Chinese Cyberspy Group ‘RedAlpha’ Targeting Governments, Humanitarian Entities

For the past three years, Chinese state-sponsored cyberespionage group RedAlpha has been observed targeting numerous government organizations, humanitarian entities, and think tanks.

Also tracked as Deepcliff and Red Dev 3, the advanced persistent threat (APT) actor has been active since at least 2015, focused on intelligence collection, including the surveillance of ethnic and religious minorities, such as the Tibetan and Uyghur communities.

Since 2018, RedAlpha has been registering hundreds of domains spoofing global government, think tank, and humanitarian organizations, including Amnesty International, the American Institute in Taiwan (AIT), the International Federation for Human Rights (FIDH), the Mercator Institute for China Studies (MERICS), and Radio Free Asia (RFA), cybersecurity company Recorded Future reports.

The attacks, Recorded Future notes, fall in line with previously observed RedAlpha targeting of entities of interest to the Chinese Communist Party (CCP). Organizations in Taiwan were also targeted, likely for intelligence collection.

The campaign's purpose is credential harvesting: stealing the logins of targeted individuals and organizations in order to gain access to their email and other communication accounts.

“RedAlpha’s humanitarian and human rights-linked targeting and spoofing of organizations such as Amnesty International and FIDH is particularly concerning given the CCP’s reported human rights abuses in relation to Uyghurs, Tibetans, and other ethnic and religious minority groups in China,” Recorded Future notes.

The cyberespionage group is known for using weaponized websites that imitate well-known email service providers or specific organizations as part of its credential-theft campaigns, and 2021 alone saw a spike of more than 350 newly registered domains attributed to the APT.

Characteristic of this activity, and the traits that let the domains be tied together, were the use of resellerclub[.]com nameservers, hosting with virtual private server (VPS) provider Virtual Machine Solutions LLC (VirMach), overlapping WHOIS registrant information (including names, email addresses, and phone numbers), consistent domain naming conventions, and the reuse of specific server-side components.

The group has registered hundreds of domains typosquatting major email and storage service providers, including Yahoo (135 domains), Google (91), and Microsoft (70), but also domains typosquatting the ministries of foreign affairs (MOFAs) of multiple countries, Purdue University, Taiwan's Democratic Progressive Party, and the aforementioned and other global government, think tank, and humanitarian organizations.
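The two paragraphs above describe the kind of pivoting an analyst does on this activity: flag domains whose labels impersonate a brand, then widen from one hit to every domain sharing the same registrant contact or nameservers. The following script is an added example of that triage, written for this page and not taken from the article or from Recorded Future's report. Every record in it is constructed under the reserved .test TLD, none of the domains or contact values are real RedAlpha indicators, and the leet-substitution table, the edit-distance threshold, and the WHOIS field names are this example's own assumptions.

```python
"""Cluster candidate phishing domains by brand-lookalike naming and by shared
registration artefacts (registrant email/phone, nameservers).

Added illustration for this page; not tooling from the article or from Recorded
Future.  All records below are constructed and no domain is a real indicator.
"""
from collections import defaultdict

# Brands the article names as spoofed.  Short names such as "ait" or "rfa" are
# left out on purpose: a 3-letter brand under an edit-distance rule is pure noise.
BRANDS = ("yahoo", "google", "microsoft", "outlook", "amnesty", "merics", "purdue")

# Digit-for-letter substitutions often seen in squatted labels (assumption).
LEET = str.maketrans({"0": "o", "1": "l", "3": "e", "4": "a", "5": "s", "7": "t"})


def defang_to_domain(raw: str) -> str:
    """'Mail-Yaho0[.]TEST' -> 'mail-yaho0.test': undo defanging, lowercase, drop root dot."""
    return raw.strip().lower().replace("[.]", ".").replace("(.)", ".").rstrip(".")


def levenshtein(a: str, b: str) -> int:
    """Plain edit distance; inputs are short labels, so the full DP table is fine."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def lookalike_brand(domain: str, brands=BRANDS):
    """Return (brand, reason) when a label impersonates a brand, else None.

    Checks, in order: a brand embedded in a leet-normalised label
    ('mail-yaho0-verify'), then any hyphen-separated token within edit distance 1
    of a brand of at least five characters ('outlok').  The TLD is ignored.
    """
    for label in domain.split(".")[:-1]:
        norm = label.translate(LEET)
        for brand in brands:
            if brand in norm:
                return brand, "substring"
        for tok in norm.split("-"):
            for brand in brands:
                if (len(brand) >= 5 and abs(len(tok) - len(brand)) <= 1
                        and levenshtein(tok, brand) <= 1):
                    return brand, "edit-distance-1"
    return None


def pivot(records, fields=("registrant_email", "registrant_phone", "nameserver")):
    """Map (field, value) -> sorted domains for every artefact shared by 2+ domains.

    This is the widening step: one phishing domain leads to the whole set that
    reused the same registrant contact or nameservers.
    """
    buckets = defaultdict(set)
    for r in records:
        dom = defang_to_domain(r["domain"])
        for f in fields:
            if r.get(f):
                buckets[(f, r[f].strip().lower())].add(dom)
    return {k: sorted(v) for k, v in buckets.items() if len(v) > 1}


def triage(records):
    """Flag lookalike domains and attach the infrastructure clusters each belongs to."""
    membership = defaultdict(list)
    for key, doms in pivot(records).items():
        for d in doms:
            membership[d].append(key)
    flagged = []
    for r in records:
        dom = defang_to_domain(r["domain"])
        hit = lookalike_brand(dom)
        if hit:
            flagged.append({"domain": dom, "brand": hit[0], "reason": hit[1],
                            "shared": membership.get(dom, [])})
    return flagged


# Constructed WHOIS / passive-DNS style records under the reserved .test TLD.
RECORDS = [
    {"domain": "mail-yaho0-verify[.]test", "registrant_email": "ops-a@mailer.test",
     "nameserver": "ns1.reseller-sample.test"},
    {"domain": "login-micros0ft-account[.]test", "registrant_email": "ops-a@mailer.test",
     "nameserver": "ns1.reseller-sample.test"},
    {"domain": "merics-mail[.]test", "registrant_email": "ops-b@mailer.test",
     "registrant_phone": "+1.5550100", "nameserver": "ns1.reseller-sample.test"},
    {"domain": "amnesty-secure-login[.]test", "registrant_phone": "+1.5550100",
     "nameserver": "ns2.other.test"},
    {"domain": "outlok-mail[.]test", "registrant_email": "ops-b@mailer.test",
     "nameserver": "ns1.reseller-sample.test"},
    {"domain": "legit-corp[.]test", "registrant_email": "admin@legit-corp.test",
     "nameserver": "ns1.legit.test"},
]

if __name__ == "__main__":
    for hit in triage(RECORDS):
        print(f"{hit['domain']:32} {hit['brand']:10} {hit['reason']:16} shared={hit['shared']}")
```

Run against real WHOIS or passive-DNS exports, the `shared` list is the part worth reading: a single lookalike domain is weak evidence, but several lookalikes that also share a registrant email or nameserver pair is the overlap the article describes, and it is what separates a campaign from stray typosquats. Keep the brand list to names long enough that edit distance 1 does not match ordinary words.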

During the first half of 2021, the cyberespionage group registered at least 16 domains spoofing the Berlin-based non-profit organization MERICS, activity that coincided with the Chinese MOFA imposing sanctions on the think tank.

“In many cases, observed phishing pages mirrored legitimate email login portals for the specific organizations named above. We suspect that this means they were intended to target individuals directly affiliated with these organizations rather than simply imitating these organizations to target other third parties,” Recorded Future says.

Over the past three years, RedAlpha also showed constant focus on targeting Taiwanese entities, including through multiple domains imitating the American Institute in Taiwan (AIT), the de facto embassy of the United States of America in Taiwan.

The hacking group was also observed expanding its campaigns to target Brazilian, Portuguese, Taiwanese, and Vietnamese MOFAs, along with India’s National Informatics Centre (NIC).

“We identified multiple overlaps with previous publicly reported RedAlpha campaigns that allowed us to assess this is very likely a continuation of the group’s activity. Of note, in at least 5 instances the group appeared to re-register previously owned domains after expiry,” Recorded Future notes.

The cybersecurity company has also identified a link between RedAlpha and a Chinese information security company: email addresses used to register the spoofing domains appear in job listings and other web pages associated with that organization. On that basis, Recorded Future believes the threat actor is operating out of China.

“The group’s targeting closely aligns with the strategic interests of the Chinese government, such as the observed emphasis on China-focused think tanks, civil society organizations, and Taiwanese government and political entities. This targeting, coupled with the identification of likely China-based operators, indicates a likely Chinese state-nexus to RedAlpha activity,” Recorded Future concludes.

Written By

Ionut Arghire is an international correspondent for SecurityWeek.
