Sophos has released a new report detailing the latest developments in a two-year-long Chinese cyber espionage campaign in Southeast Asia. Sophos experts first published their findings in June, describing in detail alleged Chinese state activity inside a high-ranking government organization, comprising three separate clusters: Alpha, Bravo, and Charlie. Following a brief pause in August 2023, Sophos X-Ops detected renewed Cluster Bravo and Cluster Charlie activity, both within the original target organization and across multiple other organizations in the region.
While conducting the new research, the experts uncovered a novel keylogger, dubbed "Tattletale" by its threat hunters, which impersonates a logged-in user to gather information on password policies, security settings, compromised passwords, browser data, and backup files. The analysts note in their report that Cluster Charlie is increasingly relying on open-source tools compared to the initial wave of the operation, rather than deploying the kinds of bespoke malware developed for its early activity surge.
"We're engaged in an ongoing game of cat and mouse with these adversaries. During the initial phase of the operation, Cluster Charlie deployed tailored tools and malware to gain a foothold. Nevertheless, we were able to dismantle a significant portion of their earlier infrastructure, render their command-and-control tools ineffective, and force them to pivot. Their shift to open-source tools illustrates how quickly these attacker groups adapt and how relentless they are."
Cluster Charlie, whose tactics, techniques, and procedures (TTPs) align with those of the Chinese threat group Earth Longzhi, was initially active from March to August 2023. The cluster lay dormant for a few weeks, reemerged in September 2023, and remained active until at least May 2024. During the second phase of the campaign, Cluster Charlie focused on penetrating deeper into the targeted network, evading Endpoint Detection and Response (EDR) capabilities, and gathering additional intelligence. In addition to switching to open-source tools, Cluster Charlie began employing tactics initially used by Clusters Alpha and Bravo, which suggests that a single overarching organization governs all three activity clusters. Sophos X-Ops has also tracked ongoing Cluster Charlie activity at multiple other organizations in Southeast Asia.
Cluster Bravo, whose tactics, techniques, and procedures align with those of the Chinese threat group Unfading Sea Haze, was originally active in the targeted network for only a three-week span in March 2023. When the cluster reappeared in January 2024, it targeted at least eleven other organizations and agencies in the same region.
We observe not only the refinement and coordination of tactics among all three Crimson Palace clusters but also their intent to expand operations and infiltrate other targets in Southeast Asia. The fact that Chinese state groups share infrastructure and tools, with both Cluster Bravo and Cluster Charlie moving beyond the original objective, significantly increases the likelihood that the campaign will progress, according to Jaramillo.