fbpx
Techitup Middle East
B2B TechnologyCybersecurity

Sophos: Operation Crimson Palace – Expands in Southeast Asia

Sophos, released its report, “Crimson Palace: New Tools, Tactics, Targets,” which details the latest developments in a nearly two-year long Chinese cyberespionage campaign in Southeast Asia. Sophos X-Ops first reported on what they named Operation Crimson Palace in June and detailed Sophos X-Ops’ discovery of three separate clusters of Chinese nation-state activity—Cluster Alpha, Cluster Bravo and Cluster Charlie—inside a high-profile government organization. After a brief hiatus in August 2023, Sophos X-Ops noted renewed Cluster Bravo and Cluster Charlie activity, both within the initial targeted organization and in numerous other organizations within the region.

While investigating this renewed activity, Sophos X-Ops uncovered a novel keylogger that the threat hunters named “Tattletale,” which can impersonate users who have signed into the system and gather information related to password policies, security settings, cached passwords, browser information, and storage data. Sophos X-Ops also notes in the report that, in contrast to the first wave of the operation, Cluster Charlie increasingly switched to using open-source tools rather than deploying the types of custom malware they developed in the initial wave of activity.

Advertisement

Cluster Charlie, which shares tactics, techniques and procedures (TTPs) with the Chinese threat group Earth Longzhi, was originally active from March to August 2023 in a high-level government organization in Southeast Asia. While the cluster was dormant for several weeks, it re-emerged in September 2023 and was active again until at least May 2024. During this second stage of the campaign, Cluster Charlie focused on penetrating deeper into the network, evading endpoint detection and response (EDR) tools and gathering further intelligence. In addition to switching to open-source tools, Cluster Charlie also began using tactics initially deployed by Cluster Alpha and Cluster Bravo, suggesting that the same overarching organization is directing all three activity clusters. Sophos X-Ops has tracked ongoing Cluster Charlie activity across multiple other organizations in Southeast Asia.

Cluster Bravo, which shares TTPs with the Chinese threat group Unfading Sea Haze, was originally only active in the targeted network for a three-week span in March 2023. However, the cluster reappeared in January 2024, only this time it was targeting at least 11 other organizations and agencies in the same region.

To learn more, read “Chinese Cyberespionage Campaign Renews Efforts in Multiple Organizations in Southeast Asia, Blending Tactics and Expanding Efforts.”

Related posts

Sophos Announces Wi-Fi 6 Access Points to Support Shift to Hybrid Environments

Editor

New CIO Report: Six in 10 Businesses Struggle to Manage Cyber Risk 

Editor

ESET Research: Official Python Repository Served Cyberespionage Backdoor, Gathered 10,000+ Downloads 

Editor

Leave a Comment