China Attacks Government Organization in Southeast Asia

Sophos researchers recently uncovered a sophisticated cyber espionage operation attributed to Chinese state-sponsored actors, which they track as Crimson Palace. The operation was designed to maintain persistent access to government networks in Southeast Asia.

The intruders targeted critical IT systems, conducted surveillance on specific users, collected sensitive military and technical data, and deployed a range of malware to maintain remote control over compromised hosts.

While the specific government organization targeted was not disclosed, the country in question is engaged in ongoing territorial disputes with China in the South China Sea. This points to the possibility that the Philippines, which has previously been attacked by the Chinese group Mustang Panda, could be the target.

The Crimson Palace operation consists of three distinct activity clusters, some of which share tactics and tooling:

  • Cluster Alpha (STAC1248) (March 2023 – August 2023): focused on reconnaissance of server subnets and Active Directory infrastructure. Overlaps with BackdoorDiplomacy, REF5961, Worok and TA428.
  • Cluster Bravo (STAC1870) (since March 2023): carried out lateral movement using valid accounts and deployed the EtherealGh0st malware. Overlaps with Unfading Sea Haze.
  • Cluster Charlie (STAC1305) (March 2023 – April 2024): used PocoProxy for access and HUI Loader to deliver Cobalt Strike. Overlaps with Earth Longzhi (an APT41 subgroup).

Sophos assesses that this is a coordinated campaign orchestrated by a single group with an extensive arsenal of tools, diverse infrastructure, and multiple operators.

The operation stands out for its use of previously unknown malware such as PocoProxy alongside updated versions of well-known malware families. The attackers relied on DLL sideloading, in which a trusted, signed executable is made to load a malicious DLL placed in its own directory, together with other unconventional evasion methods to bypass security controls.
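The report does not describe how to hunt for the DLL sideloading it mentions, so the following is an added example, not code from Sophos or from the report. It applies a common detection heuristic to constructed, Sysmon-style ImageLoad (Event ID 7) records: flag a load when a DLL whose name belongs in a Windows system directory is instead loaded from the host process's own directory, and that directory is one an unprivileged user could have written to. The field names (`Image`, `ImageLoaded`, `SignatureStatus`), the list of system DLL names and all sample paths are assumptions made for illustration.

```python
"""Heuristic detection of DLL sideloading from image-load telemetry.

Added example, not from the Sophos report. Scans constructed Sysmon-style
Event ID 7 (ImageLoad) records and flags loads where a DLL that normally
lives in System32/SysWOW64 is loaded from the executable's own directory
and that directory is user-writable.
"""
from typing import Iterable, List, Optional

# DLL names that should normally load from a Windows system directory.
# Constructed, illustrative list; a real deployment would derive it from a
# golden-image inventory of System32/SysWOW64.
SYSTEM_DLLS = {"version.dll", "dbghelp.dll", "wininet.dll", "userenv.dll", "msvcr100.dll"}

SYSTEM_DIRS = (
    r"C:\Windows\System32",
    r"C:\Windows\SysWOW64",
    r"C:\Windows\WinSxS",
)

# Directories a standard user can populate; a sideloaded DLL usually sits here.
USER_WRITABLE_PREFIXES = (
    r"C:\Users",
    r"C:\ProgramData",
    r"C:\Windows\Temp",
)


def _norm(path: str) -> str:
    """Normalise a Windows path for case-insensitive prefix comparison."""
    return path.replace("/", "\\").lower().rstrip("\\")


def _under(path: str, prefixes: Iterable[str]) -> bool:
    """True when `path` equals or lies below any of `prefixes`."""
    p = _norm(path)
    return any(p == pre or p.startswith(pre + "\\") for pre in map(_norm, prefixes))


def sideload_reason(event: dict) -> Optional[str]:
    """Return a short reason string if the event matches the heuristic, else None.

    event: {"Image": host exe path, "ImageLoaded": DLL path,
            "SignatureStatus": Sysmon signature status of the DLL (optional)}
    """
    image = _norm(event["Image"])
    loaded = _norm(event["ImageLoaded"])
    dll_dir, _, dll_name = loaded.rpartition("\\")
    exe_dir = image.rpartition("\\")[0]

    if dll_name not in SYSTEM_DLLS:
        return None                      # not a DLL we expect in a system dir
    if _under(loaded, SYSTEM_DIRS):
        return None                      # loaded from where it belongs
    # The sideload pattern: the DLL sits next to the executable, and that
    # directory is one an unprivileged user could have written to.
    if dll_dir != exe_dir or not _under(exe_dir, USER_WRITABLE_PREFIXES):
        return None
    sig = str(event.get("SignatureStatus", "Unknown"))
    strength = "high" if sig.lower() != "valid" else "medium"
    return f"{strength}: system DLL {dll_name} loaded from {dll_dir} (signature {sig})"


def find_sideloads(events: Iterable[dict]) -> List[dict]:
    """Return the events that match the sideloading heuristic, with a reason attached."""
    hits = []
    for ev in events:
        reason = sideload_reason(ev)
        if reason:
            hits.append({**ev, "Reason": reason})
    return hits


# Constructed sample telemetry (not real events from the report).
SAMPLE_EVENTS = [
    {"Image": r"C:\Program Files\Vendor\tool.exe",
     "ImageLoaded": r"C:\Windows\System32\version.dll", "SignatureStatus": "Valid"},
    {"Image": r"C:\Users\alice\AppData\Local\Temp\update.exe",
     "ImageLoaded": r"C:\Users\alice\AppData\Local\Temp\version.dll", "SignatureStatus": "Unavailable"},
    {"Image": r"C:\Users\alice\AppData\Local\Temp\update.exe",
     "ImageLoaded": r"C:\Users\alice\AppData\Local\Temp\vendorlib.dll", "SignatureStatus": "Valid"},
    {"Image": r"C:\Program Files\Vendor\tool.exe",
     "ImageLoaded": r"C:\Program Files\Vendor\dbghelp.dll", "SignatureStatus": "Valid"},
    {"Image": r"C:\ProgramData\svc\host.exe",
     "ImageLoaded": r"C:\ProgramData\svc\wininet.dll", "SignatureStatus": "Unavailable"},
]

if __name__ == "__main__":
    for hit in find_sideloads(SAMPLE_EVENTS):
        print(hit["Reason"])
```

The heuristic is deliberately narrow: a vendor DLL loaded next to its own executable (third sample) and a system-named DLL under Program Files (fourth sample) are left alone, since both are common in benign software. Tuning the DLL list and the writable-directory list to the environment is what keeps the false-positive rate manageable.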

Sophos has also compiled indicators of compromise for each activity cluster. Analysis of the campaign is ongoing, and further details are expected as the investigation continues.

Further information on this report can be found
