by Howard Solomon

China-based cyber espionage campaign in SE Asia is expanding, says Sophos

News | 10 Sep 2024 | 6 mins

Critical Infrastructure, Cyberattacks, Government

Sophos report says the Crimson Palace campaign that started in 2023 has expanded to several more countries.

Credit: DC Studio / Shutterstock

CISOs in Southeast Asia should be on alert after the discovery that a suspected Chinese-based cyber espionage campaign that started last year is expanding its scope.

The warning today comes from researchers at Sophos, in a new report on activity it dubs Operation Crimson Palace. Initially the campaign — made up of clusters of activity by three attack groups — targeted what researchers said was a prominent agency of an unnamed country in Southeast Asia in 2023.

The three threat groups Sophos identified as being part of the campaign are nicknamed Alpha, Bravo, and Charlie. Sophos isn’t sure if they are all government-run groups or include private hackers. Each group seemed to specialize: Alpha focused on initial access and persistence, while Charlie specialized in finding documents.

Sophos says the groups’ activity, which it believes was overseen by China’s Ministry of State Security, stopped in August of that year.

But the updated report says that not only has the activity resumed, using a previously undocumented keylogger, but the attacks have also spread, hitting two non-governmental public service organizations that Sophos says have government-related roles, as well as other targets in Southeast Asia.

“It’s unlikely this threat group is only pursuing the victims we’ve seen,” Chester Wisniewski, Sophos’ global field CTO, said in an interview. “We’ve only got visibility into certain organizations because they’re our clients, so we’re hoping by sharing this information, our competitors that may be protecting similar entities in the region can use the information we have to perhaps identify more activity and maybe add their information to paint a more complete picture.”

“We are seeing highly coordinated activity between multiple groups, with bespoke malware being developed on the fly,” he added. When those tools are detected, the threat actors temporarily shift to open source tools, “put the hammer down and really go at it, and then before you know it they’re back with new, not-seen-before malware again.”

‘Wily’ attackers

The open source tools include Cobalt Strike (for command and control, aka C2), SharpHound (for reconnaissance), Impacket (for lateral movement), Donut (a shellcode loader), Cloudflared tunnel (also for C2 work), RealBlindingEDR (for killing endpoint detection and response solutions), and more.

A compromised unnamed telecom provider was also used.

Wisniewski described the attackers as “sophisticated and wily” and spoke of the “relentlessness” of their efforts.

Asked what CISOs and infosec leaders in Southeast Asia need to be doing, Wisniewski said, “The speed at which these groups are able to operate and how they are able to shift gears means you really need to have a 24 by 7 monitoring operation these days.

“You need to make sure you’re actively threat hunting for this type of activity and understand your network may be abused as part of a supply chain [attack].”

Among the intelligence being sought in this campaign, he said, are documents about the ongoing conflict in the South China Sea between China and Taiwan, the Philippines, Malaysia and Brunei. This dispute has also drawn the attention of the US.

New techniques

The researchers suspect that one newly discovered technique is the use of trial versions of Sophos EDR software to make attack or test servers appear to be located in Europe and the US.

Another tactic is installing Trend Micro’s Platinum Watch Dog, a utility that detects if a Trend Micro agent is running on a server, as part of an attack.

Other new tactics seen include the use of one organization’s IT servers as a command and control relay point and a staging ground for attack tools, and the staging of malware on another organization’s compromised Microsoft Exchange server.

Another alarming finding: In one case, the threat actor was able to create a new user machine authentication key, suggesting the attackers attempted authentication of a remote desktop protocol session from a device outside the targeted organization’s IT environment.

As noted in Sophos’ first report on Crimson Palace, the threat actors rely heavily on DLL sideloading, using a malicious Windows dynamic link library with function names matching those used by legitimate, signed Windows executables, and placing them in a directory where they would be found and loaded by those executables.
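One way a defender can hunt for the sideloading pattern described above is to review module-load telemetry for DLLs that carry a well-known Windows library name but were loaded from somewhere other than the Windows system directories, especially when the DLL sits beside the executable that loaded it and is unsigned. The script below is an added example, not code from the article or from Sophos; the watched library names, the system-directory allowlist, the telemetry record layout, and the sample module list are all constructed assumptions for illustration.

```python
"""Hunt module-load telemetry for DLL-sideloading indicators.

Added example (not from the article or Sophos). All inputs are constructed:
the telemetry fields, the watched-name list and the sample records are
assumptions an analyst would replace with their own EDR export.
"""
from dataclasses import dataclass
from pathlib import PureWindowsPath

# Directories where the watched library names are legitimately loaded from
# (assumed allowlist; extend for your own environment).
SYSTEM_DIRS = (r"c:\windows\system32", r"c:\windows\syswow64")

# Library names frequently shadowed by sideloaded DLLs
# (assumed analyst-maintained list, not a list from the report).
WATCHED_NAMES = {"version.dll", "dbghelp.dll", "cryptbase.dll",
                 "userenv.dll", "wtsapi32.dll"}


@dataclass(frozen=True)
class LoadedModule:
    """One module-load event as an EDR might export it (assumed layout)."""
    process: str      # image name of the loading process
    image_path: str   # full path of the loading executable
    module_path: str  # full path of the DLL that was loaded
    signed: bool      # True if the DLL carried a valid Authenticode signature


def _norm(path: str) -> str:
    """Normalise a Windows path for case-insensitive comparison."""
    return str(PureWindowsPath(path)).lower()


def _in_system_dir(path: str) -> bool:
    p = _norm(path)
    return any(p.startswith(d + "\\") for d in SYSTEM_DIRS)


def find_sideload_candidates(modules):
    """Return findings for watched DLL names loaded outside the system dirs.

    Severity is 'high' when the DLL is unsigned and lives in the same
    directory as the loading executable (the classic sideload layout),
    otherwise 'medium'.
    """
    findings = []
    for m in modules:
        name = PureWindowsPath(m.module_path).name.lower()
        if name not in WATCHED_NAMES or _in_system_dir(m.module_path):
            continue
        same_dir = (_norm(str(PureWindowsPath(m.module_path).parent))
                    == _norm(str(PureWindowsPath(m.image_path).parent)))
        reasons = [f"{name} loaded from outside the Windows system directories"]
        if same_dir:
            reasons.append("DLL sits beside the loading executable")
        if not m.signed:
            reasons.append("DLL is unsigned")
        severity = "high" if (same_dir and not m.signed) else "medium"
        findings.append({"process": m.process, "module": m.module_path,
                         "severity": severity, "reasons": reasons})
    return findings


# Constructed sample telemetry: one benign system load, one classic
# sideload layout, one unrelated vendor DLL, and one signed-but-misplaced DLL.
SAMPLE_MODULES = [
    LoadedModule("explorer.exe", r"C:\Windows\explorer.exe",
                 r"C:\Windows\System32\version.dll", signed=True),
    LoadedModule("vendorapp.exe", r"C:\Users\Public\Tools\vendorapp.exe",
                 r"C:\Users\Public\Tools\version.dll", signed=False),
    LoadedModule("app.exe", r"C:\Program Files\Vendor\app.exe",
                 r"C:\Program Files\Vendor\vendorcore.dll", signed=False),
    LoadedModule("svc.exe", r"C:\ProgramData\Example\svc.exe",
                 r"C:\ProgramData\Example\dbghelp.dll", signed=True),
]


def main():
    for f in find_sideload_candidates(SAMPLE_MODULES):
        print(f"[{f['severity']}] {f['process']} -> {f['module']}")
        for r in f["reasons"]:
            print(f"    - {r}")


if __name__ == "__main__":
    main()
```

Run against the constructed sample, the check flags the unsigned `version.dll` beside `vendorapp.exe` as high severity and the signed `dbghelp.dll` under `C:\ProgramData` as medium, while the genuine `System32` load and the vendor's own DLL pass. In practice the watched-name list is the part that needs care: it should come from the executables actually present in the environment rather than a generic list.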

Recent attacks

Among the more recent efforts:

  • in April, the attackers injected a new keylogger researchers dub TattleTale, which can collect data from Edge and Chrome browsers;
  • in June, the attackers installed the Cloudflared tunnel client after disabling telemetry on the computer so deployment of the tunnel wasn’t detected. It went unreported until incident response re-activated endpoint protection later that month.

Western countries have been warning for years of China’s cyber espionage threats. In May, US and UK officials issued cautions at a British security conference.

“Russia and Iran pose immediate threats, but China is the ‘epoch-defining’ challenge,” Reuters quoted Anne Keast-Butler, director of Britain’s Government Communications Headquarters (GCHQ) electronic spy agency, as saying.

And Harry Coker, US National Cyber Director, was quoted as telling the conference that Chinese military hackers were circumventing US defenses in cyberspace and targeting US interests at an “unprecedented scale.”

In another China-based attack, in February, the US Cybersecurity and Infrastructure Security Agency (CISA) issued a detailed report on a campaign by a group dubbed Volt Typhoon (also known by other researchers as UNC3236, Bronze Silhouette, and other nicknames) to infiltrate critical infrastructure in a number of countries. This campaign isn’t espionage, the report said, but an effort to plant malware in sensitive utilities for possible future network disruption.