CyberSecurity SEE

Chinese Tag Team APTs Continue to Steal Asian Government Secrets

A recent report has revealed that a trio of threat clusters, operating on behalf of the People's Republic of China (PRC), has compromised more than a dozen new targets, highlighting the aggressive cyber tactics employed by these threat actors. According to the report, one of the targets was a government organization in Southeast Asia, further underscoring the serious nature of these attacks.

Known as “Operation Crimson Palace,” these threat clusters have been active since March 2023, with a significant increase in their activities in 2024. Despite facing aggressive countermeasures from cybersecurity analysts, the threat actors involved in Crimson Palace have managed to evade detection and continue targeting both public and private organizations in Asia. The stolen data includes potentially sensitive strategic information from a prominent government agency in a Southeast Asian nation, as outlined in a recent report by Sophos.

Operation Crimson Palace employs a team-based approach to cyber espionage, akin to the setup seen in heist movies like "Ocean's 11." The three independent teams identified by Sophos, named Alpha, Bravo, and Charlie, each play a distinct role in the attack chain. Dividing the work this way lets each cluster focus on specific tasks, increasing the efficiency and effectiveness of the operation as a whole.

Cluster Alpha, for instance, handles the initial access phase by conducting network reconnaissance, establishing persistence in target systems, deploying backdoors, and disrupting security software. Cluster Bravo, on the other hand, specializes in infrastructure tasks such as preparing networks for malware deployment and establishing command-and-control communications channels. Notably, Bravo has borrowed infrastructure from various organizations, including government agencies, for staging malware.

The most sophisticated of the three clusters, Cluster Charlie, is responsible for maintaining system access and exfiltrating sensitive data. This cluster has demonstrated resilience and adaptability in the face of countermeasures: after Sophos blocked its custom C2 tool, Charlie quickly pivoted to open-source tools and developed new custom malware to evade detection. That adaptability is further reflected in the multiple combinations of sideloading chains, execution methods, and shellcode loaders Charlie has used for malware delivery.

As cybersecurity experts warn, threat actors like those behind Operation Crimson Palace are relentless in their pursuit of valuable information. Even when faced with obstacles, they will continue to innovate and adapt their tactics to achieve their objectives. This ongoing threat underscores the importance of robust cybersecurity measures and constant vigilance in the face of evolving cyber threats.
