UK firm uncovers SCS spy operations

Philippines, the target?
CHINA has been building artificial islands in the West Philippine Sea, hosting airfields and docks that support its overarching military reach in the disputed waters. A British study says Beijing is also conducting espionage operations in the South China Sea, which overlaps the WPS.
Photographs courtesy of Armed Forces of the Philippines and Getty

British security software and hardware giant Sophos has released a report detailing highly sophisticated Chinese espionage operations that likely involved state entities.

The campaign revolves around the problem in the South China Sea and particularly targeted a government agency of a Southeast Asian nation that was not identified.

DAILY TRIBUNE has sought, but has yet to get, a response from Philippine security officials on whether the country referred to in the report could be the Philippines.

China has long been suspected of operating a spy network using the Internet but Sophos came up with plausible evidence of systematic operations involving its government.

The spike in spying operations occurs from 8 a.m. to 5 p.m. Beijing time, which are normal working hours in that country.
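The working-hours pattern described above is a standard threat-intelligence check: shift each observed event from UTC into the suspected operator's local time and see how much of the activity falls inside a business day. The example below is added here and is not code from the report or the newspaper; the beacon timestamps are constructed, and the helper names are assumptions. China Standard Time is UTC+8 with no daylight saving, so a fixed offset is exact.

```python
from collections import Counter
from datetime import datetime, timedelta, timezone

# China Standard Time is UTC+8 year-round (no DST), so a fixed offset is exact.
BEIJING_OFFSET_HOURS = 8

# Constructed sample: UTC timestamps of outbound C2 beacons, as a defender
# might pull them from proxy or EDR logs. Not real Crimson Palace data.
SAMPLE_EVENTS_UTC = [
    "2023-03-06T00:15:00Z", "2023-03-06T01:40:00Z", "2023-03-06T03:05:00Z",
    "2023-03-06T06:30:00Z", "2023-03-06T08:45:00Z", "2023-03-07T02:00:00Z",
    "2023-03-07T05:20:00Z", "2023-03-07T07:55:00Z", "2023-03-07T14:10:00Z",
    "2023-03-07T21:30:00Z",
]


def parse_utc(ts: str) -> datetime:
    """Parse an ISO-8601 'Z' timestamp into an aware UTC datetime."""
    return datetime.fromisoformat(ts.replace("Z", "+00:00")).astimezone(timezone.utc)


def local_hours(timestamps_utc, utc_offset_hours=BEIJING_OFFSET_HOURS):
    """Hour of day (0-23) of each event after shifting to the given UTC offset."""
    tz = timezone(timedelta(hours=utc_offset_hours))
    return [parse_utc(ts).astimezone(tz).hour for ts in timestamps_utc]


def hourly_histogram(timestamps_utc, utc_offset_hours=BEIJING_OFFSET_HOURS):
    """Events per local hour; a working-day bump shows up as a cluster of hours."""
    return Counter(local_hours(timestamps_utc, utc_offset_hours))


def working_hours_share(timestamps_utc, utc_offset_hours=BEIJING_OFFSET_HOURS,
                        start=8, end=17):
    """Fraction of events between start:00 (inclusive) and end:00 (exclusive)."""
    hours = local_hours(timestamps_utc, utc_offset_hours)
    if not hours:
        return 0.0  # no events: avoid division by zero
    return sum(1 for h in hours if start <= h < end) / len(hours)


if __name__ == "__main__":
    # Compare candidate time zones: the one where activity packs into
    # 08:00-17:00 is the more plausible operator location.
    for name, off in (("Beijing UTC+8", 8), ("London UTC+0", 0), ("New York UTC-5", -5)):
        share = working_hours_share(SAMPLE_EVENTS_UTC, off)
        print(f"{name}: {share:.0%} of beacons inside 08:00-17:00")
```

Treat the result as one weak signal among several: automated beaconing, relays hosted in other time zones, and deliberate scheduling all distort it, which is why the report pairs it with tooling and infrastructure overlap.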

Sophos’ report, titled “Operation Crimson Palace: Threat Hunting Unveils Multiple Clusters of Chinese State-Sponsored Activity Targeting Southeast Asia,” details a highly sophisticated, nearly two-year-long espionage campaign against a high-level government target.

Sophos initiated an X-Ops investigation, which began in 2023, and found three distinct clusters of activity targeting the same organization.

Two of these clusters used tactics, techniques, and procedures that overlap with well-known Chinese nation-state groups: BackdoorDiplomacy, APT15 and the APT41 subgroup Earth Longzhi.

According to the Sophos report, the attackers’ operation involved reconnaissance on specific users as well as the gathering of sensitive political, economic, and military information, using a wide variety of malware and tools.

Sophos dubbed the malicious online campaign “Crimson Palace.” The operation includes previously unseen malware, which Sophos named PocoProxy.

“Based on our analysis, we assess with moderate confidence that multiple distinct Chinese state-sponsored actors have been active in this high-profile Southeast Asian government organization since at least March 2022,” according to the report.

The Sophos investigation uncovered the work of “separate actors tasked by a central authority with parallel objectives in pursuit of Chinese state interests.”

Organized malice

Results of the probe showed “different clusters that appear to have been working in support of Chinese state interests by gathering military and economic intelligence related to the country’s strategies in the South China Sea.”

“Within just one of the three clusters that we identified — Cluster Alpha — we saw malware and tactics, techniques, and procedures (TTPs) overlap with four separately reported Chinese threat groups. It’s well-known that Chinese attackers share infrastructure and tooling, and this recent campaign is a reminder of just how extensively these groups share their tools and techniques,” according to the report.

As Western governments grapple with threats believed to emanate from China, the overlap that Sophos has uncovered “was an important reminder that focusing too much on any single Chinese attribution may put organizations at risk of missing trends about how these groups coordinate their operations,” the report noted.

Paul Jaramillo, director of threat hunting and intelligence at Sophos, said: “By having the bigger, broader picture, organizations can be smarter about their defenses.”

Virtual commando ops

Sophos X-Ops first learned of the nefarious activity on the targeted organization’s network in December 2022 when they found a data exfiltration tool previously attributed to the Chinese threat group Mustang Panda.

From there, the probers began a broader hunt for malicious activity.

In May 2023, Sophos X-Ops threat hunting uncovered a vulnerable VMware executable and, after analysis, three distinct clusters of activity in the target’s network: Cluster Bravo, Cluster Charlie and Cluster Alpha.

Cluster Alpha was active from early March to at least August 2023 and deployed a variety of malware focused on disabling AV protections, escalating privileges and conducting reconnaissance.

This included an upgraded version of the EAGERBEE malware that has been associated with the Chinese threat group REF5961.

Cluster Alpha also utilized TTPs and malware that overlap with the Chinese threat groups BackdoorDiplomacy, APT15, Worok and TA428.

Cluster Bravo was only active in the targeted network for three weeks in March 2023 and focused on moving laterally through the victim’s network to sideload a backdoor called CCoreDoor.

“This backdoor establishes external communications pathways for the attackers, performs discovery and exfiltrates credentials,” according to the Sophos report.

Cluster Charlie was active from March 2023 to at least April 2024, with a focus on espionage and exfiltration.

It included the deployment of PocoProxy: a persistence tool that masquerades as a Microsoft executable and establishes communications with the attackers’ command and control infrastructure.

Cluster Charlie worked to exfiltrate a large volume of sensitive data for espionage purposes, including military and political documents and credentials/tokens for further access within the network.

Cluster Charlie shares TTPs with the Chinese threat group Earth Longzhi, a reported subgroup of APT41. Unlike Cluster Alpha and Cluster Bravo, Cluster Charlie remains active.

“What we’ve seen with this campaign is the aggressive development of cyberespionage operations in the South China Sea. We have multiple threat groups, likely with unlimited resources, targeting the same high-level government organization for weeks or months at a time, and they are using advanced custom malware intertwined with publicly available tools,” the report indicated.

“They were, and are still, able to move throughout an organization at will, rotating their tools frequently. At least one of the activity clusters is still very much active and attempting to conduct further surveillance,” it said.

The investigation into the campaign demonstrates the importance of an efficient intelligence cycle, outlining how a threat hunt spawned from a raised detection can generate intelligence to develop new detections and jumpstart additional hunts, Sophos reported.
