
Sophos Identifies how Chinese State-Sponsored Espionage Expands in Southeast Asia

by Staff Writer
September 12, 2024
in Security
  • Nation-State Groups Pivot to Open-Source Tooling
  • Sophos Uncovers Novel Keylogger “Tattletale”

Sophos, a global leader of innovative security solutions for defeating cyberattacks, has released its report, “Crimson Palace: New Tools, Tactics, Targets,” which details the latest developments in a nearly two-year long Chinese cyberespionage campaign in Southeast Asia.

Sophos X-Ops first reported on what it named Operation Crimson Palace in June, detailing its discovery of three separate clusters of Chinese nation-state activity—Cluster Alpha, Cluster Bravo and Cluster Charlie—inside a high-profile government organization.

After a brief hiatus in August 2023, Sophos X-Ops noted renewed Cluster Bravo and Cluster Charlie activity, both within the initial targeted organization and in numerous other organizations within the region.

While investigating this renewed activity, Sophos X-Ops uncovered a novel keylogger that the threat hunters named “Tattletale,” which can impersonate users who have signed into the system and gather information related to password policies, security settings, cached passwords, browser information, and storage data.

Sophos X-Ops also notes in the report that, in contrast to the first wave of the operation, Cluster Charlie increasingly switched to using open-source tools rather than deploying the types of custom malware they developed in the initial wave of activity.

“We’ve been in an ongoing chess match with these adversaries. During the initial phases of the operation, Cluster Charlie was deploying various bespoke tools and malware,” said Paul Jaramillo, director, threat hunting and threat intelligence, Sophos. “However, we were able to ‘burn’ much of their previous infrastructure, blocking their Command and Control (C2) tools and forcing them to pivot. This is good; however, their switch to open-source tools demonstrates just how quickly these attacker groups can adapt and remain persistent. It also appears to be an emerging trend among Chinese nation-state groups. As the security community works to secure our most sensitive systems from these attackers, it’s important to share the insights into this pivot.”

Cluster Charlie, which shares tactics, techniques and procedures (TTPs) with the Chinese threat group Earth Longzhi, was originally active from March to August 2023 in a high-level government organization in Southeast Asia.

While the cluster was dormant for several weeks, it re-emerged in September 2023 and was active again until at least May 2024.

During this second stage of the campaign, Cluster Charlie focused on penetrating deeper into the network, evading endpoint detection and response (EDR) tools and gathering further intelligence. In addition to switching to open-source tools, Cluster Charlie also began using tactics initially deployed by Cluster Alpha and Cluster Bravo, suggesting that the same overarching organization is directing all three activity clusters.

Sophos X-Ops has tracked ongoing Cluster Charlie activity across multiple other organizations in Southeast Asia.

Cluster Bravo, which shares TTPs with the Chinese threat group Unfading Sea Haze, was originally only active in the targeted network for a three-week span in March 2023.

However, the cluster reappeared in January 2024, only this time it was targeting at least 11 other organizations and agencies in the same region.

“Not only are we seeing all three of the ‘Crimson Palace’ clusters refine and coordinate their tactics, but they’re also expanding their operations, attempting to infiltrate other targets in Southeast Asia. Given how frequently Chinese nation-state groups share infrastructure and tools, and the fact that Cluster Bravo and Cluster Charlie are moving beyond the original target, we will likely continue to see this campaign evolve—and in potentially new locations. We will be monitoring it closely,” said Jaramillo.

To learn more, read “Crimson Palace: New Tools, Tactics, Targets” on Sophos.com. For details about Sophos’ threat hunting and other services for disrupting cyberattacks, go to Sophos Managed Detection and Response (MDR).

For an in-depth look at the threat hunting behind this nearly two-year long cyber espionage campaign, register for the upcoming webinar “Intrigue of the Hunt: Operation Crimson Palace: Unveiling a Multi-Headed State-Sponsored Campaign” on Sept. 24 at 2 PM ET.
