
New research from Sophos shows that three China-linked threat clusters have been targeting government organizations in Southeast Asia as part of a state-sponsored espionage operation that Sophos tracks as Crimson Palace. The latest findings extend the known scope of the campaign, and the researchers attribute the activity to three clusters: Cluster Alpha (STAC1248), Cluster Bravo (STAC1870), and Cluster Charlie (STAC1305).
According to Sophos researchers Mark Parsons, Morgan Demboski, and Sean Gallagher, the attackers route command-and-control (C2) traffic through compromised organizational and public-service networks in the region, using them as relay points so that the traffic resembles ordinary communication between regional institutions rather than connections to unfamiliar infrastructure. In one case the attackers hosted their malware on a compromised Microsoft Exchange Server.
Cybercriminals linked to China continue to expand their attacks on government institutions in Southeast Asia as part of a new wave of espionage activity, codenamed Crimson Palace https://t.co/r9HNnqef9G
— Gray Hats (@the_yellow_fall) September 12, 2024
Sophos's earlier reporting on Crimson Palace covered activity from March 2023 to April 2024. The new findings show Cluster Bravo, which overlaps with the group tracked as Unfading Sea Haze, resurfacing between January and June 2024 with attacks on 11 other organizations. Cluster Charlie, which overlaps with Earth Longzhi, deployed C2 frameworks such as Cobalt Strike and Havoc and paired them with EDR-evasion tooling in order to keep its implants running and exfiltrate intelligence.
One notable tactic is Cluster Charlie's use of DLL hijacking, in which a malicious library is placed where a legitimate executable will resolve and load it. This mirrors techniques Sophos had previously observed from Cluster Alpha, suggesting that tooling and tradecraft are shared between the clusters. The attackers also use open-source tools such as RealBlindingEDR (which strips the kernel callbacks that EDR sensors rely on) and the Alcatraz binary obfuscator to evade detection, and they deployed a newly identified keylogger, TattleTale, that harvests sensitive data from the Google Chrome and Microsoft Edge browsers.
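Because DLL hijacking leaves a distinctive trace in image-load telemetry, the following script, added here as an illustration and not taken from the Sophos report or the article, triages Sysmon Event ID 7 ("Image loaded") records for the pattern: a well-known system DLL resolved outside the Windows directory, or an unsigned library loaded from the host executable's own directory or from a user-writable path. The log records, the DLL name list and the directory lists are constructed assumptions to be tuned per environment.

```python
"""
Heuristic triage of Sysmon Event ID 7 (Image loaded) records for DLL
search-order hijacking and side-loading, the loader technique the article
attributes to Cluster Charlie and Cluster Alpha.

Added example, not code from the Sophos report or the article. The records in
SAMPLE_EVENTS are constructed for illustration; the field names follow Sysmon's
Event 7 schema (Image, ImageLoaded, Signed, SignatureStatus). The DLL name set
and directory lists are assumptions that must be tuned per estate.
"""
import json
from pathlib import PureWindowsPath

# System DLL names commonly planted beside a legitimate host binary so that the
# loader resolves the planted copy before the real one (assumed starter list).
COMMON_HIJACK_NAMES = {
    "version.dll", "dbghelp.dll", "wininet.dll", "cryptbase.dll", "userenv.dll",
    "profapi.dll", "mpr.dll", "dwmapi.dll", "wtsapi32.dll", "msvcr100.dll",
}
SYSTEM_DIRS = ("c:\\windows\\system32", "c:\\windows\\syswow64", "c:\\windows\\winsxs")
# Paths a standard user can write to; a library loaded from here never went
# through a software-deployment process (assumed list).
USER_WRITABLE_PREFIXES = ("c:\\users\\", "c:\\programdata\\", "c:\\windows\\temp\\")


def _norm(path: str) -> PureWindowsPath:
    """Lower-case and normalise slashes so that path comparisons are stable."""
    return PureWindowsPath(path.replace("/", "\\").lower())


def indicators(event: dict) -> list[str]:
    """Return the hijack indicators matched by one Event 7 record (empty = nothing odd)."""
    image, loaded = _norm(event["Image"]), _norm(event["ImageLoaded"])
    dll_dir, image_dir = str(loaded.parent), str(image.parent)
    in_system_dir = dll_dir.startswith(SYSTEM_DIRS)
    found = []
    if loaded.name in COMMON_HIJACK_NAMES and not in_system_dir:
        found.append("known_system_dll_outside_windows")
    if str(event.get("Signed", "false")).lower() != "true" or event.get("SignatureStatus") != "Valid":
        found.append("unsigned_or_invalid_signature")
    if dll_dir == image_dir and not in_system_dir:
        found.append("loaded_from_host_directory")
    if dll_dir.startswith(USER_WRITABLE_PREFIXES):
        found.append("user_writable_path")
    return found


def is_suspicious(found: list[str]) -> bool:
    """
    Alert rule: a well-known system DLL resolved outside the Windows directory is
    always worth a look; otherwise require an unsigned/invalid library plus at
    least one location indicator, so that signed vendor DLLs sitting next to
    their own executable (normal for many products) do not page anyone.
    """
    if "known_system_dll_outside_windows" in found:
        return True
    return "unsigned_or_invalid_signature" in found and len(found) >= 2


def scan(jsonl: str) -> list[tuple[str, list[str]]]:
    """Triage newline-delimited JSON Event 7 records; return (ImageLoaded, indicators) for hits."""
    hits = []
    for line in jsonl.splitlines():
        if not line.strip():
            continue
        event = json.loads(line)
        found = indicators(event)
        if is_suspicious(found):
            hits.append((event["ImageLoaded"], found))
    return hits


# Constructed sample records (not real telemetry).
SAMPLE_EVENTS = "\n".join(json.dumps(e) for e in [
    {"Image": r"C:\Windows\System32\svchost.exe",
     "ImageLoaded": r"C:\Windows\System32\version.dll",
     "Signed": "true", "SignatureStatus": "Valid"},
    {"Image": r"C:\Program Files\Vendor\app.exe",
     "ImageLoaded": r"C:\Program Files\Vendor\libcurl.dll",
     "Signed": "true", "SignatureStatus": "Valid"},
    {"Image": r"C:\Users\Public\Libraries\update\host.exe",
     "ImageLoaded": r"C:\Users\Public\Libraries\update\version.dll",
     "Signed": "false", "SignatureStatus": "Unavailable"},
    {"Image": r"C:\Program Files\Vendor\app.exe",
     "ImageLoaded": r"C:\ProgramData\cache\plugin.dll",
     "Signed": "false", "SignatureStatus": "Unavailable"},
])

if __name__ == "__main__":
    for dll, found in scan(SAMPLE_EVENTS):
        print(f"SUSPICIOUS {dll}: {', '.join(found)}")
```

Run against the constructed records, the script flags the planted version.dll under C:\Users\Public and the unsigned plugin in ProgramData, while the signed vendor library loaded from its own Program Files directory is left alone. In production the same logic would be fed from a SIEM export of Event 7, and the DLL name set should be grown from the side-loading pairs actually seen in the estate.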
The clusters divide the work between them: Cluster Alpha handles initial infiltration of target environments, Cluster Bravo deepens access across the network, and Cluster Charlie manages the exfiltration of data. Throughout the campaign the attackers have continually adapted their tooling in response to countermeasures, mixing custom-developed malware with legitimate penetration-testing tools so that their activity is harder to separate from authorised security work.
For defenders, the campaign's reliance on DLL hijacking, EDR tampering and relays through compromised but otherwise legitimate regional networks means that monitoring unexpected library loads and sensor health, and scrutinising outbound connections even to trusted peer organisations, matter as much as perimeter controls against state-sponsored threats of this kind.
Sandhya Goswami
Sandhya is a contributing author at Cloudways, specializing in content promotion and performance analysis. With a strong analytical approach and a keen ability to leverage data-driven insights, Sandhya excels in measuring the success of organic marketing initiatives.