Chinese espionage campaign exposed

SophosNews


Sophos researchers have uncovered a Chinese espionage campaign in Southeast Asia. Sophos X-Ops found links between five known Chinese threat groups, including APT41 and BackdoorDiplomacy, and the attackers used two previously unknown malware families for espionage and persistence.

The report, "Operation Crimson Palace: Sophos Threat Hunting Unveils Multiple Clusters of Chinese State-Sponsored Activity Targeting Southeast Asia," documents in detail a sophisticated espionage campaign, running for nearly two years, against a high-value government target.

Chinese espionage campaign ran for nearly two years

During the Sophos X-Ops investigation, launched in 2023, the Managed Detection and Response (MDR) team found three distinct clusters of activity targeting the same organization. Two of the clusters used tactics, techniques, and procedures (TTPs) that overlap with those of known Chinese nation-state groups: BackdoorDiplomacy, APT15, and the APT41 subgroup Earth Longzhi.

The attackers designed their operation to spy on specific users and collect sensitive political, economic and military information. During the campaign, which Sophos tracks as "Crimson Palace," they used a variety of malware and tools. These include two previously unknown malware families: a backdoor and a persistence tool, which Sophos named "CCoreDoor" and "PocoProxy" respectively.

Various Chinese attackers – a common infrastructure

"The various clusters appear to have worked in the interests of Chinese state interests by gathering military and economic intelligence to support the country's strategies in the South China Sea," said Paul Jaramillo, Director of Threat Hunting & Threat Intelligence at Sophos. "In this particular campaign, we believe the three clusters operated in parallel against the same target under the direction of a central government agency.

Within one of the three clusters we identified - Cluster Alpha - we saw overlap between malware and TTPs with four separately reported Chinese threat groups. Chinese attackers are known to share infrastructure and tools, and this latest campaign is a cautionary tale of how extensively these groups share their tools and techniques."

Making defense measures more intelligent

Jaramillo continued: "While Western governments raise awareness of cyber threats from China, the overlap uncovered by Sophos is an important reminder that focusing too much on a single Chinese actor can put organizations at risk of missing trends in the way these groups coordinate their operations. By looking beyond the box, organizations can be smarter about their defenses."

More at Sophos.com

About Sophos

More than 100 million users in 150 countries trust Sophos. We offer the best protection against complex IT threats and data loss. Our comprehensive security solutions are easy to deploy, use and manage. They offer the lowest total cost of ownership in the industry. Sophos offers award-winning encryption solutions, security solutions for endpoints, networks, mobile devices, email and the web. In addition, there is support from SophosLabs, our worldwide network of our own analysis centers. The Sophos headquarters are in Boston, USA and Oxford, UK.
