Sophos, a global leader in cybersecurity, has uncovered new developments in Operation Crimson Palace, a Chinese state-sponsored cyberespionage campaign targeting Southeast Asia. In the report “Crimson Palace: New Tools, Tactics, Targets,” Sophos X-Ops details how Chinese nation-state groups are evolving their strategies, shifting from custom malware to open-source tools in order to evade detection and continue their attacks.
In June, Sophos X-Ops discovered three separate clusters of Chinese nation-state activity, Cluster Alpha, Cluster Bravo and Cluster Charlie, inside a high-profile government organization.
During recent investigations, Sophos X-Ops discovered a novel keylogger named “Tattletale,” designed to impersonate system users and gather sensitive information, including password policies, security settings, and browser data. The report indicates that after a brief pause in August 2023, the Chinese threat groups identified as Cluster Bravo and Cluster Charlie resumed activities targeting high-profile government organizations and expanded their reach to new victims across the region.
Operation Crimson Palace
Unlike the initial phase of Operation Crimson Palace, in which attackers deployed bespoke malware, recent findings show Cluster Charlie increasingly using open-source tools, highlighting a broader trend among Chinese nation-state groups. “We’ve seen how quickly these adversaries adapt,” said Paul Jaramillo, Director of Threat Hunting and Threat Intelligence at Sophos. “Their pivot to open-source tools underscores their persistence and the ongoing threat they pose to sensitive systems.”
Cluster Charlie, which shares tactics, techniques and procedures [TTPs] with the Chinese threat group Earth Longzhi, was originally active from March to August 2023 in a high-level government organization in Southeast Asia. After lying dormant for several weeks, the cluster re-emerged in September 2023 and remained active until at least May 2024.
Cluster Charlie Evades Endpoint Detection and Response
During this second stage of the campaign, Cluster Charlie focused on penetrating deeper into the network, evading endpoint detection and response [EDR] tools and gathering further intelligence. In addition to switching to open-source tools, Cluster Charlie also began using tactics initially deployed by Cluster Alpha and Cluster Bravo, which suggests that the same overarching organization is directing all three activity clusters. Sophos X-Ops has tracked ongoing Cluster Charlie activity across multiple other organizations in Southeast Asia.
Cluster Bravo, which shares TTPs with the Chinese threat group Unfading Sea Haze, was originally active in the targeted network for only three weeks in March 2023. However, the cluster reappeared in January 2024, this time targeting at least 11 other organizations and agencies in the same region.
“Not only are we seeing all three of the ‘Crimson Palace’ clusters refine and coordinate their tactics, they’re also expanding their operations, attempting to infiltrate other targets in Southeast Asia. Given how frequently Chinese nation-state groups share infrastructure and tools, and the fact that Cluster Bravo and Cluster Charlie are moving beyond the original target, we will likely continue to see this campaign evolve—and in potentially new locations. We will be monitoring it closely,” said Jaramillo.
Sophos will continue to monitor these activities closely and provide insights into the evolving tactics of Operation Crimson Palace. To learn more, read the full report, “Crimson Palace: New Tools, Tactics, Targets,” available at Sophos.com.
Intrigue of the Hunt Webinar
For an in-depth look at the threat hunting behind this nearly two-year-long cyberespionage campaign, register for the upcoming webinar “Intrigue of the Hunt: Operation Crimson Palace: Unveiling a Multi-Headed State-Sponsored Campaign” on Sept. 24 at 2 PM ET: https://events.sophos.com/operation-crimson-palace/.
For details about Sophos’ threat hunting and other services for disrupting cyberattacks, go to Sophos Managed Detection and Response [MDR].