Chinese hacking groups stole ‘sensitive’ intel on South China Sea from SE Asian government

Chinese nation-state hackers spent nearly two years targeting a high-level Southeast Asian government department in search of information about the country’s strategy concerning the hotly contested South China Sea.

Researchers from cybersecurity firm Sophos said a 2023 investigation led them to discover three different clusters of hacker activity focused on the same unnamed government organization. 

They initially found a data exfiltration tool used as far back as December 2022 that was previously attributed to the Chinese threat group Mustang Panda but subsequently found multiple clusters of activity that worked in tandem to steal data, acquire credentials allowing for deeper access and more. 

Two of the clusters matched tactics and techniques used by the well-known Chinese nation-state group APT15 and a subgroup of APT41 known by some researchers as “Earth Longzhi.”

“The different clusters appear to have been working in support of Chinese state interests by gathering military and economic intelligence related to the country’s strategies in the South China Sea,” said Paul Jaramillo, director of threat hunting and threat intelligence at Sophos. 

“In this particular campaign, we believe these three clusters represent distinct groups of attacks who are working in parallel against the same target under the overarching directive of a central state authority.” 

The goal of the campaign — which the researchers named “Crimson Palace” — was reconnaissance and the exfiltration of documents containing “sensitive political, economic, and military information.”

“What we’ve seen with this campaign is the aggressive development of cyberespionage operations in the South China Sea. We have multiple threat groups, likely with unlimited resources, targeting the same high-level government organization for weeks or months at a time, and they are using advanced custom malware intertwined with publicly available tools,” Jaramillo said. 

“They were, and are still, able to move throughout an organization at will, rotating their tools on a frequent basis. At least one of the activity clusters is still very much active and attempting to conduct further surveillance.”

The researchers found evidence that the groups were using the victim’s network as a sort of “playground” to test different techniques in disabling anti-virus protections or map infrastructure and administrative accounts. Some of the tools used by the attackers had connections to hosts running at other government organizations in the same country that may have also been compromised. 

“Furthermore, the target network is a high-profile government organization in a Southeast Asian country known to have repeated conflict with China over territory in the South China Sea,” the researchers said.  

Some of the observed malware strains were previously discovered by other cybersecurity companies, including one hired to provide cybersecurity protection to the foreign affairs ministry of a Southeast Asian country.

The South China Sea continues to be one of the most disputed areas in Asia due to China’s repeated encroachments on territorial claims made by Vietnam, the Philippines, Malaysia, Indonesia and Taiwan. 

China has issued an order, slated to take effect on June 15, that would see its coast guard arrest fishermen if they are caught in waters claimed by Beijing. Philippine President Ferdinand Marcos Jr. called it an “escalation” in comments last week.

Researchers at Bitdefender reported last week that at least eight government and military entities in the South China Sea have been compromised in recent years by a group allegedly aligned with Chinese interests.