Surfacing a Hydra: Unveiling a Multi-Headed Chinese State-Sponsored Campaign Against a Foreign Government

Last year, we came face-to-face with a multi-headed beast after a threat hunt led us to uncover a long-running Chinese state-sponsored cyber espionage campaign, code-named “Crimson Palace,” in which three distinct threat clusters coordinated their activity to maintain persistent access to the same Southeast Asian government organization. Despite limitations, we were able to perform targeted response actions and monitor the organization’s infected network for over a year, gaining rare and detailed insight into the evolving behaviors and capabilities of multiple state-sponsored APTs.

In our talk, we will dissect the two stages of the Crimson Palace campaign, detailing an observed shift by the actors from using the target network as a testing ground for novel malware and evasive techniques to adopting a more aggressive approach after becoming aware of our countermeasures. We’ll explore the diverse arsenal the actors used, including over a dozen different malware families (several of them previously unreported variants), more than 15 distinct DLL sideloads, and multiple novel defense evasion techniques, such as a new malware variant capable of blackholing anti-virus (AV) communications. We’ll also reveal previously undisclosed details from the second stage of the campaign, showcasing the actors’ rapid adaptation and continual rotation of their C2 channels to maintain persistent access.

Beyond the technical details, we’ll also share the human story of how we navigated this complex intrusion using novel investigation techniques – and the challenges we faced in doing so. Our talk will equip attendees with concrete methods they can use to identify clusters of threat activity and analyze long-running APT intrusion campaigns. It will also provide them with tools and techniques we developed during the investigation for dissecting complex intrusions in their own environments.

By:
Morgan Demboski | Threat Intelligence Analyst, Sophos
Mark Parsons | Senior Threat Hunter, Sophos

Full Abstract and Presentation Materials:
https://www.blackhat.com/us-24/briefings/schedule/#surfacing-a-hydra-unveiling-a-multi-headed-chinese-state-sponsored-campaign-against-a-foreign-government-39319