Crimson Palace: Cyberespionage typhoon hits Southeast Asia

Three hacker groups working in concert to cause colossal damage.

China-linked cybercriminals continue to expand their attacks on Southeast Asian government agencies as part of a new wave of espionage activity codenamed Crimson Palace, as reported by Sophos, a company that tracks these threats.

The attacks involve three groups, designated by the researchers as Cluster Alpha (STAC1248), Cluster Bravo (STAC1870), and Cluster Charlie (STAC1305), each of which follows its own playbook. According to the Sophos report, the attackers use the networks of already compromised organizations to deliver malware, disguising themselves as trusted sources.

Operation Crimson Palace was first recorded by Sophos in June 2024, and the attacks themselves began back in March 2023 and continued until April 2024. At the same time, the latest activities related to Cluster Bravo were observed from January to June 2024 and covered 11 organizations in the region.

Of particular interest is Cluster Charlie, also known as Earth Longzhi. This group was active from September 2023 to June 2024, using various tools to compromise networks, including well-known frameworks such as Cobalt Strike and Havoc, which allowed the hackers to move deeper into systems and cause further harm.

Researchers noted that the main goal of the attacks is not only to collect valuable intelligence, but also to entrench a foothold in the victims' networks. The hackers sought to bypass security systems and regain access to the infrastructure even after their malware had been blocked.

It is also worth noting Cluster Charlie's active use of the dynamic-link library (DLL) substitution technique, which was previously used by Cluster Alpha, demonstrating shared tradecraft between the different groups.

Among other things, the hackers' arsenal includes RealBlindingEDR and Alcatraz, tools that help evade antivirus products and disguise malicious files. One of the most dangerous tools of the criminals is the new TattleTale keylogger, capable of stealing data from the Google Chrome and Microsoft Edge browsers.

This malware can also collect information about the victim's systems, including domain controller names and security settings, which makes it particularly dangerous.

All three groups operate together, but each has a different role in the attack chain: Cluster Alpha handles network penetration and reconnaissance, Cluster Bravo delves into systems, and Cluster Charlie focuses on stealing data.

Experts recommend that organizations in vulnerable regions strengthen their cybersecurity measures, including regularly applying software and security updates, monitoring network traffic, and deploying solutions to detect and prevent threats.

Particular attention should be paid to the protection of mail servers and other critical infrastructure elements, as they become the main targets for attacks. Continuous vulnerability assessment and the implementation of proactive protection methods will help reduce risks and minimize the damage from such cyberespionage operations.
