The Silent Hack: Inside a State-Sponsored Cyber Espionage Operation

A suspected China-linked cyber espionage campaign has been targeting military organizations across Southeast Asia as part of a state-sponsored operation that has reportedly been active since at least 2020. Tracked by Palo Alto Networks Unit 42 under the designation CL-STA-1087, the campaign is a cluster of activity believed to be driven by state-backed motivations. Researchers observed notable operational patience and discipline: the attackers prioritized precise intelligence gathering over large-scale data theft, focusing on highly specific documents about military capabilities, organizational structures, and cooperation with Western armed forces. The operation exhibits several hallmarks of an advanced persistent threat (APT), including carefully engineered delivery methods, defense evasion strategies, stable operational infrastructure, and custom-built malware designed to maintain prolonged unauthorized access to targeted systems.

Malware and Tools Used

The operation relied on several custom tools, including backdoors known as AppleChris and MemFun, along with a credential-harvesting utility called Getpass, a modified version of the well-known Mimikatz tool. These tools allowed attackers to remotely control infected systems, extract sensitive credentials, and maintain persistent access within targeted networks.

Stealth Techniques and Infrastructure

To avoid detection, the attackers employed techniques such as DLL hijacking, process hollowing, delayed execution, and sandbox evasion. The malware also used Pastebin and Dropbox as “dead drop” services: instead of carrying a hard-coded command-and-control (C2) address, it fetched the address, stored in Base64-encoded form, from those services at runtime. This let the attackers hide their infrastructure and rotate it without modifying the malware itself.
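As an added illustration (not code from the article or the Unit 42 report), the following analyst-side helper scans text retrieved from a suspected dead-drop location for Base64 tokens that decode to a `host:port` endpoint, so such addresses can be fed into blocklists or network detections. The sample paste and every address in it are constructed for this example.

```python
import base64
import binascii
import ipaddress
import re

# Constructed sample of dead-drop content: filler text with Base64-encoded
# host:port values mixed in (all addresses are invented, RFC 5737/2606 ranges).
SAMPLE_PASTE = """
notes for build 3
MTkyLjAuMi4xMDo0NDM=
changelog: fixed typo
aGVsbG8gd29ybGQ=
YzIuZXhhbXBsZS5uZXQ6ODQ0Mw==
"""

B64_TOKEN = re.compile(r"[A-Za-z0-9+/]{4,}={0,2}")
HOSTNAME = re.compile(
    r"^(?=.{1,253}$)[a-z0-9]([a-z0-9-]{0,61}[a-z0-9])?"
    r"(\.[a-z0-9]([a-z0-9-]{0,61}[a-z0-9])?)+$", re.I)


def parse_endpoint(text: str):
    """Return (host, port) if text is an IPv4-or-hostname:port pair, else None."""
    host, sep, port = text.rpartition(":")
    if not sep or not port.isdigit() or not 1 <= int(port) <= 65535:
        return None
    try:
        ipaddress.IPv4Address(host)
    except ValueError:
        if not HOSTNAME.match(host):
            return None
    return host, int(port)


def extract_c2_candidates(blob: str):
    """Find Base64 tokens in dead-drop text that decode to a host:port endpoint."""
    found = []
    for token in B64_TOKEN.findall(blob):
        try:
            decoded = base64.b64decode(token, validate=True).decode("ascii")
        except (binascii.Error, UnicodeDecodeError):
            continue  # ordinary words: bad padding or non-text bytes after decoding
        endpoint = parse_endpoint(decoded.strip())
        if endpoint and endpoint not in found:
            found.append(endpoint)
    return found


if __name__ == "__main__":
    for host, port in extract_c2_candidates(SAMPLE_PASTE):
        print(f"candidate C2 endpoint: {host}:{port}")
```

Plain words like "typo" are valid Base64 alphabet but decode to non-ASCII bytes, and "hello world" decodes cleanly but is not an endpoint; both are dropped, which keeps the output limited to what is worth acting on.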

Targeted Intelligence Collection

During the intrusions, the attackers actively searched for documents related to official military meetings, joint operations, and operational capability assessments, with particular interest in C4I systems (Command, Control, Communications, Computers, and Intelligence). The activity suggests a focused effort to gather strategic defense intelligence rather than conduct disruptive cyber operations.

Long-Term Persistence and Operational Discipline

Researchers concluded that the threat actors displayed strong operational security and patience, often maintaining dormant access for months while conducting precise and targeted data collection. These characteristics are consistent with advanced persistent threat (APT) operations designed for long-term espionage and strategic intelligence gathering.

“If you think technology can solve your security problems, then you don’t understand the problems and you don’t understand the technology.”

— Mikko Hyppönen
