Digital Times Nigeria
  • Home
  • Telecoms
    • Broadband
  • Business
    • Banking
    • Finance
  • Editorial
    • Opinion
    • Big Story
  • TechExtra
    • Fintech
    • Innovation
  • Interview
  • Media
    • Social
    • Broadcasting
Facebook X (Twitter) Instagram
Trending
  • Access Bank Reinforces Global Banking Leadership With Record 16 Euromoney Awards
  • Hadiza Umar, NITDA’s Comms Director Earns Double Honours With 2026 PR Power List, Glazia Magazine Cover Feature
  • New Report Flags Deepfakes, AI Disinformation As Major Risks To Nigeria’s 2027 Elections
  • NCC, Tecno, Hyperspace, Digital Realty Rally Behind NITRA Innovative & Scientific Conference
  • Abia Attracts $145m Solar Manufacturing Investment As Project Reaches Final Decision Stage
  • Fidelity Bank Improves Learning, Living Conditions At Lagos Orphanage
  • Union Bank Reinforces Sustainability Drive With Lekki Beach Cleanup
  • New NIMC Act Gets Major Boost As NITDA Hands Over PKI Framework For Secure Digital Identity
Facebook X (Twitter) Instagram
Digital Times NigeriaDigital Times Nigeria
  • Home
  • Telecoms
    • Broadband
  • Business
    • Banking
    • Finance
  • Editorial
    • Opinion
    • Big Story
  • TechExtra
    • Fintech
    • Innovation
  • Interview
  • Media
    • Social
    • Broadcasting
Digital Times Nigeria
Home » Sophos Report Reveals Expansion Of OCL, Chinese State-Sponsored Espionage In Southeast Asia
REPORT

Sophos Report Reveals Expansion Of OCL, Chinese State-Sponsored Espionage In Southeast Asia

Cluster Charlie began using open-source tools and tactics from other clusters, showcasing the attackers' adaptability and persistence.
DigitalTimesNGBy DigitalTimesNG10 September 2024No Comments4 Mins Read71 Views
Facebook Twitter Pinterest Telegram LinkedIn Tumblr WhatsApp Email
Sophos
Share
Facebook Twitter LinkedIn Pinterest Telegram Email WhatsApp

Sophos Uncovers Novel Keylogger “Tattletale”

News Highlights:

  • Sophos X-Ops uncovered three distinct clusters of Chinese cyberespionage activity—Cluster Alpha, Cluster Bravo, and Cluster Charlie—within a high-profile government organization.
  • After a brief pause, renewed activity from Cluster Bravo and Cluster Charlie was detected, spreading to numerous organizations across Southeast Asia.

Sophos, a global leader in innovative security solutions against cyberattacks, has published a report titled “Crimson Palace: New Tools, Tactics, Targets,” outlining the latest advancements in a nearly two-year-long Chinese cyberespionage campaign targeting Southeast Asia, reports Digital TimesNG.

In June, Sophos X-Ops first reported on what they called Operation Crimson Palace, revealing their discovery of three distinct clusters of Chinese nation-state activity—Cluster Alpha, Cluster Bravo, and Cluster Charlie—within a high-profile government organization.

After a brief hiatus in August 2023, Sophos X-Ops noted renewed Cluster Bravo and Cluster Charlie activity, both within the initial targeted organization and in numerous other organizations within the region.

During their investigation into this renewed activity, Sophos X-Ops discovered a new keylogger, dubbed “Tattletale” by their threat hunters. This keylogger can impersonate logged-in users and collect data on password policies, security settings, cached passwords, browser information, and storage details.

Sophos X-Ops also notes in the report that, in contrast to the first wave of the operation, Cluster Charlie increasingly switched to using open-source tools rather than deploying the types of custom malware they developed in the initial wave of activity.

“We’ve been in an ongoing chess match with these adversaries. During the initial phases of the operation, Cluster Charlie was deploying various bespoke tools and malware,” said Paul Jaramillo, director, threat hunting and threat intelligence, Sophos.

