
The threat of espionage by foreign groups, and the systematic way in which it is carried out, is a growing concern that has become more alarming with recent revelations about online gambling hubs.
The Philippine Offshore Gaming Operator (POGO) complexes have been suspected of doubling as spying clusters, hence the huge sums of money associated with them.
The funds are meant to keep enough politicians silent, while the self-sustaining complexes generate money through fraud, likely to sustain their covert missions within the country’s shores.
The Department of Foreign Affairs conceded that the government is chasing after snoops conducting covert operations. The agency admitted the issue is an “area of concern” and that wide coordination is being undertaken across the government to counter it.
The Oxford, United Kingdom-based digital security outfit Sophos indicated that stopping cyber espionage operations in Southeast Asia that it traced to China is easier said than done.
It indicated that a state-sponsored cyber blitz would involve layers of experts that only China, with its vast resources, can employ.
A report called “Crimson Palace: New Tools, Tactics, Targets” said the latest developments in a nearly two-year-long Chinese cyber espionage campaign in Southeast Asia showed that the campaign had evolved swiftly.
Sophos’ X-Ops division first reported on what it named Operation Crimson Palace in June. It attributed espionage in the region (it declined to identify the specific countries targeted) to three separate clusters of “nation-state” activity “inside a high-profile government organization,” which it tagged as Cluster Alpha, Cluster Bravo and Cluster Charlie.
It said that Operation Crimson Palace intensified after a brief hiatus in August 2023.
The main tool was a keylogger, a malicious computer program that records every keystroke a user makes, which the Sophos threat hunters named “Tattletale.”
With it, the hackers gather information on password policies, security settings, cached passwords, browser information and storage data. Sophos X-Ops said that, given the vast network and sophistication of the cyber espionage operations from China, it had a hard time keeping track of the army of hackers.
“We’ve been in an ongoing chess match with these adversaries,” said Paul Jaramillo, director of threat hunting and threat intelligence at Sophos.
“However, we were able to ‘burn’ much of their previous infrastructure, blocking their Command and Control (C2) tools and forcing them to pivot,” he added.
Nonetheless, the spies switched to open-source tools, which anyone can obtain for free.
“It demonstrates just how quickly these attacker groups can adapt and remain persistent. It also appears to be an emerging trend among Chinese nation-state groups. As the security community works to secure our most sensitive systems from these attackers, it’s important to share the insights into this pivot,” the Sophos expert indicated.
According to the UK company’s findings, the initial wave of the threat was active from March to August 2023 inside a high-level government organization in Southeast Asia, the period when attacks on most government websites intensified.
After several weeks of dormancy, it re-emerged in September 2023 and remained active until at least May 2024.
During this second stage of the campaign, the operators tried to penetrate deeper into the network, evade endpoint detection and response (EDR) tools and gather further intelligence.
In addition to switching to open-source tools, the attackers also began using tactics first seen in the other clusters, which the UK firm said was “suggesting that the same overarching organization is directing all three activity clusters. Sophos X-Ops has tracked ongoing activity across multiple other organizations in Southeast Asia.”
It warned that “all three of the Crimson Palace clusters have refined and coordinated their tactics, but they’ve also expanded their operations, attempting to infiltrate other targets in Southeast Asia.”
Clearly, the Philippines is now at war, albeit in a different dimension, and the threat of paralyzing a society heavily reliant on the pace of technology, primarily communications, looms large.