Sophos: Operation Crimson Palace, Chinese State-Sponsored Espionage, Expands in Southeast Asia 

Sophos banner

Contents (maximize to view)

Sophos has reported on the latest developments in a two-year Chinese cyberespionage campaign in Southeast Asia. The campaign, known as Operation Crimson Palace, involved the discovery of three Chinese nation-state activity clusters.

Sophos Report

Sophos X-Ops discovered a new keylogger called “Tattletale” that can impersonate users and gather information on password policies, security settings, cached passwords, browser information, and storage data. Cluster Charlie has switched to using open-source tools instead of custom malware in its initial wave of activity.

“We’ve been in an ongoing chess match with these adversaries. During the initial phases of the operation, Cluster Charlie was deploying various bespoke tools and malware. However, we were able to ‘burn’ much of their previous infrastructure, blocking their Command and Control (C2) tools and forcing them to pivot. This is good; however, their switch to open-source tools demonstrates just how quickly these attacker groups can adapt and remain persistent. It also appears to be an emerging trend among Chinese nation-state groups. As the security community works to secure our most sensitive systems from these attackers, it’s important to share insights into this pivot.” 

Paul Jaramillo, Sophos Director of threat hunting and threat intelligence

Sophos banner

Cluster Charlie, a Chinese threat group, was active in Southeast Asia from March to August 2023. It re-emerged in September 2023 and continued until May 2024. It focused on deeper penetration, evading endpoint detection and response tools, and gathering intelligence. It switched to open-source tools and used tactics from Cluster Alpha and Cluster Bravo, suggesting the same organization directed all three activity clusters.

Cluster Bravo, also with TTPs from Unfading Sea Haze, was active for three weeks but reappeared in January 2024, targeting at least 11 other organizations in the same region.

For more information, visit Sophos’ website.

Featured image

Migs Palispis

Started his freelancing adventure in 2018 and began doing freelance Audio Engineering work and then started freelance writing a few years later.

Currently he writes for Gadget Pilipinas and Grit.PH.

He is also a musician, foody, gamer, and PC enthusiast.

Leave a Reply

Gadget Pilipinas | Tech News, Reviews, Benchmarks and Build Guides
Logo
Compare items
  • Total (0)
Compare
0