Asean
Credit: ASEAN Secretariat / Kusuma Pandu Wijaya

Chinese ‘Crimson Palace’ espionage campaign keeps hacking Southeast Asian governments

A high-stakes cat and mouse game between defenders and a sophisticated trio of Chinese cyberespionage groups has continued this year, with the hackers launching a string of attacks on government organizations in Southeast Asia despite attempts to disrupt their activity.

Researchers at Sophos published on Tuesday their second report covering what they call Crimson Palace — a Southeast Asia-based espionage campaign run by Chinese state-backed hackers.

Sophos examined activities last year by the three groups carrying out the campaign, but after a brief hiatus, researchers saw renewed activity from two of them in the fall of 2023 and throughout this year.

“We’ve been in an ongoing chess match with these adversaries,” said Paul Jaramillo, director of threat hunting and threat intelligence at Sophos. 

The three groups — which Sophos calls Cluster Alpha, Cluster Bravo and Cluster Charlie — each have ties to Chinese state-backed groups previously identified by other companies and governments, including APT15 and a subgroup of APT41 known by some researchers as “Earth Longzhi.”

The groups are still launching attacks and are now expanding their operations, attempting to infiltrate other organizations across Southeast Asia. 

“Given how frequently Chinese nation-state groups share infrastructure and tools, and the fact that Cluster Bravo and Cluster Charlie are moving beyond the original target, we will likely continue to see this campaign evolve — and in potentially new locations,” Jaramillo said.

The report follows up on one released in June about attacks on an unnamed government organization. Even after Sophos incident responders identified the groups and disrupted their operation, the activity continued and expanded to “numerous” other organizations in the region, according to Sophos. 

After having many of their custom tools identified and blocked by Sophos, the groups switched to more open-source tools, illustrating “how quickly these attacker groups can adapt and remain persistent,” Jaramillo added.

They were also observed using malware that researchers named “Tattletale” — a novel tool used to “impersonate users who have signed into the system and gather information related to password policies, security settings, cached passwords, browser information, and storage data.”

Cluster Charlie was initially seen attacking a “high-level” government organization in an unnamed Southeast Asian nation from March to August 2023 but went dormant for several weeks before reemerging briefly in September and again in May 2024. 

The goal of the Crimson Palace campaign is still the exfiltration of data and intelligence, but the hackers have also sought to repeatedly regain access to victim networks.

They stole sensitive documents, keys for cloud infrastructure — including disaster recovery and backups — other critical authentication keys and certificates, and configuration data for IT and network infrastructure, according to Sophos. 

The attackers focused their efforts on gaining deeper access to an organization’s network, evading security tools and gathering more information. Cluster Charlie adopted several tactics Sophos attributed to the other groups, lending credibility to the researchers’ previous assessment that the clusters are operating under one overarching organization.

The researchers discovered attacks by the groups on at least 11 other unnamed organizations and agencies in the same region, including two non-governmental public service organizations. The attackers also used their compromise of organizations to deliver malware and tools to others “under the guise of a trusted access point.”

“The threat actors were precise in how they leveraged these compromised environments for hosting, making sure to always use an infected organization within the same vertical for their attacks,” the researchers said, noting that the attacks ran from January to June 2024. 

“The affected organizations represent a broad swath of the targeted government’s critical functions.”

Chinese hackers have maintained an extensive web of cyberespionage campaigns targeting governments across Southeast Asia as diplomatic fights over territory in the South China Sea have become more heated in recent years.

Jonathan Greig is a Breaking News Reporter at Recorded Future News. Jonathan has worked across the globe as a journalist since 2014. Before moving back to New York City, he worked for news outlets in South Africa, Jordan and Cambodia. He previously covered cybersecurity at ZDNet and TechRepublic.