Intelligent CIO Middle East Issue 107 | Page 75

INTELLIGENT BRANDS // Enterprise Security

Sophos X-Ops discovers clusters of Chinese nation-state activity in Southeast Asia

Sophos, a global provider of innovative security solutions for defeating cyberattacks, released its report, Crimson Palace: New Tools, Tactics, Targets, which details the latest developments in a nearly two-year long Chinese cyberespionage campaign in Southeast Asia.

Sophos X-Ops first reported on what they named Operation Crimson Palace in June and detailed Sophos X-Ops' discovery of three separate clusters of Chinese nation-state activity, Cluster Alpha, Cluster Bravo and Cluster Charlie, inside a high-profile government organisation.
Paul Jaramillo, Director, Threat Hunting and Threat Intelligence, Sophos.
After a brief hiatus in August 2023, Sophos X-Ops noted renewed Cluster Bravo and Cluster Charlie activity, both within the initial targeted organisation and in numerous other organisations within the region.
While investigating this renewed activity, Sophos X-Ops uncovered a novel keylogger that the threat hunters named Tattletale, which can impersonate users who have signed into the system and gather information related to password policies, security settings, cached passwords, browser information, and storage data.
Sophos X-Ops also notes in the report that, in contrast to the first wave of the operation, Cluster Charlie increasingly switched to using open-source tools rather than deploying the types of custom malware they developed in the initial wave of activity.

"We have been in an ongoing chess match with these adversaries. During the initial phases of the operation, Cluster Charlie was deploying various bespoke tools and malware," said Paul Jaramillo, Director, Threat Hunting and Threat Intelligence, Sophos.

"However, we were able to burn much of their previous infrastructure, blocking their Command and Control (C2) tools and forcing them to pivot. This is good; however, their switch to open-source tools demonstrates just how quickly these attacker groups can adapt and remain persistent. It also appears to be an emerging trend among Chinese nation-state groups. As the security community works to secure our most sensitive systems from these attackers, it is important to share the insights into this pivot."

In addition to switching to open-source tools, Cluster Charlie also began using tactics initially deployed by Cluster Alpha and Cluster Bravo, suggesting that the same overarching organisation is directing all three activity clusters.

Sophos X-Ops has tracked ongoing Cluster Charlie activity across multiple other organisations in Southeast Asia.

Cluster Charlie, which shares tactics, techniques and procedures (TTPs) with the Chinese threat group Earth Longzhi, was originally active from March to August 2023 in a high-level government organisation in Southeast Asia.

While the cluster was dormant for several weeks, it re-emerged in September 2023 and was active again until at least May 2024.

During this second stage of the campaign, Cluster Charlie focused on penetrating deeper into the network, evading endpoint detection and response (EDR) tools and gathering further intelligence.

Cluster Bravo, which shares TTPs with the Chinese threat group Unfading Sea Haze, was originally only active in the targeted network for a three-week span in March 2023.

However, the cluster reappeared in January 2024, only this time it was targeting at least 11 other organisations and agencies in the same region.