Crimson Palace Returns: New Tools, Tactics, and Targets
By Mark Parsons, Threat Hunter, Morgan Demboski, Threat Intelligence Analyst and Sean Gallagher, Principal Threat Researcher
After a brief break in activity, Sophos X-Ops continues to observe and respond to what we assess with high confidence as a Chinese state-directed cyberespionage operation targeting a prominent agency within the government of a Southeast Asian nation.
In the process of investigating that activity, which we track as Operation Crimson Palace, Sophos Managed Detection and Response (MDR) found telemetry indicating the compromise of additional government organizations in the region, and has detected related activity from these existing threat clusters in other organizations in the same region. The attackers consistently used other compromised organizational and public service networks in that region to deliver malware and tools under the guise of a trusted access point.
Our previous report covered activity from three associated security threat activity clusters (STACs) connected to the cyberespionage activity: Cluster Alpha (STAC1248), Cluster Bravo (STAC1870), and Cluster Charlie (STAC1305), all seen between March and August 2023. All three threat clusters operating inside the estate of the targeted agency went dormant in August 2023.
However, Cluster Charlie resumed activity several weeks later. This activity, which included a previously undocumented keylogger which we have named “TattleTale,” marked the beginning of a second phase and expansion of the intrusion activity throughout the region, which remains ongoing.
Sophos MDR also observed a series of detections that align with the tooling used by Cluster Bravo at entities outside the government agency covered in our initial report, including two non-governmental public service organizations and multiple additional organizations, all based in the same region. Those detections included telemetry that showed the use of one organization’s systems as a C2 relay point and a staging ground for tools, as well as the staging of malware on another organization’s compromised Microsoft Exchange server.