Cybersecurity News that Matters


Renewed phase of Chinese espionage operation targeted government agency in Southeast Asia

Illustration by Areum Hwang, The Readable

by David DiMolfetta

Sep. 12, 2024
8:24 PM GMT+9

A closely watched Chinese government-backed cyber espionage campaign has been found targeting a prominent Southeast Asian government agency, new findings out Tuesday reveal.

The report on the Crimson Palace campaign, tracked by Sophos researchers, details newer and more sophisticated attacks against government organizations, non-governmental entities and public service networks in the region.

According to the analysis, the attackers stole sensitive documents, keys for cloud systems—including those for disaster recovery and backups—as well as essential authentication keys, certificates and configuration data for IT and network infrastructure.

The Sophos Managed Detection and Response team discovered the campaign’s expansion after detecting renewed activity following a brief period of dormancy in mid-2023. Although the operation appeared to cease in August 2023, one activity cluster, dubbed Cluster Charlie, resumed operations several weeks later, signaling the start of a second phase of the campaign.

Two other clusters, named Alpha and Bravo, have also reemerged with new tactics. In this latest phase, the trio has been introducing previously undocumented malware tools and expanding their reach across the region. One discovery is the deployment of a new keylogger, dubbed “TattleTale,” designed to steal sensitive information, such as credentials and system data, by covertly collecting and cataloging a user’s keystrokes on their computer.

The Beijing-backed hackers exploited compromised networks to stage malware, using infected organizations as control hubs. In one case, the cyber operatives exploited a compromised Microsoft Exchange server to launch additional malware attacks, creating footholds across various organizations.

After Sophos identified and shut down the custom tooling used by the groups, researchers observed them shifting to off-the-shelf open-source tools. One notable example is the Havoc command-and-control (C2) framework, which lets an operator task and control machines they have already compromised. Havoc was built primarily for red teams and penetration testers to exercise an organization's defenses, but the same capabilities serve an intruder equally well.

In another instance, the hackers used SharpHound, the open-source Active Directory data collector for BloodHound. It enumerates users, groups, computers, sessions and permissions across a domain so that the paths an intruder could take to privileged accounts can be mapped.

“This activity demonstrates a continued interest by the actors behind Cluster Charlie in mapping the environment’s infrastructure topography from multiple perspectives,” the report stated. “The use of SharpHound would provide additional knowledge about the organization’s topology, including details of the permissions within the domain assigned to these mapped users.”
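The defensive counterpart to that mapping activity is spotting a collector at work. The script below is an added illustration, not code from Sophos, BloodHound or this article: it runs a heuristic over a handful of constructed LDAP search audit lines and flags a client that, within a short window, sweeps users, computers, groups, OUs, GPOs and trusts while requesting every object's security descriptor. The pipe-separated log format, the filter patterns, the ten-minute window and the four-category threshold are all assumptions made for the example, so tune them to what your directory servers actually log.

```python
"""Heuristic detection of SharpHound-style Active Directory enumeration from
LDAP search logs. Added illustration; not Sophos's or BloodHound's code."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample audit lines in an invented pipe-separated format (assumption:
# your directory server or LDAP proxy can emit something equivalent):
# timestamp|client IP|bound account|search base|LDAP filter|requested attributes
SAMPLE_LOG = """\
2024-09-10T09:01:02Z|10.0.5.23|CORP\\jdoe|DC=corp,DC=local|(&(objectClass=user)(sAMAccountName=jdoe))|memberOf
2024-09-10T09:05:10Z|10.0.5.77|CORP\\svc-backup|DC=corp,DC=local|(|(samAccountType=805306368)(samAccountType=805306369))|sAMAccountName,memberOf,nTSecurityDescriptor
2024-09-10T09:05:11Z|10.0.5.77|CORP\\svc-backup|DC=corp,DC=local|(objectClass=group)|member,nTSecurityDescriptor
2024-09-10T09:05:13Z|10.0.5.77|CORP\\svc-backup|CN=Configuration,DC=corp,DC=local|(objectClass=trustedDomain)|trustPartner,trustDirection
2024-09-10T09:05:14Z|10.0.5.77|CORP\\svc-backup|DC=corp,DC=local|(objectClass=organizationalUnit)|gPLink,nTSecurityDescriptor
2024-09-10T09:05:15Z|10.0.5.77|CORP\\svc-backup|DC=corp,DC=local|(objectClass=groupPolicyContainer)|gPCFileSysPath,nTSecurityDescriptor
2024-09-10T11:30:00Z|10.0.5.23|CORP\\jdoe|DC=corp,DC=local|(&(objectCategory=computer)(cn=FILE01))|dNSHostName
"""

# Object classes a full SharpHound-style collection sweeps in one run. Exact
# filters differ between collector versions; treat these as heuristic indicators.
CATEGORY_PATTERNS = {
    "users":     re.compile(r"samAccountType=805306368|objectClass=user\b", re.I),
    "computers": re.compile(r"samAccountType=805306369|objectCategory=computer", re.I),
    "groups":    re.compile(r"objectClass=group\b", re.I),
    "ous":       re.compile(r"objectClass=organizationalUnit", re.I),
    "gpos":      re.compile(r"objectClass=groupPolicyContainer", re.I),
    "trusts":    re.compile(r"objectClass=trustedDomain", re.I),
}
# Asking for the security descriptor of every object is how ACL edges get collected.
ACL_ATTRIBUTE = "ntsecuritydescriptor"
WINDOW = timedelta(minutes=10)   # assumed tuning values, not published thresholds
MIN_CATEGORIES = 4


def parse_line(line):
    """Split one audit line. The filter may itself contain '|' (LDAP OR), so the
    attribute list is peeled off from the right instead of splitting naively."""
    ts, client, account, base, rest = line.split("|", 4)
    filt, attrs = rest.rsplit("|", 1)
    return {
        "time": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
        "client": client,
        "account": account,
        "base": base,
        "filter": filt,
        "attrs": {a.strip().lower() for a in attrs.split(",")},
    }


def categories_for(filt):
    """Which object classes a single LDAP filter enumerates."""
    return {name for name, pat in CATEGORY_PATTERNS.items() if pat.search(filt)}


def detect_enumeration(log_text, window=WINDOW, min_categories=MIN_CATEGORIES):
    """Return one finding per (client, account) whose searches within `window`
    cover at least `min_categories` object classes. A targeted lookup of one
    user or host never crosses the threshold; a domain-wide collector does."""
    by_source = defaultdict(list)
    for line in log_text.splitlines():
        if line.strip():
            ev = parse_line(line)
            by_source[(ev["client"], ev["account"])].append(ev)

    findings = []
    for (client, account), evs in by_source.items():
        evs.sort(key=lambda e: e["time"])
        for i, start in enumerate(evs):
            seen, acl, count, last = set(), False, 0, start["time"]
            for ev in evs[i:]:
                if ev["time"] - start["time"] > window:
                    break
                seen |= categories_for(ev["filter"])
                acl = acl or ACL_ATTRIBUTE in ev["attrs"]
                count += 1
                last = ev["time"]
            if len(seen) >= min_categories:
                findings.append({
                    "client": client,
                    "account": account,
                    "start": start["time"].isoformat(),
                    "end": last.isoformat(),
                    "queries": count,
                    "categories": seen,
                    "acl_collection": acl,
                })
                break  # later windows for this source only repeat the finding
    return findings


if __name__ == "__main__":
    for f in detect_enumeration(SAMPLE_LOG):
        print(f"{f['client']} as {f['account']}: {f['queries']} searches "
              f"{f['start']}..{f['end']} covering {sorted(f['categories'])}, "
              f"ACL collection={f['acl_collection']}")
```

On the constructed lines, the help-desk style lookups from 10.0.5.23 touch one object class each and hours apart, so they stay quiet, while svc-backup from 10.0.5.77 covers all six classes in five seconds and asks for nTSecurityDescriptor throughout, which is the signature of an ACL-collecting sweep. A service account doing that from a workstation address is worth an immediate look, whichever collector produced it.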

The findings follow earlier Sophos research disclosed in June about similar espionage activity by Crimson Palace. At that time, the company reported that sensitive military intelligence related to the South China Sea had been stolen by the Chinese hackers.

The targeted government organizations remain unnamed in the Sophos findings. However, the hackers’ focus on key government entities in Southeast Asia highlights their intent to gather intelligence and exert influence in the region. The South China Sea remains a contentious flashpoint for territorial disputes in Asia, and cross-strait tensions between China and Taiwan have intensified hacking and espionage efforts between the two.

Chinese government-aligned hacking groups are showing increased interest in targets across the Asia-Pacific region, experts said in June. That same month, cybersecurity firm Recorded Future identified China-backed hackers targeting various Taiwanese organizations, including in the education and government sectors.

Beijing has consistently denied involvement in or support for hacking activities, arguing that it’s a victim of cyberattacks. The Chinese government insists that research findings linking hacker collectives to its central government are fraudulent.


Related article: The I-Soon data leak, Chinese APTs, and implications for Southeast Asia

Illustration by Areum Hwang, The Readable

On February 16, an unidentified individual uploaded data onto GitHub—a platform favored by software engineers—claiming that I-Soon, also known as Anxun in Mandarin, a Chinese IT security services firm, operates as an independent hacking contractor. The firm was accused of developing malicious software and conducting cyber espionage activities on behalf of the Chinese government.

Wu Haibo, the CEO of I-Soon and a renowned hacker recognized by the alias “Shutd0wn,” was previously a member of the “Green Army,” the first hacktivist group in China, established in 1997. Founded in Shanghai in 2010, I-Soon has since broadened its reach, establishing several subsidiaries throughout China. According to the Associated Press, conversations with two I-Soon employees revealed that Chinese officials are investigating the origins of the leaked files. Although the source of the leaks remains unknown, numerous cybersecurity experts deem the disclosed information to be credible.

Taiwanese security analyst @azakasekai_ first brought the I-Soon data leak to public attention and uncovered lists of victims that detail the scope of the data theft. The alleged victims span a range of sectors including government, telecommunications, healthcare, aviation, and academia across various countries. These countries include Afghanistan, Cambodia, Hong Kong, India, Indonesia, Kazakhstan, Kyrgyzstan, Malaysia, Mongolia, Myanmar, Nepal, Pakistan, Philippines, South Korea, Thailand, Turkey, Vietnam, Egypt, Nigeria, Rwanda, France, among others.


  • David DiMolfetta

    David DiMolfetta is a contributing writer at The Readable. Based in Washington D.C., he is a full-time cybersecurity reporter for Nextgov/FCW, a news website and trade magazine focused on U.S. federal...
