Over the past year, a trio of Chinese state-aligned threat clusters collaborated to glean sensitive military and political secrets from a high-profile government organization in Southeast Asia.
A new Sophos report highlights not just the sophistication of the so-called “Operation Crimson Palace” — involving new malware tools, more than 15 dynamic link library (DLL) sideloading efforts, and some novel evasion techniques — but also a remarkable degree of coordination. Three different threat clusters performed specialized tasks in a broader attack chain, likely under the watch of a single organization.
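The DLL sideloading the report counts more than 15 instances of has a recognisable shape in endpoint telemetry: a legitimate, signed executable is dropped into a user-writable directory next to a malicious DLL whose name matches one the executable imports, so the loader resolves the attacker's copy before the real one in System32. The script below is an added example, not code from the Sophos report or the article, showing one way to hunt for that shape over constructed Sysmon-style ImageLoad (Event ID 7) records. `Image`, `ImageLoaded` and `SignatureStatus` are Sysmon's own field names; `ProcessSignatureStatus` is assumed to have been added by the collector from the matching process-creation event, and `KNOWN_SYSTEM_DLLS` is an illustrative subset, not a maintained list.

```python
"""Flag likely DLL sideloading in constructed Sysmon-style ImageLoad records.

Rule: a DLL loaded from the host process's own directory, outside the normal
install roots, that is not validly signed, where either the host executable is
signed (classic "signed host + planted DLL") or the DLL's name shadows a
well-known system DLL.
"""
import ntpath

# Install roots where co-located DLLs are expected; a process loading a DLL from
# its own directory under one of these is ordinary application behaviour.
TRUSTED_ROOTS = (
    "c:\\windows\\system32\\",
    "c:\\windows\\syswow64\\",
    "c:\\program files\\",
    "c:\\program files (x86)\\",
)

# Illustrative subset of Windows DLL names that sideloaders commonly shadow.
# Assumption: a real deployment would use a maintained hijackable-DLL list.
KNOWN_SYSTEM_DLLS = {"version.dll", "dbghelp.dll", "wtsapi32.dll",
                     "cryptbase.dll", "userenv.dll"}


def _norm(path):
    return path.lower().replace("/", "\\")


def _parent_dir(path):
    return ntpath.dirname(_norm(path)).rstrip("\\") + "\\"


def in_trusted_root(path):
    return any(_parent_dir(path).startswith(root) for root in TRUSTED_ROOTS)


def sideload_reason(ev):
    """Return why the event looks like sideloading, or None if it does not."""
    host, dll = ev["Image"], ev["ImageLoaded"]
    if _parent_dir(host) != _parent_dir(dll):
        return None                 # not loaded from the host's own directory
    if in_trusted_root(dll):
        return None                 # normal install location
    if ev.get("SignatureStatus") == "Valid":
        return None                 # validly signed DLL; outside this rule's scope
    reasons = []
    if ev.get("ProcessSignatureStatus") == "Valid":
        reasons.append("signed host loads unsigned co-located DLL")
    if ntpath.basename(_norm(dll)) in KNOWN_SYSTEM_DLLS:
        reasons.append("DLL name shadows a system DLL")
    return "; ".join(reasons) or None


def scan(events):
    """Return [(host image, dll path, reason)] for every flagged event."""
    hits = []
    for ev in events:
        reason = sideload_reason(ev)
        if reason:
            hits.append((ev["Image"], ev["ImageLoaded"], reason))
    return hits


# Constructed sample events (not telemetry from the report).
SAMPLE_EVENTS = [
    # Vendor app loading its own helper from Program Files: benign.
    {"Image": r"C:\Program Files\VendorApp\VendorApp.exe",
     "ImageLoaded": r"C:\Program Files\VendorApp\helper.dll",
     "SignatureStatus": "Valid", "ProcessSignatureStatus": "Valid"},
    # Signed binary in a public directory loading an unsigned version.dll: sideload.
    {"Image": r"C:\Users\Public\Libraries\sync\SyncTool.exe",
     "ImageLoaded": r"C:\Users\Public\Libraries\sync\version.dll",
     "SignatureStatus": "Unavailable", "ProcessSignatureStatus": "Valid"},
    # Unsigned dev build loading its own unsigned plugin: noisy, not flagged here.
    {"Image": r"C:\Users\alice\AppData\Local\devbuild\tool.exe",
     "ImageLoaded": r"C:\Users\alice\AppData\Local\devbuild\plugin.dll",
     "SignatureStatus": "Unavailable", "ProcessSignatureStatus": "Unavailable"},
    # Same suspicious host loading kernel32 from System32: not a sideload.
    {"Image": r"C:\Users\Public\Libraries\sync\SyncTool.exe",
     "ImageLoaded": r"C:\Windows\System32\kernel32.dll",
     "SignatureStatus": "Valid", "ProcessSignatureStatus": "Valid"},
]

if __name__ == "__main__":
    for hit in scan(SAMPLE_EVENTS):
        print(" | ".join(hit))
```

The third sample event is the deliberate caveat: an unsigned host loading an unsigned DLL from the same directory is what every developer build looks like, so the rule only fires when the host is signed or the DLL name is one attackers are known to shadow. Validly signed DLLs are skipped entirely, which means an attacker who signs their payload with a stolen or purchased certificate passes this check; that gap has to be covered by a different rule.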
That division of labor allowed the attackers to steal large numbers of files and emails, among them documents outlining strategic approaches to the hotly contested South China Sea, a territory over which the unidentified government has long feuded with China.
Operation Crimson Palace
Chinese advanced persistent threats (APTs) have been known to share infrastructure and malicious code, but Operation Crimson Palace takes inter-APT collaboration to new heights.
The first signs of Chinese-linked threat activity can be traced back at least to March 2022, when the “Nupakage” data exfiltration tool developed by Mustang Panda (aka Bronze President, Camaro Dragon, Earth Preta, Luminous Moth, Red Delta, Stately Taurus) was deployed to the victim government’s network. Later, in December 2022, an attacker performed DLL stitching to covertly deploy two backdoors against targeted domain controllers. Exactly who was behind this first year of activity is as yet unclear.
The Crimson Palace campaign began the following year, with the team Sophos calls Cluster Alpha. From March through August 2023, Alpha performed reconnaissance by mapping server subnets, noting administrator accounts, and probing Active Directory infrastructure. It disabled antivirus protections, in part by using a new variant of the Eagerbee backdoor from Emissary Panda (aka Iron Tiger, APT27). It also took various steps toward establishing persistence, leveraging uncommon LOLBins and no fewer than five different malware tools for command and control (C2).
Cluster Bravo had a quicker job. Entering the fray in March and leaving after just a few weeks, it focused primarily on using legitimate accounts to spread laterally through the target’s network. To aid that effort, and to establish C2 communications and dump credentials, Bravo deployed a novel backdoor called CCoreDoor.
The final cluster, Charlie, proved the most troublesome. From March 2023 to April 2024 it specialized in access management: it performed ping sweeps across the network to map endpoints and user accounts, captured credentials from domain controllers, and deployed a novel backdoor called PocoProxy for C2 purposes.
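Ping sweeps of the kind attributed to Cluster Charlie are one of the few pre-exploitation steps that are cheap to catch from network flow data: one source sending ICMP echo requests to many distinct destinations in a short time is something a monitoring host rarely does and a host-enumeration tool always does. The detector below is an added example, not code from the Sophos report or the article. It assumes flow records have already been reduced to `(timestamp_seconds, src_ip, dst_ip, proto)` tuples with echo requests labelled `"icmp-echo"`; the sample traffic is constructed, not data from the incident.

```python
"""Detect ping sweeps in constructed flow records: one source sending ICMP echo
requests to many distinct destinations inside a trailing time window."""
from collections import Counter, defaultdict


def detect_ping_sweeps(flows, threshold=20, window=60):
    """flows: iterable of (timestamp_seconds, src_ip, dst_ip, proto).

    Returns {src_ip: {"first_seen": ts, "distinct_targets": n}} for every
    source that reached `threshold` distinct destinations within any `window`
    seconds. One alert per source; it records the window in which the
    threshold was first crossed.
    """
    by_src = defaultdict(list)
    for ts, src, dst, proto in flows:
        if proto == "icmp-echo":
            by_src[src].append((ts, dst))

    alerts = {}
    for src, events in by_src.items():
        events.sort()
        in_window = Counter()   # distinct destinations inside the trailing window
        left = 0
        for ts, dst in events:
            in_window[dst] += 1
            # Evict events older than `window` seconds before this one.
            while events[left][0] < ts - window:
                old = events[left][1]
                in_window[old] -= 1
                if in_window[old] == 0:
                    del in_window[old]
                left += 1
            if len(in_window) >= threshold:
                alerts[src] = {"first_seen": events[left][0],
                               "distinct_targets": len(in_window)}
                break
    return alerts


# Constructed sample traffic (not data from the report).
SAMPLE_FLOWS = []
# 1) A fast sweep: 40 hosts, one echo request per second.
SAMPLE_FLOWS += [(1000 + i, "10.0.5.23", f"10.0.8.{i + 1}", "icmp-echo")
                 for i in range(40)]
# 2) A monitoring host polling the same three servers every 10 s for five minutes.
SAMPLE_FLOWS += [(500 + 10 * k, "10.0.1.5", f"10.0.2.{k % 3 + 1}", "icmp-echo")
                 for k in range(30)]
# 3) A slow sweep: 30 hosts, one request every 5 s.
SAMPLE_FLOWS += [(2000 + 5 * i, "10.0.9.9", f"10.0.10.{i + 1}", "icmp-echo")
                 for i in range(30)]

if __name__ == "__main__":
    print(detect_ping_sweeps(SAMPLE_FLOWS))              # only the fast sweep
    print(detect_ping_sweeps(SAMPLE_FLOWS, window=300))  # slow sweep as well
```

The third sample source is the caveat. At one request every 5 seconds it never has more than 13 distinct targets inside any 60-second window, so the default rule misses it even though it enumerates 30 hosts; widening the window to 300 seconds catches it. A sweep paced slowly enough defeats any single threshold-and-window pair, so in practice this rule is paired with a much longer-horizon count of distinct destinations per source (per hour or per day), and with the fact that ICMP echo is rarely needed from workstations to server subnets at all.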
Most importantly, Charlie collected and exfiltrated large volumes of data. The information taken from the government network included sensitive military and political secrets, among them documents outlining strategic approaches to the hotly contested South China Sea.
Whodunit? Who Cares?
Operation Crimson Palace involved tools and infrastructure that overlap with some half-dozen known Chinese threat actors, most notably Worok and the APT41 subgroup Earth Longzhi. Sophos researchers used this overlap and the nature of the espionage to tie the attack to the Chinese government, but stopped short of attributing it to a specific group.
In fact, they say, focusing on attributing Crimson Palace might end up being counterproductive to defending against it.
“I think this has been problematic in the past — we obsess too much with attribution,” says Chester Wisniewski, director and global field CTO at Sophos. Attribution can make defenders feel like they can predict an attacker’s next moves but, as Crimson Palace demonstrates, “Just because one group is really talented at one given thing does not mean you’re not going to see completely different techniques used later,” Wisniewski says. “Because they may have shared those stolen credentials with other groups, with completely different tool sets and completely different missions.
“Once you’re breached by one of these adversaries, all bets are off. One group might be after espionage. Another one might be prepositioning for Volt Typhoon-style future disruption. You have to assume all those things are happening.”
Source: www.darkreading.com