Three Things Sophos Has Learned about Chinese State Actors from Their Investigation into Crimson Palace
This past February, the Cybersecurity and Infrastructure Security Agency (CISA) released perhaps its most consequential report of the year: the Chinese state-sponsored threat group, Volt Typhoon, had been making a concerted effort to compromise critical infrastructure throughout the United States. And the threat extends far beyond the U.S. Western intelligence agencies believe the group has compromised thousands of devices worldwide.
While Chinese threat groups have been a major focus of the security community for well over a decade, there has been a renewed surge in public reporting, as organizations and governments grapple with the mounting threat of Chinese cyber actors.
For its part, Sophos has been investigating a case of Chinese cyberespionage in the South China Sea for more than a year. The campaign, which Sophos X-Ops first reported on in June 2024 and named Operation Crimson Palace, involves three separate threat activity clusters (Cluster Alpha, Cluster Bravo, and Cluster Charlie) targeting a high-level government agency in Southeast Asia. While the adversaries, who appear linked to several well-known Chinese nation-state groups, took a brief hiatus from operating within this environment in summer of last year, they’ve since returned with new tools, targets, and tactics, impacting an additional 11 organizations within the region.
Given that Chinese threat groups often share tactics, techniques, and procedures (TTPs) with one another, and given that many of these “frontline” operators often report to the same overarching central authority, operations like Crimson Palace can provide important insights for defenders on safeguarding against state-sponsored adversaries.
Here are three things we’ve learned about Chinese adversaries from our recent research:
1. They’re not just recycling tools. They’re actively coordinating
While differences in tooling and infrastructure support the theory of multiple actors targeting the same organization, there also appears to be a level of coordination among the clusters discovered within Operation Crimson Palace. Heatmaps of tracked activity suggested that each threat activity cluster had its own “working hours,” with each cluster working around the others’ “schedules.” In addition, each cluster appeared to specialize in a given objective. After the Chinese New Year, Cluster Bravo was often the cluster that initially deployed malware within the environment, while Cluster Alpha prioritized the identification of administrative users and Cluster Charlie focused on long-term persistence within the environment and exfiltration.
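One way to make the “working hours” observation concrete, as an added example that is not Sophos code: the block below profiles cluster-labelled event timestamps by local hour of day, renders a simple text heatmap, and reports which hours two clusters share. The events, the cluster labels, the activity windows and the UTC+8 offset are all constructed assumptions for the sample data, not values from the investigation; in practice the timestamps would be first-seen times of implants, C2 beacons or interactive commands, already attributed to a cluster by tooling and infrastructure.

```python
from collections import defaultdict
from datetime import datetime, timedelta, timezone


def _make_events():
    """Constructed sample telemetry: (UTC timestamp, cluster label).

    Generated deterministically so the block runs offline. The UTC windows
    per cluster are assumptions chosen so that the clusters do not overlap.
    """
    base = datetime(2024, 3, 4, tzinfo=timezone.utc)  # a Monday
    windows = {  # cluster -> (first UTC hour, last UTC hour, inclusive)
        "Alpha": (0, 7),
        "Bravo": (8, 10),
        "Charlie": (11, 15),
    }
    events = []
    for day in range(14):
        for cluster, (start, end) in windows.items():
            for hour in range(start, end + 1):
                if (day * 7 + hour) % 3:  # thin the data so the heatmap is uneven
                    ts = base + timedelta(days=day, hours=hour, minutes=17)
                    events.append((ts, cluster))
    return events


EVENTS = _make_events()


def hour_profile(events, utc_offset_hours=0):
    """Count events per local hour of day for each cluster.

    utc_offset_hours shifts timestamps into a candidate operator timezone
    (8 for UTC+8, an assumption here) so rows read as local working hours.
    """
    tz = timezone(timedelta(hours=utc_offset_hours))
    profile = defaultdict(lambda: [0] * 24)
    for ts, cluster in events:
        profile[cluster][ts.astimezone(tz).hour] += 1
    return dict(profile)


def active_hours(profile, min_events=1):
    """Hours of day in which each cluster logged at least min_events events."""
    return {
        cluster: {h for h, n in enumerate(counts) if n >= min_events}
        for cluster, counts in profile.items()
    }


def overlap_hours(profile, a, b, min_events=1):
    """Sorted hours in which clusters a and b were both active."""
    act = active_hours(profile, min_events)
    return sorted(act[a] & act[b])


def render(profile):
    """ASCII heatmap: one row per cluster, one cell per hour, '.' when idle."""
    shades = ".:-=+*#"
    peak = max(max(counts) for counts in profile.values()) or 1
    lines = []
    for cluster, counts in sorted(profile.items()):
        row = "".join(shades[n * (len(shades) - 1) // peak] for n in counts)
        lines.append(f"{cluster:>8} |{row}|")
    lines.append(" " * 10 + "".join(str(h % 10) for h in range(24)))
    return "\n".join(lines)


if __name__ == "__main__":
    prof = hour_profile(EVENTS, utc_offset_hours=8)
    print(render(prof))
    print("Alpha/Bravo overlap:", overlap_hours(prof, "Alpha", "Bravo"))
    print("Bravo/Charlie overlap:", overlap_hours(prof, "Bravo", "Charlie"))
```

Try several offsets when reading real data: a profile that looks like a normal working day at one offset and a split shift at another is itself a clue, and a schedule that shifts with a public holiday in one country but not another narrows things further.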
2. They’re bolstering their resiliency and adaptability with open-source tools
Part of the challenge in ejecting Chinese state actors is their nearly limitless resources, and the adaptability and persistence those resources make possible.
In the case of Operation Crimson Palace, the attackers used open-source tools to keep their access uninterrupted. Once Sophos X-Ops blocked their custom malware, the attackers would regroup and return with open-source tools as a stopgap until the next iteration of their custom malware was operational. In fact, from November to April 2023, the attackers deployed at least 28 different implants over 28 weeks, introducing a new implant roughly every week in an attempt to evade Sophos X-Ops' newly created detections.
As Chinese adversaries bolster their resiliency, defenders must work to do the same. 24/7 monitoring and response is a critical capability.
3. There’s some new malware in the field
Throughout their investigation, Sophos X-Ops uncovered several novel pieces of malware, which may be deployed in future Chinese threat operations.
Tattletale: This novel keylogger can impersonate users that have signed into the system and then gather information related to passwords, security settings, and browser information.
PocoProxy: This is a persistence tool, masquerading as a harmless text (.txt) file run by a Microsoft executable, that maintains communications with the attackers’ command and control (C2) infrastructure.
LSASS Logon Credential Interceptor: This tool is specially designed to collect login credentials to Microsoft accounts in order to maintain consistent access to the target.
Because of Chinese state actors’ level of sophistication and their extreme persistence, finding and ejecting them from systems often requires hands-on-keyboard activity. In the case of Operation Crimson Palace, it was the experts on our managed detection and response (MDR) team who discerned the pattern behind the various malicious payloads, and who then began the challenging work of creating detections to block them. As critical infrastructure organizations work to safeguard their systems, in-the-field threat hunting has an essential role to play and is often a vital addition to standard endpoint protection.
To learn more about how Sophos X-Ops MDR experts uncovered this extensive Chinese cyberespionage campaign, be sure to register for the webinar Surfacing a Hydra: Operation Crimson Palace on Sept. 24 at 1:00 PM CT.
In February, CISA's report revealed the significant threat posed by the Chinese state-sponsored group Volt Typhoon, targeting critical U.S. infrastructure. Western intelligence indicates this threat extends globally, with thousands of compromised devices.
Very informative
10+ Years of Experience as IT Technical Support , Network Support Engineer, IT System Admin, Pre-sales, Project Support
3mo
I agree
Standards Developer (Specializing in Open Source Software)
3mo
Sophos: You know, possibly better than anyone, how expensive it is to hire qualified vulnerability specialists, pen testers, and competent black hats, so why the negative focus/tone on this?
SOC Analyst | Cyber Security Analyst | Incident Response | ITIL | CTI | CTH | LetsDefend SOC Analyst Certified | Google Cyber Security Certified |
3mo
🤘🤘🤘