Chinese APTs Target ASEAN Entities, Stealing Sensitive Diplomatic and Economic Data


A detailed report from Unit 42 by Palo Alto Networks has uncovered a targeted campaign by two Chinese advanced persistent threat (APT) groups aimed at compromising entities associated with the Association of Southeast Asian Nations (ASEAN). This intensive effort highlights China’s strategic interest in diplomatic and economic intelligence within the region, as well as the ever-present threat of cyber espionage.

Both APT groups leveraged legitimate software and tools to blend in with regular network activity, making detection more challenging. The timing of attacks during key ASEAN summits suggests an attempt to capitalize on increased communication volume and the potential for reduced scrutiny during periods of high activity.

The Stately Taurus and Its Malware Arsenal

Stately Taurus is an APT group of considerable repute and skill. Known by many names (Mustang Panda, BRONZE PRESIDENT, Red Delta, LuminousMoth, Earth Preta, and Camaro Dragon), it has been active in cyber espionage since at least 2012. This well-established Chinese APT group targeted entities in Myanmar, the Philippines, Japan, and Singapore with carefully timed attacks coinciding with the ASEAN-Australia Special Summit in March 2024. The group deployed custom malware disguised as legitimate files to increase the likelihood of successful infiltration.

The Artifice of Diplomacy: Talking_Points_for_China.zip

The first of these trojans was cunningly named “Talking_Points_for_China.zip,” a package that, on March 4, 2024, began its silent journey across the realms of the Philippines, Japan, and Singapore. Cloaked in the guise of an anti-keylogging program, “Talking_Points_for_China.exe” harbored a more sinister payload—a malicious DLL designed to ensnare and communicate with a covert command and control server.

The Military Masquerade: Note PSO.scr

In a shift of tactics that demonstrates their adaptability, Stately Taurus dispatched another malicious package, “Note PSO.scr,” on March 5, 2024. This package, which took the form of a screensaver executable (a file with the .scr extension), was aimed at Myanmar.

The Unnamed Shadow: A Second Chinese APT Group

The second Chinese APT group successfully compromised an ASEAN-affiliated entity and has a history of targeting government entities across Southeast Asia, including Cambodia, Laos, and Singapore. Its focus on sensitive diplomatic and economic data makes it a significant threat.

Recommendations

This activity underscores a worrying trend of escalating cyber espionage driven by geopolitical tensions. The strategic importance of the ASEAN region makes it a focal point for intelligence gathering.

Organizations within or affiliated with ASEAN must maintain heightened vigilance against targeted campaigns, as they are likely to be in the crosshairs of sophisticated threat actors.
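As one concrete check for the lures described above (an executable inside a document-named ZIP, shipped with a DLL, and a .scr file), the following is an added example, not code from Unit 42 or from this report, that triages a ZIP attachment before delivery. The function names, the extension list, the `example.dll` and `agenda.pdf` members and the exe-beside-DLL heuristic are assumptions made for illustration; the sample archive is constructed and contains only placeholder bytes.

```python
import io
import zipfile
from pathlib import PurePosixPath

# Extensions Windows runs directly; a .scr screensaver is an ordinary PE executable.
EXECUTABLE_EXTS = {".exe", ".scr", ".com", ".pif", ".cpl"}


def triage_archive(data: bytes) -> list[str]:
    """Return findings for one ZIP attachment; an empty list means nothing was flagged."""
    findings, exe_dirs, dll_dirs = [], set(), set()
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            path = PurePosixPath(info.filename)
            ext = path.suffix.lower()
            if ext in EXECUTABLE_EXTS:
                findings.append(f"executable in archive: {info.filename}")
                exe_dirs.add(path.parent)
            elif ext == ".dll":
                dll_dirs.add(path.parent)
            elif info.flag_bits & 0x1:
                # Encrypted member: content cannot be inspected without the password.
                findings.append(f"encrypted member, content not inspected: {info.filename}")
            else:
                with zf.open(info) as member:
                    if member.read(2) == b"MZ":  # DOS header magic that starts every PE file
                        findings.append(f"PE content behind misleading extension: {info.filename}")
    for folder in sorted(exe_dirs & dll_dirs):
        findings.append(f"executable beside a DLL in '{folder}': review for DLL side-loading")
    return findings


def build_sample(members: dict[str, bytes]) -> bytes:
    """Build an in-memory ZIP from constructed, harmless placeholder members."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, content in members.items():
            zf.writestr(name, content)
    return buf.getvalue()


if __name__ == "__main__":
    # Constructed sample: file names from the report, contents are 2-byte placeholders.
    sample = build_sample({"Talking_Points_for_China.exe": b"MZ", "example.dll": b"MZ",
                           "Note PSO.scr": b"MZ", "agenda.pdf": b"MZ"})
    for finding in triage_archive(sample):
        print(finding)
```

Extension and magic-byte checks catch only the delivery pattern; they say nothing about whether a flagged file is malicious, so findings should route the attachment to quarantine or analysis rather than serve as a verdict.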