Chinese hackers seen targeting Southeast Asian government organization
Security researchers have outlined a highly organized nation-state campaign engaging in reconnaissance and espionage against a high-level government organization.
Sophos security analysts have outlined the details of a two-year-long campaign by multiple Chinese state-backed hacking groups against a “high-level government target” in Southeast Asia.
The activity was first observed in December 2022, when the Sophos X-Ops team found a data exfiltration tool on the target organization’s network. That tool was known to have been used in the past by the Chinese threat group Mustang Panda, leading to a broader investigation.
Researchers then found a compromised VMware executable in May of the following year, and the ensuing investigation uncovered three discrete clusters of Chinese threat actor activity, designated Alpha, Bravo, and Charlie.
Cluster Alpha appeared to have ties to several Chinese threat groups, based on the malware observed and on similarities in tactics, techniques, and procedures (TTPs). Malware known to be used by the REF5961 threat group was seen in action, alongside tools linked to the BackdoorDiplomacy, APT15, Worok, and TA428 groups. This activity lasted from March to August 2023, possibly longer, and focused on reconnaissance and privilege escalation.
Cluster Bravo was seen on the government network only over a three-week period in March 2023, and its activity focused on moving laterally across the network to install the CCoreDoor backdoor, a step that is often a precursor to credential exfiltration.
Finally, and most recently, Cluster Charlie was active from at least March 2023 to April 2024, with activity whose TTPs appeared to match those of Earth Longzhi, a group linked to APT41. This activity revolved around deploying the PocoProxy persistence tool and then exfiltrating what Sophos describes as “a large volume of sensitive data for espionage purposes, including military and political documents and credentials/tokens for greater access within the network.”
The Charlie group is still active.
Paul Jaramillo, director of threat hunting and threat intelligence at Sophos, said the activity illustrates the extent of China’s hacking activity.
“As Western governments increase awareness of cyber threats from China, the overlap Sophos has discovered is an important reminder that focusing too much on a single Chinese attribution can put organizations at risk of missing trends in how these groups coordinate their operations,” Jaramillo said in a statement.
“What we have seen with this campaign is the aggressive development of cyber espionage operations in the South China Sea. We have multiple threat groups, likely with unlimited resources, targeting the same high-level government organization for weeks or months at a time, using advanced custom malware intertwined with publicly available tools.
“They were, and still are, able to move around an organization at will, rotating their tools frequently. At least one of the activity groups is still very active and trying to carry out greater surveillance.”
You can read a full report of the activity here.