READ ALSO  Sophos Acquires Secureworks In $859M Deal To Strengthen Global Cybersecurity

“However, we were able to ‘burn’ much of their previous infrastructure, blocking their Command and Control (C2) tools and forcing them to pivot. This is good; however, their switch to open-source tools demonstrates just how quickly these attacker groups can adapt and remain persistent.

“It also appears to be an emerging trend among Chinese nation-state groups. As the security community works to secure our most sensitive systems from these attackers, it’s important to share the insights into this pivot.”

Cluster Charlie, which shares tactics, techniques and procedures (TTPs) with the Chinese threat group Earth Longzhi, was originally active from March to August 2023 in a high-level government organization in Southeast Asia.

While the cluster was dormant for several weeks, it re-emerged in September 2023 and was active again until at least May 2024.

During this second stage of the campaign, Cluster Charlie focused on penetrating deeper into the network, evading endpoint detection and response (EDR) tools and gathering further intelligence.

In addition to switching to open-source tools, Cluster Charlie also began using tactics initially deployed by Cluster Alpha and Cluster Bravo, suggesting that the same overarching organization is directing all three activity clusters.

Sophos X-Ops has tracked ongoing Cluster Charlie activity across multiple other organizations in Southeast Asia.

Cluster Bravo, which shares TTPs with the Chinese threat group Unfading Sea Haze, was originally only active in the targeted network for a three-week span in March 2023. However, the cluster reappeared in January 2024, only this time it was targeting at least 11 other organizations and agencies in the same region.

READ ALSO  Sophos Unveils Advanced Version Of Endpoint Detection And Response (EDR)

“Not only are we seeing all three of the ‘Crimson Palace’ clusters refine and coordinate their tactics, but they’re also expanding their operations, attempting to infiltrate other targets in Southeast Asia.

“Given how frequently Chinese nation-state groups share infrastructure and tools, and the fact that Cluster Bravo and Cluster Charlie are moving beyond the original target, we will likely continue to see this campaign evolve—and in potentially new locations. We will be monitoring it closely,” said Jaramillo.

To learn more, read “Crimson Palace: New Tools, Tactics, Targets” on Sophos.com. For details about Sophos’ threat hunting and other services for disrupting cyberattacks, go to Sophos Managed Detection and Response (MDR).

For an in-depth look at the threat hunting behind this nearly two-year long cyber espionage campaign, register for the upcoming webinar “Intrigue of the Hunt: Operation Crimson Palace: Unveiling a Multi-Headed State-Sponsored Campaign” on Sept. 24 at 2 PM ET: https://events.sophos.com/operation-crimson-palace/.

#Espionage #OCL #Report #Sophos #SoutheastAsia
Share. Facebook Twitter Pinterest LinkedIn Tumblr Email
Previous ArticleOPay, Other Fintech Companies Begin N50 EMTL Deduction
Next Article NCC Unveils Device Management System, Lists Functions
DigitalTimesNG
  • X (Twitter)

Comments are closed.

Categories
About
About

Digital Times Nigeria (www.digitaltimesng.com) is an online technology publication of Digital Times Media Services.

Facebook X (Twitter) Instagram
Latest Posts

Access Bank Reinforces Global Banking Leadership With Record 16 Euromoney Awards

18 July 2026

Hadiza Umar, NITDA’s Comms Director Earns Double Honours With 2026 PR Power List, Glazia Magazine Cover Feature

18 July 2026

New Report Flags Deepfakes, AI Disinformation As Major Risks To Nigeria’s 2027 Elections

17 July 2026
Popular Posts

Building Explainable AI (XAI) Dashboards For Non-Technical Stakeholders

2 May 2022

Building Ethical AI Starts With People: How Gabriel Ayodele Is Engineering Trust Through Mentorship

8 January 2024

Gabriel Tosin Ayodele: Leading AI-Powered Innovation In Web3

8 November 2022
© 2026 Digital Times NG.
  • Advert Rate
  • Terms of Use
  • Advertisement
  • Private Policy
  • Contact Us

Type above and press Enter to search. Press Esc to cancel.