
New Chinese Espionage Threat Targets Southeast Asian Government Organization


Threat actors with ties to Chinese state interests have reportedly been targeting a high-profile government organization in Southeast Asia since March 2022, as revealed by a recent study conducted by Sophos.

The Chinese espionage threat, known as “Crimson Palace,” was first detected in May 2023 by Mark Parsons, a member of Sophos MDR. Parsons came across what he described as a “sophisticated, long-standing Chinese state-sponsored cyberespionage operation” during a search through Sophos Managed Detection and Response telemetry. The threat actors appear to still be active and operational.

The investigation into the Crimson Palace threat was initiated following the discovery of a DLL sideloading technique that abused VMNat.exe, a legitimate VMware component, to load attacker-controlled code. The researchers at Sophos noted in a report released today that they found at least three separate clusters of intrusion activity between March 2023 and December 2023. This discovery also led to the identification of previously unreported malware associated with the threat clusters, as well as an enhanced version of the EAGERBEE malware. The clusters, labeled Cluster Alpha (STAC1248), Cluster Bravo (STAC1807), and Cluster Charlie (STAC1305), were closely monitored by Sophos.
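The sideloading pattern described above (a signed vendor binary copied somewhere it does not belong and made to load a DLL placed beside it) can be hunted for in image-load telemetry. The following is an added detection example, not code from Sophos or from the report it describes; the event fields, the expected install directories for VMNat.exe, the DLL name and the sample events are all constructed assumptions for illustration.

```python
"""Heuristic hunt for DLL sideloading in image-load events.

Added example (not Sophos code). Event fields loosely follow Sysmon
Event ID 7 (ImageLoad); the field names and all sample values below
are assumptions constructed for this example.
"""
from dataclasses import dataclass
from pathlib import PureWindowsPath

# Assumed legitimate install directories for the host binary the article names.
# Placeholder values: tune to the paths actually present in your environment.
EXPECTED_DIRS = {
    "vmnat.exe": {
        r"c:\program files (x86)\vmware\vmware workstation",
        r"c:\program files (x86)\vmware\vmware player",
    },
}

# Loads from these directories are the normal case and are not flagged.
SYSTEM_DIRS = {r"c:\windows\system32", r"c:\windows\syswow64"}


@dataclass
class ImageLoad:
    image: str         # full path of the process executable
    image_loaded: str  # full path of the DLL it loaded
    signed: bool       # whether the DLL carries a valid signature
    signer: str        # signer subject, empty if unsigned


def sideload_indicators(ev: ImageLoad) -> list[str]:
    """Return the reasons (possibly none) an image-load event looks like sideloading."""
    exe = PureWindowsPath(ev.image.lower())
    dll = PureWindowsPath(ev.image_loaded.lower())
    exe_dir, dll_dir = str(exe.parent), str(dll.parent)
    reasons = []

    # 1. A known host binary running from somewhere other than its install directory.
    expected = EXPECTED_DIRS.get(exe.name)
    if expected is not None and exe_dir not in expected:
        reasons.append("host binary running outside its expected install directory")

    # 2. A DLL resolved from the executable's own directory rather than a system
    #    directory, and lacking a valid signature: the classic sideload shape.
    if dll_dir == exe_dir and dll_dir not in SYSTEM_DIRS and not ev.signed:
        reasons.append("unsigned DLL loaded from the host binary's own directory")

    return reasons


def scan(events: list[ImageLoad]) -> list[tuple[ImageLoad, list[str]]]:
    """Return only the events that carry at least one sideloading indicator."""
    hits = []
    for ev in events:
        reasons = sideload_indicators(ev)
        if reasons:
            hits.append((ev, reasons))
    return hits


# Constructed sample telemetry: one benign load, one that matches the pattern.
SAMPLE_EVENTS = [
    ImageLoad(
        image=r"C:\Program Files (x86)\VMware\VMware Workstation\vmnat.exe",
        image_loaded=r"C:\Windows\System32\kernel32.dll",
        signed=True,
        signer="Microsoft Windows",
    ),
    ImageLoad(
        image=r"C:\Users\Public\Libraries\vmnat.exe",
        image_loaded=r"C:\Users\Public\Libraries\example_sideload.dll",  # assumed name
        signed=False,
        signer="",
    ),
]

if __name__ == "__main__":
    for ev, reasons in scan(SAMPLE_EVENTS):
        print(ev.image)
        for r in reasons:
            print("   -", r)
```

Each rule on its own produces false positives (portable installs, vendors that legitimately ship helper DLLs beside their executables), so the two indicators are reported together and a hit is a triage lead rather than a verdict; the unsigned-DLL check is what separates a relocated but intact vendor install from a staged sideload.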

Despite limited visibility into the targeted network due to extensive deployment of Sophos endpoint protection within the organization, further investigations revealed evidence of past intrusion activity dating back to early 2022. This indicated that the threat actors had likely maintained access to unmanaged assets within the network for an extended period.

The Crimson Palace clusters were found to be utilizing tools and infrastructure associated with various Chinese threat actors, including BackdoorDiplomacy, REF5961, Worok, TA428, Unfading Sea Haze, and the APT41 subgroup Earth Longzhi. The actors were observed attempting to retrieve intelligence-related documents, particularly military strategies in the South China Sea, indicating their focus on gathering information of strategic importance.

While the individual clusters displayed distinct behaviors, there were overlaps in their operations and compromised infrastructure, suggesting a certain level of coordination or awareness between the actors involved. Cluster Bravo was relatively short-lived, operating only in March 2023, while Cluster Alpha ceased communication in August 2023. However, Cluster Charlie remained active at least until April 2024, with the threat actors demonstrating a resurgence in activity after a period of dormancy.

The researchers documented the different patterns of behavior and overlaps between the clusters in a Venn diagram, highlighting the similarities and differences among them. Additionally, they identified novel malware variants, such as CCoreDoor, PocoProxy, and an updated version of EAGERBEE, along with extensive use of DLL sideloading techniques and various evasion tactics to avoid detection.

Sophos credited the work of ten researchers for their thorough investigation of the threat, acknowledging their efforts in uncovering the tactics and tools employed by the Chinese espionage threat actors. The team’s findings shed light on the evolving nature of cyber threats and the persistent efforts of state-sponsored actors to infiltrate critical networks for intelligence gathering purposes.
