Summary:
A cyberespionage campaign recently targeted a government agency that frequently clashes with China over the South China sea. This campaign used previously undetected backdoors and had links to known Chinese state threat actors. Researchers at Sophos Managed Detection and Response uncovered this complex operation, named "Crimson Palace," and attributed it with high confidence to Chinese state-sponsored hacking clusters. The hackers aimed to gather intelligence from military documents related to South China Sea strategies.

Sophos first detected the activity in May 2023, with evidence of earlier intrusions from the previous year. The operation involved three clusters of activity, named Alpha, Bravo, and Charlie, which appeared to coordinate their schedules. These clusters are believed to be separate actors working under a central authority with similar objectives. The activity matched typical Chinese working hours, and the campaign targeted documents valuable to Chinese state interests.

Key technical details include the involvement of various clusters of activity. Cluster Alpha overlapped with known threat actors like BackdoorDiplomacy and TA428. Cluster Bravo used a previously unknown backdoor named "CCoreDoor" and did not overlap with any known threat actors. Cluster Charlie was linked to Earth Longzhi, a subgroup of APT41, and used an unknown backdoor called "PocoProxy."


Security Officer Comments:
Sophos blocked the last known implants in August, but Cluster Charlie resumed activity with more evasive techniques. Rather than leaving implants on the network, cluster hackers used a different instance of a web shell to re-penetrate the network and began to shift among different command-and-control channels as well as methods of deploying implants. This discovery by Sophos highlights China's ongoing cyberespionage efforts to assert its territorial claims in the South China Sea, contested by several neighboring countries.


Suggested Corrections:
Organizations can make APT groups’ lives more difficult. Here’s how:

• Defense-in-depth strategy: A comprehensive defense-in-depth strategy is crucial to combat APTs. This includes implementing multiple layers of security controls, such as strong perimeter defenses, network segmentation, endpoint protection, intrusion detection systems, data encryption, access controls, and continuous monitoring for anomalies.
• Threat intelligence and sharing: Ideally, organizations should actively participate in threat intelligence sharing communities and collaborate with industry peers, government agencies, and security vendors. Sharing information about APTs and their techniques can help detect and mitigate attacks more effectively.
• Employee education and awareness: Regular security awareness programs, phishing simulations, and training sessions can educate employees about the latest threats, social engineering techniques, and safe computing practices.
• Incident response and recovery: Despite preventive measures, organizations should have a well-defined incident response plan. This includes incident detection, containment, eradication, and recovery procedures to minimize the impact of APT attacks and restore normal operations.

Link(s):
https://www.databreachtoday.com/chinese-south-china-sea-cyberespionage-campaign-unearthed-a-25411