of endpoint,
network, email, and cloud security technologies. As one of the
largest pure-play cybersecurity providers, Sophos defends more than
600,000 organizations and more than 100 million users worldwide
from active adversaries, ransomware, phishing, malware, and more.
Sophos’ services and products connect through the Sophos
Central management console and are powered by Sophos X-Ops,
the company’s cross-domain threat intelligence unit. Sophos X-Ops
intelligence optimizes the entire Sophos Adaptive Cybersecurity
Ecosystem, which includes a centralized data lake that leverages a
rich set of open APIs available to customers, partners, developers,
and other cybersecurity and information technology vendors. Sophos
provides cybersecurity-as-a-service to organizations needing fully
managed security solutions. Customers can also manage their
cybersecurity directly with Sophos’ security operations platform or
use a hybrid approach by supplementing their in-house teams with
Sophos’ services, including threat hunting and remediation. Sophos
sells through reseller partners and managed service providers
(MSPs) worldwide. Sophos is headquartered in Oxford, U.K. More
information is available at www.sophos.com.
Contact: Samantha Powers, sophos@walkersands.com