June 5, 2024 at 07:54AM
A high-profile government organization in Southeast Asia became the target of a lengthy Chinese state-sponsored cyber espionage campaign named Crimson Palace. The operation aimed to maintain network access for espionage, focusing on accessing critical systems, gathering sensitive information, and deploying various malware. The attackers utilized an array of tools and evasion techniques. This follows similar cyber attacks by Chinese state-backed groups in Italy and Canada.
From the meeting notes:
– An unnamed high-profile government organization in Southeast Asia was targeted by a “complex, long-running” Chinese state-sponsored cyber espionage operation named Crimson Palace.
– Sophos researchers reported that the campaign aimed to maintain access for cyberespionage in support of Chinese state interests, accessing critical IT systems, collecting sensitive military and technical information, and deploying malware implants.
– The government organization was not disclosed, but it is known to have conflicts with China in the South China Sea; it is possibly the Philippines.
– Crimson Palace comprises three intrusion clusters, showing evidence of older activity dating back to March 2022, likely part of a coordinated campaign under the direction of a single organization.
– The attack used previously undocumented malware like PocoProxy and an updated version of EAGERBEE, as well as known malware families like NUPAKAGE and EtherealGh0st.
– The attackers used novel evasion techniques to avoid detection, including overwriting DLLs in memory, abusing AV software for sideloading, and testing efficient and evasive methods of executing their payloads.
– The observed clusters reflect the operations of two or more distinct actors working in tandem with shared objectives, indicating the work of a single group with a large array of tools, diverse infrastructure, and multiple operators.
– Yoroi detailed attacks by the APT41 actor using a variant of the PlugX malware known as KEYPLUG targeting organizations in Italy, with variants for both Windows and Linux platforms. Additionally, the cybersecurity firm warned of increasing attacks by Chinese state-backed hacking groups targeting the government, critical infrastructure, and research and development sectors.
The meeting notes provide an overview of the cyber espionage operation, highlighting the tactics, targets, and findings of the Sophos researchers. The information sheds light on the extensive and coordinated nature of the attack, as well as the evolving strategies and tools employed by state-sponsored threat actors.