Sophos, a global leader in innovative security solutions, has released a report detailing a highly sophisticated, nearly two-year-long espionage campaign against a high-level government target in Southeast Asia.

The campaign, dubbed “Operation Crimson Palace,” involves three distinct clusters of activity, two of which include tactics, techniques, and procedures (TTPs) that overlap with well-known Chinese nation-state groups, including APT41 and BackdoorDiplomacy.

During the investigation, which began in December 2022, Sophos X-Ops found that the attackers designed their operation to gather reconnaissance on specific users and sensitive political, economic, and military information. The campaign utilised a wide variety of malware and tools, including previously unseen malware such as PocoProxy, a persistence tool.

Paul Jaramillo, director of threat hunting and threat intelligence at Sophos, emphasised the importance of having a broader picture of how these Chinese threat groups coordinate their operations in order to improve organisational defences.

“The overlap Sophos has uncovered is an important reminder that focusing too much on any single Chinese attribution may put organisations at risk of missing trends about how these groups coordinate their operations,” said Jaramillo.

Three Distinct Clusters of Activity Identified

Sophos X-Ops first discovered malicious activity on the targeted organisation’s network in December 2022 and began a broader hunt across the environment. In May 2023, they uncovered three distinct clusters of activity:

Cluster Alpha: Active from March to August 2023, focusing on disabling AV protections, escalating privileges, and conducting reconnaissance. It utilised malware and TTPs overlapping with Chinese threat groups BackdoorDiplomacy, APT15, Worok, and TA428.

Cluster Bravo: Active for a three-week span in March 2023, focusing on lateral movement and deploying the CCoreDoor backdoor for external communications, discovery, and credential exfiltration.

Cluster Charlie: Active from March 2023 to at least April 2024, focusing on espionage and exfiltration using the PocoProxy persistence tool. It shares TTPs with the Chinese threat group Earth Longzhi, a reported subgroup of APT41, and remains active.

Jaramillo noted that given the frequent overlap and sharing of tooling among Chinese threat groups, the TTPs and novel malware observed in this campaign may resurface in other Chinese operations globally.

Aggressive Development of Cyberespionage Operations in the South China Sea

“What we’ve seen with this campaign is the aggressive development of cyberespionage operations in the South China Sea. We have multiple threat groups, likely with unlimited resources, targeting the same high-level government organisation for weeks or months at a time, and they are using advanced custom malware intertwined with publicly available tools,” said Jaramillo.

Sophos asserts with high confidence that the overall goal behind the campaign was to maintain access to the target network for cyberespionage in support of Chinese state interests.

This includes accessing critical IT systems, performing reconnaissance of specific users, collecting sensitive military and technical information, and deploying various malware implants for command-and-control communications.

Sophos has released a detailed technical report on the three activity clusters and will continue to keep the intelligence community informed of their findings as they investigate further.

The post Sophos Uncovers Chinese Espionage Campaign, ‘Operation Crimson Palace’ in Southeast Asia appeared first on AIM.