SecurityWeek

Cyberwarfare

Chinese Cyberspy Group ‘RedAlpha’ Targeting Governments, Humanitarian Entities

For the past three years, Chinese state-sponsored cyberespionage group RedAlpha has been observed targeting numerous government organizations, humanitarian entities, and think tanks.


Also tracked as Deepcliff and Red Dev 3, the advanced persistent threat (APT) actor has been active since at least 2015, focused on intelligence collection, including the surveillance of ethnic and religious minorities, such as the Tibetan and Uyghur communities.

Since 2018, RedAlpha has been registering hundreds of domains spoofing global government, think tank, and humanitarian organizations, including Amnesty International, the American Institute in Taiwan (AIT), the International Federation for Human Rights (FIDH), the Mercator Institute for China Studies (MERICS), and Radio Free Asia (RFA), cybersecurity company Recorded Future reports.

The attacks, Recorded Future notes, fall in line with previously observed RedAlpha targeting of entities of interest to the Chinese Communist Party (CCP). Organizations in Taiwan were also targeted, likely for intelligence collection.

The purpose of the campaign has been the harvesting of credentials from the targeted individuals and organizations, to gain access to their email and other communication accounts.

“RedAlpha’s humanitarian and human rights-linked targeting and spoofing of organizations such as Amnesty International and FIDH is particularly concerning given the CCP’s reported human rights abuses in relation to Uyghurs, Tibetans, and other ethnic and religious minority groups in China,” Recorded Future notes.

The cyberespionage group is known for the use of weaponized websites – which imitate well-known email service providers or specific organizations – as part of its credential-theft campaigns, but last year saw a spike in newly registered domains by the APT, at more than 350.

Characteristic of this activity was the use of resellerclub[.]com nameservers, the use of virtual private server (VPS) hosting provider Virtual Machine Solutions LLC (VirMach), overlapping WHOIS registrant information (including names, email addresses, and phone numbers), consistent domain naming conventions, and the use of specific server-side components.


The group has registered hundreds of domains typosquatting major email and storage service providers – including Yahoo (135 domains), Google (91), and Microsoft (70) – but also domains typosquatting the ministries of foreign affairs (MOFAs) in multiple countries, Purdue University, Taiwan’s Democratic Progressive Party, as well as the aforementioned and other global government, think tank, and humanitarian organizations.
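As an added illustration, not code from the article or from Recorded Future’s report, the script below applies the clustering signals described in the two paragraphs above (brand typosquatting, a shared nameserver provider, and reused WHOIS registrant details) to a constructed sample of newly registered domains. Every domain, nameserver and registrant address in it is made up and uses the reserved `.test` TLD; the watchlist is drawn from the organizations the article names. The "resellerclub" nameserver match and the one-edit typosquat threshold are assumptions chosen for the demonstration, not thresholds from the report.

```python
"""Triage newly registered domains with the signals the article describes:
brand imitation, a suspect nameserver provider, and registrant reuse.
All records are constructed for illustration; none are RedAlpha indicators."""
from collections import defaultdict

# Constructed sample data (hypothetical): an NRD feed joined to WHOIS output.
SAMPLE_RECORDS = [
    {"domain": "mail-yahoo-login.test", "ns": ["dns1.resellerclub.test", "dns2.resellerclub.test"], "registrant": "reg-a@mail.test"},
    {"domain": "accounts-g00gle.test", "ns": ["dns3.resellerclub.test"], "registrant": "reg-a@mail.test"},
    {"domain": "merics-webmail.test", "ns": ["dns1.resellerclub.test"], "registrant": "reg-b@mail.test"},
    {"domain": "microsfot-owa.test", "ns": ["ns1.otherhost.test"], "registrant": "reg-b@mail.test"},
    {"domain": "example-bakery.test", "ns": ["ns1.otherhost.test"], "registrant": "owner@bakery.test"},
]

# Brands and organizations the article names as spoofing targets (lower-case tokens).
WATCHLIST = ["yahoo", "google", "microsoft", "amnesty", "merics", "outlook"]

# Nameserver provider the article associates with this activity (assumed match string).
SUSPECT_NS_SUBSTRING = "resellerclub"

# Digit-for-letter substitutions common in typosquats; folded before comparison.
HOMOGLYPHS = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s", "7": "t"})


def normalize(token: str) -> str:
    """Fold homoglyph digits so 'g00gle' compares as 'google'."""
    return token.lower().translate(HOMOGLYPHS)


def osa_distance(a: str, b: str) -> int:
    """Optimal string alignment distance: Levenshtein plus adjacent transpositions,
    so 'microsfot' is one edit away from 'microsoft'."""
    d = [[0] * (len(b) + 1) for _ in range(len(a) + 1)]
    for i in range(len(a) + 1):
        d[i][0] = i
    for j in range(len(b) + 1):
        d[0][j] = j
    for i in range(1, len(a) + 1):
        for j in range(1, len(b) + 1):
            cost = 0 if a[i - 1] == b[j - 1] else 1
            d[i][j] = min(d[i - 1][j] + 1, d[i][j - 1] + 1, d[i - 1][j - 1] + cost)
            if i > 1 and j > 1 and a[i - 1] == b[j - 2] and a[i - 2] == b[j - 1]:
                d[i][j] = min(d[i][j], d[i - 2][j - 2] + 1)
    return d[len(a)][len(b)]


def domain_tokens(domain: str) -> list[str]:
    """Split every label except the TLD into hyphen-separated tokens."""
    labels = domain.lower().split(".")
    return [t for label in labels[:-1] for t in label.split("-") if t]


def brand_hits(domain: str, watchlist=WATCHLIST) -> list[str]:
    """Return watchlist brands the domain imitates: exact token, brand embedded in a
    token, or a token within one edit of the brand after homoglyph folding.
    Brands shorter than five characters only match exactly, to limit false positives."""
    hits = []
    for token in map(normalize, domain_tokens(domain)):
        for brand in watchlist:
            if brand in hits:
                continue
            fuzzy = len(brand) >= 5 and (brand in token or osa_distance(token, brand) <= 1)
            if token == brand or fuzzy:
                hits.append(brand)
    return hits


def registrant_clusters(records) -> dict[str, list[str]]:
    """Group domains by registrant email: overlapping WHOIS details tie domains together."""
    clusters = defaultdict(list)
    for r in records:
        clusters[r["registrant"].lower()].append(r["domain"])
    return dict(clusters)


def triage(records, watchlist=WATCHLIST) -> list[dict]:
    """Flag a domain when it imitates a watchlist brand AND shows an infrastructure
    overlap: a suspect nameserver provider, or a registrant who also registered
    another brand-imitating domain in the same feed."""
    clusters = registrant_clusters(records)
    imitating = {r["domain"]: brand_hits(r["domain"], watchlist) for r in records}
    results = []
    for r in records:
        hits = imitating[r["domain"]]
        suspect_ns = any(SUSPECT_NS_SUBSTRING in ns.lower() for ns in r["ns"])
        siblings = [d for d in clusters[r["registrant"].lower()] if d != r["domain"] and imitating[d]]
        results.append({"domain": r["domain"], "brands": hits, "suspect_ns": suspect_ns,
                        "registrant_siblings": siblings, "flagged": bool(hits) and (suspect_ns or bool(siblings))})
    return results


def flagged_domains(records, watchlist=WATCHLIST) -> list[str]:
    """Convenience wrapper returning only the domains worth an analyst's time."""
    return [r["domain"] for r in triage(records, watchlist) if r["flagged"]]


if __name__ == "__main__":
    for row in triage(SAMPLE_RECORDS):
        print(row)
```

The point of requiring two independent signals is the one the report makes implicitly: brand similarity alone produces noise (legitimate resellers, fan sites, parked domains), while a brand lookalike that also shares a nameserver provider or a registrant with other lookalikes is the pattern worth pivoting on. In practice the watchlist would be the organization’s own brands and partners, and the registrant clustering would be run over a rolling window of the NRD feed rather than a single batch.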

During the first half of 2021, the cyberespionage group registered at least 16 domains spoofing the Berlin-based non-profit organization MERICS, activity that coincided with the Chinese MOFA imposing sanctions on the think tank.

“In many cases, observed phishing pages mirrored legitimate email login portals for the specific organizations named above. We suspect that this means they were intended to target individuals directly affiliated with these organizations rather than simply imitating these organizations to target other third parties,” Recorded Future says.

Over the past three years, RedAlpha has also maintained a consistent focus on Taiwanese entities, including through multiple domains imitating the American Institute in Taiwan (AIT), the de facto embassy of the United States of America in Taiwan.

The hacking group was also observed expanding its campaigns to target Brazilian, Portuguese, Taiwanese, and Vietnamese MOFAs, along with India’s National Informatics Centre (NIC).

“We identified multiple overlaps with previous publicly reported RedAlpha campaigns that allowed us to assess this is very likely a continuation of the group’s activity. Of note, in at least 5 instances the group appeared to re-register previously owned domains after expiry,” Recorded Future notes.

The cybersecurity company has identified a link between RedAlpha and a Chinese information security company – email addresses used to register spoofing domains appear in job listings and other web pages associated with the organization – and believes that the threat actor is operating out of China.

“The group’s targeting closely aligns with the strategic interests of the Chinese government, such as the observed emphasis on China-focused think tanks, civil society organizations, and Taiwanese government and political entities. This targeting, coupled with the identification of likely China-based operators, indicates a likely Chinese state-nexus to RedAlpha activity,” Recorded Future concludes.

Related: Chinese Threat Actor Targets Rare Earth Mining Companies in North America, Australia

Related: Chinese Threat Actors Exploiting ‘Follina’ Vulnerability

Related: Cyber-Espionage Campaigns Target Tibetan Community in India

Written By

Ionut Arghire is an international correspondent for SecurityWeek.
