Cyberwarfare / Nation-State Attacks , Fraud Management & Cybercrime
Chinese South China Sea Cyberespionage Campaign Unearthed
Sophos Finds 3 Clusters of Activity Dating at Least to May 2023A government agency in a country that has repeatedly clashed with China over Beijing's territorial ambitions in the South China Sea was the subject of a prolonged cyberespionage campaign that used previously undetected backdoors and partially overlaps with known Sino state threat actors.
See Also: OnDemand | 2024 Phishing Insights: What 11.9 Million User Behaviors Reveal About Your Risk
Researchers at Sophos Managed Detection and Response said Wednesday they uncovered a complex, multi-cluster Chinese state-sponsored cyberespionage operation they dubbed "Crimson Palace." Sophos, with high confidence, attributes the hacking activity to hacking clusters associated with Chinese-state-sponsored activities.
The hackers targeted documents held by the unnamed agency with file names indicating they have intelligence value, including military documents related to strategies in the South China Sea. The campaign was focused on gathering information that could benefit Chinese state interests. Sophos said it first detected the activity in May 2023 although investigations found evidence of "related earlier intrusion activity" dating to early the year before.
Sophos identified three clusters of activity and named them after the first three letters of the NATO Phonetic Alphabet - Alpha, Bravo and Charlie. Telemetry shows the clusters appear to schedule activity around each other, lending evidence that the threat actors in the clusters may be aware of the others' activities."
Beijing relies on military and domestic intelligence hackers as well as a network of private-sector hacking-for-hire government contractors to conduct cyberespionage. Leaks earlier this year from one of those contractors show that overlap between Sino hacking groups is at least partially attributable to companies that support multiple campaigns with similar tools. Sophos said it believes with moderate confidence that the clusters represent the work of separate actors "tasked by a central authority with parallel objectives."
Among the indicators of Chinese attribution are that the detected hacking activity corresponds to a typical Chinese working day of 8:00 a.m. to 5:00 p.m., China Standard Time.
Sophos is the latest cybersecurity company with hacking telemetry from South China Sea customers to point a finger at Beijing. China asserts territorial claims amounting to nearly two-thirds of the heavily trafficked sea - claims contested by neighbors including the Philippines, Taiwan, Vietnam, Malaysia and Indonesia. China's campaign of regional dominance includes building artificial islands, conducting aggressive patrolling, occupying some contested islands and conducting ample amounts of cyberespionage (see: Unfading Sea Haze APT Targeting South China Sea Governments).
Cluster Alpha activity overlapped with a known threat actor already tracked as BackdoorDiplomacy and TA428. Cluster Charlie overlapped with Earth Longzhi, a group identified by TrendMicro in 2022 as a subgroup of a larger Beijing threat actor known as APT41. Cluster Charlie used an unknown backdoor Sophos dubs "PocoProxy" in order to maintain persistent communications with a command-and-control server.
Cluster Bravo, which doesn't overlap with any previously known threat actor, used a previously unknown backdoor that Sophos calls "CCoreDoor."
Researchers also observed an updated variant of the Eagerbee malware, which included the capability to disrupt or block communications between the infected systems and the antivirus vendor's servers or domains.
Hackers made extensive use of DLL sideloading as a key attack technique. The report states that the campaign included over 15 distinct DLL sideloading scenarios, most of which abused Windows Services, legitimate Microsoft binaries and AV vendor software. DLL sideloading allows malware authors to abuse the way Windows loads dynamic link libraries, causing a malicious DLL to be loaded instead of the legitimate one.
The threat actors used evasive techniques such as overwriting ntdll.dll
in memory to unhook the Sophos AV agent process from the kernel. ntdll.dll
is a legitimate Windows system file that provides system services and functions to Windows applications. Overwriting of the file in memory allowed the attackers to evade detection by the Sophos AV agent and execute their payloads without being detected.
Sophos blocked the last of the campaign's known implants last August. For clusters Alpha and Bravo, that appeared to be that. Cluster Charlie resumed hacking after a few weeks "at a higher tempo and in a more evasive manner." Rather than leave implants on the network, cluster hackers used a different instance of a web shell to re-penetrate the network and began to shift among different command-and-control channels as well as methods of deploying implants.