Southeast Asian Governments Targeted in Ongoing Cyber Espionage by Sharp Panda
A sophisticated cyber espionage campaign has emerged, focusing on high-profile government entities across Southeast Asia, with the Chinese threat actor known as Sharp Panda at the forefront. This activity has reportedly intensified since late last year and departs from the attack chains the group used previously.
Check Point, an Israeli cybersecurity firm, points out that such “long-running” operations have historically prioritized countries like Vietnam, Thailand, and Indonesia. Sharp Panda, first identified by Check Point in June 2021, has been described as a “highly organized operation” that has worked diligently to evade detection. The group’s re-emergence is marked by the deployment of a new version of the Soul modular framework, showing a significant shift in its tactics compared to earlier attack chains from 2021.
The Soul backdoor has gained attention since its usage was first documented by Broadcom’s Symantec in October 2021, in connection with an unnamed espionage campaign aimed at the defense, healthcare, and information and communications technology sectors in the region. According to research from Fortinet FortiGuard Labs, the malware’s roots go back to October 2017, and it incorporates elements from Gh0st RAT and other publicly available tools, which means the framework has been built on shared tooling from the start.
The attack typically begins with a spear-phishing email carrying a malicious document that exploits vulnerabilities in Microsoft Equation Editor to deploy a downloader. This downloader retrieves a loader named SoulSearcher from a command-and-control server that is geofenced, responding only to requests from IP addresses in the targeted countries. Geofencing the server this way keeps the payload out of reach of sandboxes and researchers outside the target region, limiting the operation’s exposure.
Upon installation, the loader is responsible for fetching, decrypting, and executing the Soul backdoor along with its various components. The functionality of the Soul module includes critical communication with the command-and-control server, designed primarily to receive and load additional modules into memory. A notable feature of this backdoor is the incorporation of a “radio silence” functionality, which allows the operator to specify downtimes during which the backdoor refrains from communication.
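The “radio silence” feature described above matters for detection: a beacon-periodicity check that treats every long gap as a break in the pattern will miss a backdoor that simply pauses for an operator-defined window. The following is an added example (not code from the original report or from any vendor) of a defender-side beacon analysis that measures the regularity of a host’s outbound connections while separating out long quiet windows; the proxy log lines, hostnames and TEST-NET addresses are constructed for the example and are not indicators from the campaign.

```python
from collections import Counter, defaultdict
from datetime import datetime

# Constructed proxy log lines (not real IoCs; addresses are from TEST-NET ranges).
# host-a beacons every 10 minutes, goes quiet for about 11 hours ("radio silence"),
# then resumes. host-b browses the same destination at irregular intervals.
SAMPLE_LOG = "\n".join(
    [f"2023-03-01T09:{m:02d}:00 host-a 203.0.113.10" for m in range(0, 60, 10)]
    + [f"2023-03-01T21:{m:02d}:00 host-a 203.0.113.10" for m in range(0, 60, 10)]
    + ["2023-03-01T09:03:00 host-b 198.51.100.7", "2023-03-01T09:04:10 host-b 198.51.100.7",
       "2023-03-01T09:31:00 host-b 198.51.100.7", "2023-03-01T11:00:00 host-b 198.51.100.7",
       "2023-03-01T11:02:00 host-b 198.51.100.7", "2023-03-01T15:45:00 host-b 198.51.100.7",
       "2023-03-01T15:46:30 host-b 198.51.100.7"]
)


def analyze_beacons(log_text, tolerance=0.15, min_beacons=6, silence_factor=5):
    """Return {(host, dst): finding} for pairs whose connections recur at a regular
    interval. Gaps longer than silence_factor * interval are recorded as quiet
    windows instead of counting against regularity."""
    series = defaultdict(list)
    for line in log_text.splitlines():
        if line.strip():
            ts, host, dst = line.split()
            series[(host, dst)].append(datetime.fromisoformat(ts))
    findings = {}
    for key, times in series.items():
        times.sort()
        if len(times) < min_beacons:
            continue
        deltas = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        # Modal interval, bucketed into 10-second bins to absorb jitter.
        mode = Counter(round(d / 10) * 10 for d in deltas).most_common(1)[0][0]
        if mode <= 0:
            continue
        silent, regular, considered = [], 0, 0
        for a, b, d in zip(times, times[1:], deltas):
            if d > silence_factor * mode:
                silent.append((a.isoformat(), b.isoformat()))  # operator downtime
                continue
            considered += 1
            regular += abs(d - mode) <= tolerance * mode
        if considered and regular / considered >= 0.9:
            findings[key] = {"interval_s": mode, "beacons": len(times),
                             "regular_fraction": regular / considered,
                             "silent_windows": silent}
    return findings
```

Running `analyze_beacons(SAMPLE_LOG)` flags host-a with a 600-second interval and one silent window from 09:50 to 21:00, while host-b's irregular traffic is not reported.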
The findings illustrate a concerning trend in cyber espionage, highlighting the tool-sharing practices commonly seen among Chinese advanced persistent threat (APT) groups. Sharp Panda’s Soul framework, while in use since at least 2017, continues to evolve as its operators refine both its architecture and capabilities.
Given the cyber landscape’s shifting dynamics, this incident serves as a reflection of the persistent risks faced by Southeast Asian nations from state-sponsored actors. The tactics observed, including initial access through spear-phishing, persistent backdoor operations, and privilege escalation maneuvers through various modules of the Soul framework, align with the broader tactics defined within the MITRE ATT&CK framework.
Ultimately, the implications of this campaign underscore the persistent threat that state-sponsored cyber actors pose, particularly in the sensitive domains of government and critical infrastructure in Southeast Asia. As incidents like this unfold, it becomes essential for organizations to bolster their defenses against such advanced and evolving cyber threats.