Chinese Tag Team APTs Keep Stealing Asian Gov't Secrets

A PRC threat cluster known as "Crimson Palace" is demonstrating the benefits of having specialized units carry out distinct stages of a wider attack chain.


A trio of threat clusters working in service of the People's Republic of China (PRC) have compromised at least a dozen new targets, including one Southeast Asian government organization.

Operation Crimson Palace has been around since March 2023, but has been particularly active in 2024, as the threat actors fight against cybersecurity analysts to stay alive. In fact, despite being outed and actively hunted, Crimson Palace's three arms have managed to continue breaching public and private organizations in Asia, and stealing potentially sensitive strategic data and materials from what Sophos described in a new report as "a prominent agency within the government of a Southeast Asian nation."

The Ocean's 11 of the Cyber-Threat World

Every heist movie has a team, where each team member has a unique specialty. You've got your getaway driver, your hacker or safecracker, the weapons expert, the muscle, the silver-tongued vixen.

Operation Crimson Palace uses this team-based approach for cyber heists. Instead of operating as a monolithic advanced persistent threat (APT), three independent teams — tracked by Sophos as Alpha, Bravo, and Charlie — each have a unique, though partly overlapping role in the wider attack chain. This setup allows each cluster to hyperfocus on specific tasks, and allows different clusters to work on different compromises simultaneously.

Cluster Alpha typically handles initial access: performing network reconnaissance and mapping, moving laterally and establishing persistence in a targeted system, deploying backdoors, interrupting security software, and so on.

Broadly speaking, Cluster Bravo is the infrastructure specialist. It further entrenches and spreads in target networks, prepares the field for malware deployment, and establishes command-and-control (C2) communications channels, often by using one Crimson Palace victim as a relay point through which to attack another. From January to June, Sophos identified a number of organizations — including one government agency — whose infrastructure Bravo borrowed for purposes of malware staging.

"It's obscuring the command-and-control in places where you might already be expecting to see traffic," explains Chester Wisniewski, global field chief technology officer (CTO) at Sophos. "If you see HTTPS traffic directly with one of your primary telecommunications providers — or perhaps with another government agency or business entity in the country that's commonly engaging with people in your environment — it's going to be a lot harder to determine if that's [coming from a malicious] C2, or if it's just normal business operations."
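The point Wisniewski makes is that destination reputation alone cannot separate relayed C2 from legitimate traffic to a telecom provider or partner agency. One property the destination cannot hide is timing: an implant that checks in on a schedule produces connection intervals far more regular than human-driven browsing. The script below, an added illustration that is not from the Sophos report or from Dark Reading, scores each source/destination pair in a constructed proxy log by how regular its connection intervals are. The log format, the hostnames and the IP addresses are all assumptions for the example, not indicators from this campaign.

```python
"""Flag periodic ("beaconing") HTTPS connections in proxy logs, independent of
how trusted the destination host looks. Added example with constructed data."""
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed sample proxy log: "<ISO8601 time> <src ip> <dst host> <dst port> <bytes>".
# Hostnames and addresses are placeholders invented for this example.
# 10.0.5.12 -> gov-partner.example checks in roughly every 300 s (beacon-like).
# 10.0.7.3  -> telecom-portal.example is irregular (human browsing).
# 10.0.9.8  -> gov-partner.example is regular but has too few events to score.
SAMPLE_LOG = """\
2024-06-03T09:00:00Z 10.0.5.12 gov-partner.example 443 1240
2024-06-03T09:00:10Z 10.0.7.3 telecom-portal.example 443 58211
2024-06-03T09:00:00Z 10.0.9.8 gov-partner.example 443 900
2024-06-03T09:01:45Z 10.0.7.3 telecom-portal.example 443 13020
2024-06-03T09:05:00Z 10.0.5.12 gov-partner.example 443 1198
2024-06-03T09:05:00Z 10.0.9.8 gov-partner.example 443 912
2024-06-03T09:07:30Z 10.0.7.3 telecom-portal.example 443 7744
2024-06-03T09:08:02Z 10.0.7.3 telecom-portal.example 443 91002
2024-06-03T09:10:00Z 10.0.9.8 gov-partner.example 443 905
2024-06-03T09:10:01Z 10.0.5.12 gov-partner.example 443 1251
2024-06-03T09:15:00Z 10.0.5.12 gov-partner.example 443 1203
2024-06-03T09:20:00Z 10.0.5.12 gov-partner.example 443 1260
2024-06-03T09:20:11Z 10.0.7.3 telecom-portal.example 443 4410
2024-06-03T09:21:00Z 10.0.7.3 telecom-portal.example 443 66780
2024-06-03T09:25:02Z 10.0.5.12 gov-partner.example 443 1187
2024-06-03T09:30:00Z 10.0.5.12 gov-partner.example 443 1244
2024-06-03T09:35:00Z 10.0.5.12 gov-partner.example 443 1219
2024-06-03T09:45:00Z 10.0.7.3 telecom-portal.example 443 20500
"""


def parse_line(line):
    """Split one assumed-format log line into (timestamp, src, dst, port, bytes)."""
    ts, src, dst, port, nbytes = line.split()
    when = datetime.fromisoformat(ts.replace("Z", "+00:00"))
    return when, src, dst, int(port), int(nbytes)


def find_beacons(log_text, min_events=6, max_cv=0.2):
    """Return (src, dst) pairs whose connection intervals are suspiciously regular.

    min_events: connections required before a pair is scored; a handful of
                samples carries no timing signal and would produce false hits.
    max_cv:     maximum coefficient of variation (stdev / mean of the gaps)
                to flag; real implants add jitter, so this is a tunable, not 0.
    """
    by_pair = defaultdict(list)
    for line in log_text.splitlines():
        if not line.strip():
            continue
        when, src, dst, _port, _nbytes = parse_line(line)
        by_pair[(src, dst)].append(when)

    findings = []
    for (src, dst), times in by_pair.items():
        if len(times) < min_events:
            continue
        times.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        avg = mean(gaps)
        if avg <= 0:
            continue
        cv = pstdev(gaps) / avg
        if cv <= max_cv:
            findings.append({
                "src": src,
                "dst": dst,
                "events": len(times),
                "mean_interval_s": round(avg, 1),
                "cv": round(cv, 3),
            })
    return findings


if __name__ == "__main__":
    for finding in find_beacons(SAMPLE_LOG):
        print(finding)
```

On the constructed log the only pair flagged is the one that checks in every five minutes, even though its destination is the same "trusted" partner host that another workstation talks to without being flagged. In practice this score is one enrichment among several: it should be paired with byte-size consistency and with an allowlist of known scheduled jobs, and `max_cv` must be tuned on a baseline of the organization's own traffic before it is used for alerting.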

Though Bravo hasn't always featured heavily in Crimson Palace attacks, it has come to life in more recent cases. Sophos newly identified Bravo activity in at least 11 Asian organizations and agencies, including government contractors.

"It's very possible Cluster Alpha [and Bravo] doesn't even know what they're after, other than that this is the target environment that they must keep the door open to, to allow someone else in who's aware of what the goal is," Wisniewski notes.

That someone else is Cluster Charlie.

Cluster Charlie: An Unstoppable Threat

Cluster Charlie is the cleanup hitter, responsible for whatever is necessary to maintain system access and exfiltrate sensitive data. Befitting its role, it appears to be the most active and sophisticated of the three clusters.

Its story took shape following its first run-in with researchers in August 2023. After Sophos blocked its custom C2 tool, PocoProxy, the Charlie cluster went quiet for a few weeks. Then, beginning that September and continuing ever since, it has constantly bounced back with a new tactic, technique, or procedure (TTP) for every one its adversaries have blocked.

In response to having its custom malware blocked, Charlie turned to the open source community, making use of at least 11 tools for C2 (e.g. Cobalt Strike), shellcode loading (e.g. Donut), evasion of EDR software (e.g. RealBindingEDR), and more. "When they had custom C2 access to the environment and we successfully blocked it, they pivoted to some open source tools," Wisniewski recalls. "And then when that didn't work, they came back with new custom tooling."

Charlie's creativity came through the most in its means of malware delivery. In the period between last November and this past May, Charlie deployed C2 implants using no less than 28 unique combinations of sideloading chains, execution methods, and shellcode loaders. On multiple occasions during the month of February, the group even conducted a kind of A/B testing, deploying its malicious files using slightly varying means to test which method would work best.

As Wisniewski warns, "If you have something they want — even if you're successful in figuring out their current approach to how they're attacking the network — they're not going to stop. They will continue to innovate and iterate."

About the Author

Nate Nelson, Contributing Writer

Nate Nelson is a freelance writer based in New York City. Formerly a reporter at Threatpost, he contributes to a number of cybersecurity blogs and podcasts. He writes "Malicious Life" -- an award-winning Top 20 tech podcast on Apple and Spotify -- and hosts every other episode, featuring interviews with leading voices in security. He also co-hosts "The Industrial Security Podcast," the most popular show in its field.
