


Chinese hackers observed targeting Southeast Asian government organisation

Security researchers have outlined a highly organised nation-state campaign engaging in reconnaissance and espionage against a high-level government organisation.


Sophos security analysts have outlined the details of a two-year-long campaign by multiple clusters of Chinese state-backed hackers against a “high-level government target” in Southeast Asia.

The activity was first observed in December 2022, when the Sophos X-Ops team found a data exfiltration tool on the targeted organisation’s network. That tool was known to be used by the Chinese threat group Mustang Panda in the past, which led to a wider investigation.


The researchers found a compromised VMware executable in May of the next year, a discovery that uncovered three discrete clusters of Chinese threat actor activity – dubbed clusters Alpha, Bravo, and Charlie.

Cluster Alpha appeared to have links to several Chinese threat groups based on the observed malware being used, and similarities in tactics, techniques and procedures. Malware known to be used by the threat group REF5961 was seen in action, while other tools known to be linked to the BackdoorDiplomacy, APT15, Worok, and TA428 groups were also observed. This activity lasted from March to August 2023, possibly longer, and focused on reconnaissance and privilege escalation.

Cluster Bravo was only seen on the government network during a three-week period in March 2023, and this activity was focused on moving laterally to install the CCoreDoor backdoor. This is typically a precursor to exfiltrating credentials.

Finally, and most recently, Cluster Charlie was active between March 2023 and April 2024, at least, and consisted of activity that appeared to match the TTPs of a group linked to APT41, dubbed Earth Longzhi. This activity revolved around deploying the PocoProxy persistence tool before exfiltrating a large amount of data, including – according to Sophos – “a large volume of sensitive data for espionage purposes, including military and political documents and credentials/tokens for further access within the network”.

Cluster Charlie is still active.

Paul Jaramillo, director of threat hunting and threat intelligence at Sophos, said the activity illustrates the scope of China’s hacking activity.

“As Western governments elevate awareness about cyber threats from China, the overlap Sophos has uncovered is an important reminder that focusing too much on any single Chinese attribution may put organisations at risk of missing trends about how these groups coordinate their operations,” Jaramillo said in a statement.

“What we’ve seen with this campaign is the aggressive development of cyber espionage operations in the South China Sea. We have multiple threat groups, likely with unlimited resources, targeting the same high-level government organisation for weeks or months at a time, and they are using advanced custom malware intertwined with publicly available tools.

“They were, and are still, able to move throughout an organisation at will, rotating their tools on a frequent basis. At least one of the activity clusters is still very much active and attempting to conduct further surveillance.”
