Operation Crimson Palace: Chinese Threat Clusters Target High-Profile Southeast Asia Government Organisation
Over the past year, a coordinated cyberattack known as “Operation Crimson Palace” saw three Chinese state-aligned threat clusters working together to steal sensitive military and political secrets from a prominent government organisation in Southeast Asia. A recent report by Sophos has shed light on the sophistication and coordination involved in this operation, underscoring the growing threat of state-sponsored cyber espionage.
Unveiling Operation Crimson Palace
According to the Sophos report, Operation Crimson Palace was marked by new malware tools, more than 15 distinct dynamic link library (DLL) sideloading attempts, and novel evasion techniques. In a sideloading attack, a legitimate (often signed) executable is placed next to a malicious DLL carrying the name of a library the executable expects to load, so the malicious code runs inside a trusted process and inherits its reputation. The attackers, organised into three distinct threat clusters, each played a specialised role in the broader attack chain, likely under the direction of a single entity.
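One way a defender can hunt for the sideloading pattern described above is to score Sysmon Event ID 7 (Image loaded) records: a DLL that normally ships in a Windows system directory being loaded from elsewhere, from the loading executable's own directory, unsigned, or from a user-writable path. The following is an added example, not code from the Sophos report or from this article; the event records are constructed, the allow-list of DLL names and the alert threshold are assumptions, and the `|`-separated key=value line format stands in for Sysmon's XML.

```python
"""Heuristic DLL sideloading detector over Sysmon Event ID 7 (Image loaded) records.

Added example with constructed records. Each record is one line of '|'-separated
key=value pairs using Sysmon's own field names: Image (loading process),
ImageLoaded (the DLL), Signed, SignatureStatus. Thresholds are assumptions.
"""
import ntpath

SYSTEM_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\", "c:\\windows\\winsxs\\")
WRITABLE_HINTS = ("\\programdata\\", "\\appdata\\", "\\temp\\", "\\users\\public\\")
# DLL names that normally live in a Windows system directory and are frequent
# sideloading targets. Constructed allow-list; build it from a golden image in practice.
SYSTEM_DLL_NAMES = {"version.dll", "dbghelp.dll", "wtsapi32.dll", "userenv.dll",
                    "cryptbase.dll", "msvcr100.dll", "profapi.dll"}


def parse_record(line):
    """Parse 'k=v|k=v' into a dict; keys are lowercased, values kept verbatim."""
    rec = {}
    for field in line.strip().split("|"):
        key, _, value = field.partition("=")
        rec[key.strip().lower()] = value.strip()
    return rec


def score_load(rec):
    """Return (score, reasons) for one Event 7 record; each matching heuristic adds 1."""
    proc = rec.get("image", "").lower()
    dll = rec.get("imageloaded", "").lower()
    if not proc or not dll:
        return 0, []
    dll_name = ntpath.basename(dll)
    dll_dir = ntpath.dirname(dll) + "\\"
    proc_dir = ntpath.dirname(proc) + "\\"
    reasons = []
    # 1. A DLL that normally lives in System32/SysWOW64 is loaded from somewhere else.
    if dll_name in SYSTEM_DLL_NAMES and not dll_dir.startswith(SYSTEM_DIRS):
        reasons.append("system DLL name loaded outside a Windows system directory")
    # 2. Classic sideload layout: the DLL sits in the same directory as the executable.
    if dll_dir == proc_dir and not dll_dir.startswith(SYSTEM_DIRS):
        reasons.append("DLL loaded from the executable's own directory")
    # 3. The loaded DLL is unsigned or its signature did not validate.
    if rec.get("signed", "").lower() != "true" or rec.get("signaturestatus", "").lower() != "valid":
        reasons.append("DLL unsigned or signature not valid")
    # 4. The DLL was loaded from a location ordinary users can write to.
    if any(hint in dll_dir for hint in WRITABLE_HINTS):
        reasons.append("DLL in user-writable location")
    return len(reasons), reasons


def find_sideloads(lines, threshold=3):
    """Return the records scoring at or above threshold, with the reasons that fired."""
    hits = []
    for line in lines:
        if not line.strip():
            continue
        rec = parse_record(line)
        score, reasons = score_load(rec)
        if score >= threshold:
            hits.append({"image": rec["image"], "imageloaded": rec["imageloaded"],
                         "score": score, "reasons": reasons})
    return hits


# Constructed sample events: two benign loads followed by two sideloading-style loads.
SAMPLE_EVENTS = [
    "Image=C:\\Windows\\System32\\svchost.exe|ImageLoaded=C:\\Windows\\System32\\version.dll|Signed=true|SignatureStatus=Valid",
    "Image=C:\\Program Files\\VendorApp\\app.exe|ImageLoaded=C:\\Program Files\\VendorApp\\helper.dll|Signed=true|SignatureStatus=Valid",
    "Image=C:\\ProgramData\\Updater\\updater.exe|ImageLoaded=C:\\ProgramData\\Updater\\version.dll|Signed=false|SignatureStatus=Unavailable",
    "Image=C:\\Users\\Public\\svc.exe|ImageLoaded=C:\\Users\\Public\\dbghelp.dll|Signed=false|SignatureStatus=Unavailable",
]

if __name__ == "__main__":
    for hit in find_sideloads(SAMPLE_EVENTS):
        print(f"[{hit['score']}] {hit['image']} -> {hit['imageloaded']}")
        for reason in hit["reasons"]:
            print(f"      - {reason}")
```

The second sample (a vendor application loading its own signed helper from its install directory) scores 1 and is not reported, which is the point of scoring rather than matching a single rule: same-directory loads are normal for installed software, and only the combination with an unsigned DLL, a system-library name, or a writable drop location should page an analyst.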
This meticulous teamwork enabled the theft of a significant volume of files and emails, including strategic documents related to the contested South China Sea—a region of long-standing territorial disputes between the unidentified government and China.
The Role of Chinese Advanced Persistent Threats (APTs)
Chinese APTs have historically shared infrastructure and malicious code, but the level of inter-APT collaboration seen in Operation Crimson Palace is unprecedented. The operation’s origins trace back to March 2022, when the Mustang Panda group deployed the “Nupakage” data exfiltration tool on the victim’s network. In December of the same year, DLL stitching was used to covertly deploy backdoors against targeted domain controllers.
The campaign intensified in 2023 with the involvement of three threat clusters:
Cluster Alpha: From March to August 2023, this group conducted reconnaissance, mapping server subnets, identifying administrator accounts, and probing Active Directory infrastructure. They disabled antivirus protections using a variant of the Eagerbee backdoor from Emissary Panda and leveraged five different malware tools for command and control (C2).
Cluster Bravo: Active for only a few weeks in March 2023, Cluster Bravo spread laterally using legitimate accounts, establishing C2 communications and dumping credentials with a novel backdoor called CCoreDoor.
Cluster Charlie: Operating from March 2023 to April 2024, this group focused on maintaining access, mapping live endpoints with network ping sweeps, enumerating users, and capturing credentials from domain controllers. They used a novel backdoor named PocoProxy for C2 purposes and exfiltrated large volumes of sensitive data.
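The ping sweeps attributed to Cluster Charlie are one of the noisier steps in this chain and can be caught in flow or firewall logs: a single source sending ICMP echo requests to many distinct hosts within a short window. The following is an added example, not code from the Sophos report or from this article; the flow lines are constructed, the line format is a simplified stand-in for a flow export, and the window and threshold are assumptions to be tuned against a network's normal monitoring traffic.

```python
"""Detect ICMP ping sweeps in flow records: one source probing many distinct
destinations inside a short sliding window.

Added example with constructed flows. Each line: "<epoch_seconds> <src_ip> <dst_ip>
<proto> <icmp_type>", where icmp_type is 8 for echo request or '-' for non-ICMP.
Lines are expected in timestamp order, as a flow export normally is.
"""
from collections import defaultdict, deque


def parse_flow(line):
    ts, src, dst, proto, icmp_type = line.split()
    return {"ts": float(ts), "src": src, "dst": dst,
            "proto": proto.lower(), "icmp_type": icmp_type}


def detect_ping_sweeps(lines, window_s=10, min_targets=8):
    """Return one alert per source that sends echo requests to at least min_targets
    distinct hosts within window_s seconds: {src, first_ts, last_ts, targets}."""
    recent = defaultdict(deque)   # src -> deque of (ts, dst), oldest first
    alerted = {}                  # src -> its alert, so a sweep is reported once
    alerts = []
    for line in lines:
        if not line.strip():
            continue
        f = parse_flow(line)
        if f["proto"] != "icmp" or f["icmp_type"] != "8":
            continue
        q = recent[f["src"]]
        q.append((f["ts"], f["dst"]))
        # Slide the window: drop probes older than window_s relative to this probe.
        while q and f["ts"] - q[0][0] > window_s:
            q.popleft()
        targets = {dst for _, dst in q}
        if len(targets) >= min_targets:
            alert = alerted.get(f["src"])
            if alert is None:
                alert = {"src": f["src"], "first_ts": q[0][0],
                         "last_ts": f["ts"], "targets": set(targets)}
                alerted[f["src"]] = alert
                alerts.append(alert)
            else:
                alert["last_ts"] = f["ts"]
                alert["targets"] |= targets
    return alerts


def build_sample_flows():
    """Constructed traffic: one sweep, one monitoring host, one slow scan, one TCP flow."""
    lines = []
    # Sweep: 10.0.0.5 probes 10.0.1.1 .. 10.0.1.12, one new host every 0.5 s.
    for i in range(1, 13):
        lines.append(f"{1000 + i * 0.5} 10.0.0.5 10.0.1.{i} icmp 8")
    # Monitoring host: 10.0.0.9 polls the same three servers every 2 s (few distinct targets).
    for k in range(6):
        for j, host in enumerate(("10.0.2.10", "10.0.2.11", "10.0.2.12")):
            lines.append(f"{1000 + k * 2 + j * 0.1} 10.0.0.9 {host} icmp 8")
    # Slow scan: 10.0.0.7 reaches one new host every 6 s, never 8 within a 10 s window.
    for i in range(1, 11):
        lines.append(f"{1000 + i * 6} 10.0.0.7 10.0.3.{i} icmp 8")
    # Unrelated TCP traffic from the sweeping host, ignored by the ICMP filter.
    lines.append("1003.0 10.0.0.5 10.0.1.3 tcp -")
    lines.sort(key=lambda l: float(l.split()[0]))
    return lines


if __name__ == "__main__":
    for a in detect_ping_sweeps(build_sample_flows()):
        print(f"{a['src']} swept {len(a['targets'])} hosts "
              f"between t={a['first_ts']} and t={a['last_ts']}")
```

The slow-scan host in the sample is deliberately left undetected: an operator who spaces probes out beyond the window defeats a fixed-window count, so in practice this rule is paired with a longer-horizon count of distinct destinations per source, and the threshold is set above the fan-out of legitimate monitoring systems such as the polling host above.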
Attribution and Implications
Sophos researchers noted that the tools and infrastructure used in Operation Crimson Palace overlap with those of several known Chinese threat actors, including Worok and the APT41 subgroup Earth Longzhi. While the evidence strongly suggests Chinese government involvement, Sophos refrained from attributing the attack to a specific group.
Chester Wisniewski, director and global field CTO at Sophos, emphasised that focusing too much on attribution can be counterproductive. He pointed out that multiple groups might share stolen credentials and tools, making it difficult to predict future attacks based on past activity.
“Once you’re breached by one of these adversaries, all bets are off,” Wisniewski said. “You have to assume all those things are happening.”
Staying Informed and Vigilant
Operation Crimson Palace serves as a stark reminder of the evolving threat landscape and the importance of robust cybersecurity measures. To stay ahead of these threats, organisations must prioritise comprehensive security strategies, continuous monitoring, and timely updates to their defences.
For more insights into the latest cybersecurity threats and trends, subscribe to our newsletter and visit Convergex for expert cybersecurity services including malware detection, security training, and more.
Hashtags:
#Cybersecurity #Convergex #WebDevelopment #CybersecurityAwareness #CyberEssentials #SecurityTraining #MalwareDetection
FAQs
What is Operation Crimson Palace? Operation Crimson Palace is a sophisticated cyberattack involving three Chinese state-aligned threat clusters targeting a high-profile government organisation in Southeast Asia.
Who were the main threat clusters involved? The attack involved three clusters: Alpha, Bravo, and Charlie, each performing specialised tasks in the broader attack chain.
What kind of data was stolen? Sensitive military and political secrets, including strategic documents related to the South China Sea, were exfiltrated.
How did the attackers execute the operation? The attackers used new malware tools, DLL sideloading, innovative evasion techniques, and coordinated efforts across different threat clusters.
What should organisations do to protect themselves? Organisations should implement comprehensive security strategies, conduct continuous monitoring, and keep their defences updated to mitigate such sophisticated threats.