Sophos exposes Chinese espionage campaign in Southeast Asia

Sophos, a global cybersecurity leader, has uncovered a sophisticated, nearly two-year-long espionage campaign targeting a high-level government entity in Southeast Asia.

The campaign, which began in 2023, involved multiple Chinese state-sponsored threat groups and used novel malware to infiltrate and exfiltrate sensitive information, according to a new report titled “Operation Crimson Palace: Threat Hunting Unveils Multiple Clusters of Chinese State-Sponsored Activity Targeting Southeast Asia.”

The investigation by Sophos X-Ops revealed three distinct clusters of cyber activity within the targeted organization’s network.

These clusters, identified as Cluster Alpha, Cluster Bravo, and Cluster Charlie, displayed tactics, techniques, and procedures (TTPs) consistent with those used by known Chinese nation-state groups such as BackdoorDiplomacy, APT15, and the APT41 subgroup Earth Longzhi. Sophos has since dubbed the overall operation “Crimson Palace.”

“The attackers designed their operation to gather reconnaissance on specific users as well as sensitive political, economic, and military information, using a wide variety of malware and tools throughout the campaign,” said Paul Jaramillo, director of threat hunting and threat intelligence at Sophos.

Among the tools used was a previously unseen piece of malware, named PocoProxy by Sophos, which was utilized for persistence within the network.

Sophos believes that these clusters were working in parallel under the directive of a central state authority, all focusing on the same target.

“It’s well-known that Chinese attackers share infrastructure and tooling, and this recent campaign is a reminder of just how extensively these groups share their tools and techniques,” Jaramillo noted.

The cyber espionage operation appears to have been aimed at gathering military and economic intelligence related to China’s strategic interests in the South China Sea.

Notably, Cluster Alpha, active from March to August 2023, utilized upgraded malware associated with the Chinese threat group REF5961 and demonstrated overlap with TTPs used by BackdoorDiplomacy, APT15, and others.

Cluster Bravo, which was active for only three weeks in March 2023, focused on lateral movement within the network and employed a backdoor named CCoreDoor to establish external communications and exfiltrate credentials.

Meanwhile, Cluster Charlie remained active from March 2023 through at least April 2024, deploying PocoProxy to maintain persistence and exfiltrate sensitive data, including military and political documents.

“What we’ve seen with this campaign is the aggressive development of cyber espionage operations in the South China Sea,” said Jaramillo. “These groups, likely with unlimited resources, are using advanced custom malware intertwined with publicly available tools, rotating their methods frequently.”

Sophos’ report serves as a stark reminder of the persistent threat posed by state-sponsored cyber activities.

“As Western governments elevate awareness about cyberthreats from China, the overlap Sophos has uncovered is an important reminder that focusing too much on any single Chinese attribution may put organizations at risk of missing trends about how these groups coordinate their operations,” Jaramillo warned.

The findings from this investigation underscore the importance of comprehensive threat intelligence in defending against complex cyber threats. As one of the clusters remains active, Sophos continues to monitor the situation and share updates with the global intelligence community.

For a detailed technical deep dive into this espionage campaign, visit Sophos.com to read the full “Operation Crimson Palace” report.

Read more about this espionage campaign in “Operation Crimson Palace: Threat Hunting Unveils Multiple Clusters of Chinese State-Sponsored Activity Targeting Southeast Asia” on Sophos.com.

Learn more about the three activity clusters in “Operation Crimson Palace: A Technical Deep Dive” on Sophos.com.