The Chinese Communist government has spent nearly two years conducting network espionage activities targeting a government department in Southeast Asia, attempting to steal strategic information related to the South China Sea disputes.
According to researchers at the network security company Sophos, an investigation uncovered this complex and persistent network espionage operation directed at a high-profile Southeast Asian government institution, tracking at least three clusters of intrusion activity within the institution’s network from March 2023 to December 2023.
Sophos researchers assert with confidence that the overall goal behind this operation is to maintain access to the target network for conducting espionage activities supporting China’s national interests.
In a joint analysis article, Paul Jaramillo, Threat Tracking and Threat Intelligence Director at Sophos, along with analysts, wrote that these various clusters appear to have been consistently gathering military and economic intelligence relevant to China’s strategic interests in the South China Sea.
They wrote: “In this operation, we believe these three clusters represent different attack organizations that operate in parallel against the same target under unified central government command.”
These network espionage activities include accessing key IT systems, scouting specific users, collecting sensitive military and technological information, as well as deploying various malicious software implants for command and control (C2) communications.
Sophos discovered a data exfiltration tool that has been in use since December 2022 and was previously attributed to the Chinese hacker group “Mustang Panda,” but further findings revealed multiple hacker activity clusters working together to steal data, obtain credentials for deeper access, and more.
Two of the hacker clusters employed tactics and techniques matching those used by the Chinese national-level hacker groups APT15 and a branch of APT41 (referred to by some researchers as “Earth Longzhi”).
Sophos researchers have dubbed this espionage activity “Crimson Palace”; its aim is to scout for and steal documents containing “sensitive political, economic, and military information.”
The target network is a prominent government institution in a Southeast Asian country known for its numerous conflicts with China (the Chinese Communist Party) over territorial disputes in the South China Sea.
The South China Sea is a region of intense sovereignty disputes, with China claiming sovereignty over almost the entire sea area, rejecting the sovereignty claims of the Philippines, Vietnam, Indonesia, and other countries, while disregarding international rulings that China’s sovereignty claims lack legal basis.
Recently, China’s Coast Guard issued the “Administrative Enforcement Procedures of the Coast Guard Institution,” which, starting from June 15th, enforces the Coast Guard Law implemented in 2021, allowing the detention of foreign individuals suspected of “intrusion.” Philippine President Ferdinand Marcos Jr. criticized the Chinese authorities for escalating tensions.
Sophos is not the only cybersecurity company to have discovered Chinese hackers conducting espionage activities in the South China Sea.
According to a report released by the cybersecurity company Bitdefender Labs on May 22nd, over the past five years at least eight government and military entities in the vicinity of the South China Sea have been breached by a hacker organization allegedly aligned with Chinese interests.
Meanwhile, China claims to be a victim of cyberattacks from the United States and its allies, often denying accusations of launching hacking attacks.