Chinese Cyberspy Group ‘RedAlpha’ Targeting Governments, Humanitarian Entities

For the past three years, Chinese state-sponsored cyberespionage group RedAlpha has been observed targeting numerous government organizations, humanitarian entities, and think tanks.

Also tracked as Deepcliff and Red Dev 3, the advanced persistent threat (APT) actor has been active since at least 2015, focused on intelligence collection, including the surveillance of ethnic and religious minorities, such as the Tibetan and Uyghur communities.

Since 2018, RedAlpha has been registering hundreds of domains spoofing global government, think tank, and humanitarian organizations, including Amnesty International, the American Institute in Taiwan (AIT), the International Federation for Human Rights (FIDH), the Mercator Institute for China Studies (MERICS), and Radio Free Asia (RFA), cybersecurity company Recorded Future reports.

The attacks, Recorded Future notes, fall in line with previously observed RedAlpha targeting of entities of interest to the Chinese Communist Party (CCP). Organizations in Taiwan were also targeted, likely for intelligence collection.

The purpose of the campaign has been the harvesting of credentials from the targeted individuals and organizations, to gain access to their email and other communication accounts.

“RedAlpha’s humanitarian and human rights-linked targeting and spoofing of organizations such as Amnesty International and FIDH is particularly concerning given the CCP’s reported human rights abuses in relation to Uyghurs, Tibetans, and other ethnic and religious minority groups in China,” Recorded Future notes.

The cyberespionage group is known for using weaponized websites – which imitate well-known email service providers or specific organizations – in its credential-theft campaigns. Last year saw a spike in the APT's newly registered domains, at more than 350.

Characteristic of this activity were the use of resellerclub[.]com nameservers, the use of virtual private server (VPS) hosting provider Virtual Machine Solutions LLC (VirMach), overlapping WHOIS registrant information (including names, email addresses, and phone numbers), consistent domain naming conventions, and the use of specific server-side components.

The group has registered hundreds of domains typosquatting major email and storage service providers – including Yahoo (135 domains), Google (91), and Microsoft (70) – but also domains typosquatting the ministries of foreign affairs (MOFAs) in multiple countries, Purdue University, Taiwan’s Democratic Progressive Party, as well as the aforementioned and other global government, think tank, and humanitarian organizations.
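For defenders, the traits listed above can be combined into a triage rule over domain-registration records. The following is an added example, not code from Recorded Future or SecurityWeek; the watchlist, the 0.8 similarity threshold, the record field names, the seed registrant address and every sample record are assumptions constructed for illustration.

```python
from difflib import SequenceMatcher

BRANDS = ("yahoo", "google", "microsoft")      # providers named in the article
NS_SUFFIX = "resellerclub.com"                  # nameserver trait from the article
HOSTER = "virmach"                              # hosting trait from the article
SEED_REGISTRANTS = {"registrant@example.net"}   # placeholder, not a real indicator
HOMOGLYPHS = str.maketrans("0135", "oles")      # common digit-for-letter swaps

def brand_lookalike(domain, threshold=0.8):
    """Return the brand a hostname imitates, or None if it does not look like one."""
    labels = domain.lower().rstrip(".").split(".")
    if len(labels) >= 2 and labels[-2] in BRANDS:
        return None  # the brand's own domain (naive: ignores multi-part suffixes)
    for label in labels[:-1]:
        for token in label.translate(HOMOGLYPHS).split("-"):
            for brand in BRANDS:
                if brand in token or SequenceMatcher(None, token, brand).ratio() >= threshold:
                    return brand
    return None

def traits(rec):
    """List which of the article's cluster characteristics a record shows."""
    hits = []
    brand = brand_lookalike(rec["domain"])
    if brand:
        hits.append(f"lookalike:{brand}")
    if any(("." + ns.lower().rstrip(".")).endswith("." + NS_SUFFIX) for ns in rec["nameservers"]):
        hits.append("ns:resellerclub")
    if HOSTER in rec["hosting"].lower():
        hits.append("host:virmach")
    if rec["registrant_email"].lower() in SEED_REGISTRANTS:
        hits.append("whois:overlap")
    return hits

def triage(records, min_traits=2):
    """Keep lookalike domains that also show at least one infrastructure trait."""
    scored = ((rec["domain"], traits(rec)) for rec in records)
    return {d: h for d, h in scored if len(h) >= min_traits and h[0].startswith("lookalike:")}

# Constructed records: every domain, nameserver host and address is a placeholder.
SAMPLE = [
    {"domain": "login.yah00-mail.example", "nameservers": ["ns-placeholder.resellerclub.com"],
     "hosting": "Virtual Machine Solutions LLC (VirMach)", "registrant_email": "registrant@example.net"},
    {"domain": "gooogle-drive.example", "nameservers": ["ns.registrar.example"],
     "hosting": "Example Hosting", "registrant_email": "other@example.org"},
    {"domain": "mail.google.com", "nameservers": ["ns.provider.example"],
     "hosting": "Example Hosting", "registrant_email": "admin@example.org"},
]
print(triage(SAMPLE))
```

A lookalike name alone (the second record) is not escalated here; requiring a second trait keeps the rule focused on the infrastructure pattern rather than on every brand-like registration.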

During the first half of 2021, the cyberespionage group registered at least 16 domains spoofing the Berlin-based non-profit organization MERICS, activity that coincided with the Chinese MOFA imposing sanctions on the think tank.

“In many cases, observed phishing pages mirrored legitimate email login portals for the specific organizations named above. We suspect that this means they were intended to target individuals directly affiliated with these organizations rather than simply imitating these organizations to target other third parties,” Recorded Future says.

Over the past three years, RedAlpha also showed constant focus on targeting Taiwanese entities, including through multiple domains imitating the American Institute in Taiwan (AIT), the de facto embassy of the United States of America in Taiwan.

The hacking group was also observed expanding its campaigns to target Brazilian, Portuguese, Taiwanese, and Vietnamese MOFAs, along with India’s National Informatics Centre (NIC).

“We identified multiple overlaps with previous publicly reported RedAlpha campaigns that allowed us to assess this is very likely a continuation of the group’s activity. Of note, in at least 5 instances the group appeared to re-register previously owned domains after expiry,” Recorded Future notes.

The cybersecurity company has identified a link between RedAlpha and a Chinese information security company – email addresses used to register spoofing domains appear in job listings and other web pages associated with the organization – and believes that the threat actor is operating out of China.

“The group’s targeting closely aligns with the strategic interests of the Chinese government, such as the observed emphasis on China-focused think tanks, civil society organizations, and Taiwanese government and political entities. This targeting, coupled with the identification of likely China-based operators, indicates a likely Chinese state-nexus to RedAlpha activity,” Recorded Future concludes.

Written By

Ionut Arghire is an international correspondent for SecurityWeek.
