June 5, 2024 at 04:14PM
Since at least March 2023, Chinese state-sponsored actors have run the Crimson Palace cyberespionage campaign against a Southeast Asian government agency. The campaign involved new malware variants and three coordinated activity clusters. These clusters, operating during Chinese work hours, carried out reconnaissance, lateral movement, and persistent access management. Sophos researchers believe the clusters represent distinct actors working toward Chinese state interests. Although Sophos blocked some of the activity, the adversary has attempted to resume operations, and Sophos continues to monitor the situation.
Key takeaways from the Sophos report:
– Chinese state-sponsored actors, operating under the campaign name Crimson Palace, have been targeting a Southeast Asian government agency since at least March 2023 in a cyberespionage campaign.
– The campaign used new malware variants and involved three distinct activity clusters, indicating a coordinated operation rather than a single intrusion set.
– Sophos linked the three clusters to known Chinese threat groups, including “BackdoorDiplomacy,” “REF5961,” “Worok,” “TA428,” and the APT41 subgroup Earth Longzhi, and assesses with high confidence that the clusters operate under a single organization.
– The clusters operated during Chinese work hours, with little or no overlap in timing between them, which suggests deliberate coordination and task division rather than independent actors stumbling onto the same network.
– Sophos observed spikes in malicious activity at times such as a public holiday in the target country, likely timed to catch defenders understaffed and to act while systems were less closely monitored.
– Although the initial access vector could not be determined, the threat actor had access to the network since at least March 2022, a year before the Crimson Palace clusters were identified, as indicated by a detection of the Nupakage malware, a tool typically used for data exfiltration.
– While Sophos blocked some of the threat actor’s C2 implants and observed a period of inactivity in Cluster Alpha, Cluster Charlie activity resumed after a few weeks of silence, at a higher tempo and with more evasive tradecraft, indicating an attempt to re-establish and maintain the foothold rather than a retreat.
– Sophos continues to monitor the intrusion activity in the target network.
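The timing observations in the takeaways above (activity in Chinese work hours, little overlap between clusters, a spike on a target-country holiday) rest on ordinary temporal analysis of timestamped telemetry. The following is an added illustration of that analysis and is not Sophos’s code or data: the event list is constructed, the cluster labels, the 08:00-18:00 working-hour window, the UTC+7 target-country zone and the holiday date are all assumptions made for the example. The same functions work on any (timestamp, cluster) pairs pulled from EDR or proxy logs.

```python
from collections import Counter, defaultdict
from datetime import datetime, timedelta, timezone
from statistics import median

# China Standard Time (UTC+8): the zone in which the clusters' working hours were observed.
CST = timezone(timedelta(hours=8))
UTC = timezone.utc
# Assumed zone of the targeted Southeast Asian agency (UTC+7 is an assumption for the example).
TARGET_TZ = timezone(timedelta(hours=7))
WORK_START, WORK_END = 8, 18  # assumed working-hour window, 08:00-18:00 local time

# Constructed sample telemetry, not real Crimson Palace data: (UTC timestamp, cluster label).
SAMPLE_EVENTS = [
    ("2023-03-06T01:15:00Z", "Alpha"),    # Mon 09:15 CST
    ("2023-03-06T03:40:00Z", "Alpha"),    # Mon 11:40 CST
    ("2023-03-06T06:05:00Z", "Bravo"),    # Mon 14:05 CST
    ("2023-03-06T08:30:00Z", "Bravo"),    # Mon 16:30 CST
    ("2023-03-07T00:50:00Z", "Alpha"),    # Tue 08:50 CST
    ("2023-03-07T02:20:00Z", "Charlie"),  # Tue 10:20 CST
    ("2023-03-07T02:45:00Z", "Alpha"),    # Tue 10:45 CST, same hour as a Charlie event
    ("2023-03-07T09:45:00Z", "Charlie"),  # Tue 17:45 CST
    ("2023-03-07T15:10:00Z", "Bravo"),    # Tue 23:10 CST, outside working hours
    ("2023-03-11T02:00:00Z", "Charlie"),  # Sat 10:00 CST, weekend
    ("2023-05-03T01:00:00Z", "Charlie"),  # hypothetical target-country holiday: a burst of activity
    ("2023-05-03T01:30:00Z", "Charlie"),
    ("2023-05-03T02:10:00Z", "Alpha"),
    ("2023-05-03T03:00:00Z", "Alpha"),
    ("2023-05-03T04:00:00Z", "Charlie"),
    ("2023-05-03T05:30:00Z", "Alpha"),
]
# Hypothetical holiday calendar for the target country (assumption for the example).
TARGET_HOLIDAYS = {"2023-05-03"}


def to_local(ts_utc: str, tz=CST) -> datetime:
    """Parse an ISO-8601 UTC timestamp ending in 'Z' and convert it to the reference zone."""
    return datetime.fromisoformat(ts_utc.replace("Z", "+00:00")).astimezone(tz)


def in_working_hours(local: datetime) -> bool:
    """True if the local time falls on a weekday inside the assumed working-hour window."""
    return local.weekday() < 5 and WORK_START <= local.hour < WORK_END


def working_hour_fraction(events, tz=CST) -> dict:
    """Per cluster, the share of events inside the reference zone's working hours.
    A share near 1.0 for UTC+8, and a much lower share when the same events are
    evaluated in other candidate zones, is the evidence behind an 'operates on
    Chinese work hours' statement."""
    total, inside = Counter(), Counter()
    for ts, cluster in events:
        total[cluster] += 1
        if in_working_hours(to_local(ts, tz)):
            inside[cluster] += 1
    return {c: round(inside[c] / total[c], 2) for c in total}


def hourly_overlap(events, tz=CST) -> dict:
    """Hour buckets (local date, hour) in which more than one cluster was active.
    Very few such buckets is what 'little to no overlap' looks like in telemetry."""
    active = defaultdict(set)
    for ts, cluster in events:
        local = to_local(ts, tz)
        active[(local.date().isoformat(), local.hour)].add(cluster)
    return {bucket: sorted(cs) for bucket, cs in active.items() if len(cs) > 1}


def holiday_spikes(events, holidays, tz=TARGET_TZ) -> dict:
    """Dates in the target's holiday calendar whose event count exceeds the median daily
    count. Days are bucketed in the target's zone, since that is where the holiday falls."""
    per_day = Counter(to_local(ts, tz).date().isoformat() for ts, _ in events)
    baseline = median(per_day.values())
    return {d: n for d, n in per_day.items() if d in holidays and n > baseline}


if __name__ == "__main__":
    print("working-hour share (UTC+8):", working_hour_fraction(SAMPLE_EVENTS))
    print("working-hour share (UTC):  ", working_hour_fraction(SAMPLE_EVENTS, UTC))
    print("hours with >1 cluster active:", hourly_overlap(SAMPLE_EVENTS))
    print("holiday spikes:", holiday_spikes(SAMPLE_EVENTS, TARGET_HOLIDAYS))
```

The comparison across candidate zones is the part worth keeping in mind: a cluster that scores near 1.0 in UTC+8 and near 0.0 in UTC is a timing signal, whereas a cluster that scores high in several zones tells you little. Timing evidence alone never attributes an intrusion; it only corroborates tooling and infrastructure overlaps such as those Sophos reported.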