RedAlpha carries out multi-year credential theft campaign targeting human rights groups, federal agencies

Recorded Future’s Insikt Group shares details of multiple Chinese state-sponsored cyber espionage and surveillance campaigns conducted by the RedAlpha threat group. These attacks, identified through large-scale automated network traffic analytics and expert analysis, are likely intended to facilitate intelligence collection in support of such abuses.

Over the past three years, Recorded Future said in a report that it observed RedAlpha registering and weaponizing hundreds of domains spoofing organizations. Among the targeted organizations are the International Federation for Human Rights (FIDH), Amnesty International, the Mercator Institute for China Studies (MERICS), Radio Free Asia (RFA), the American Institute in Taiwan (AIT), and other global government, think tank, and humanitarian organizations that fall within the strategic interests of the Chinese government.

“Historically, the group has also engaged in direct targeting of ethnic and religious minorities, including individuals and organizations within Tibetan and Uyghur communities,” Recorded Future, a threat intelligence firm, noted. “As highlighted within this report, in recent years RedAlpha has also displayed a particular interest in spoofing political, government, and think tank organizations in Taiwan, likely in an effort to gather political intelligence.”

Recorded Future also observed RedAlpha consistently registering domains spoofing Taiwanese or Taiwan-based government, think tank, and political organizations. “Notably, this included the registration of multiple domains imitating the AIT, the de facto embassy of the United States of America in Taiwan, during a time of increasing US-China tension regarding Taiwan over the past year. Similar to wider activity, these domains were used in credential-phishing activity using fake login pages for popular email providers such as Outlook, as well as emulating other email software such as Zimbra used by these particular organizations,” it added.

On Tuesday, the Cybersecurity and Infrastructure Security Agency (CISA) and the Multi-State Information Sharing & Analysis Center (MS-ISAC) released a joint Cybersecurity Advisory (CSA) concerning the active exploitation of multiple vulnerabilities against Zimbra Collaboration Suite (ZCS), an enterprise cloud-hosted collaboration software and email platform. Cyber threat actors may also target unpatched ZCS instances across government and private sector networks.

RedAlpha is likely attributable to contractors conducting cyber-espionage activity on behalf of the Chinese state. The current assessment is based on the group’s consistent targeting in line with the strategic interests of the CCP, historical links to personas and a private company situated in the People’s Republic of China (PRC), and the wider regularly documented use of private contractors by Chinese intelligence agencies. 

“Chinese intelligence services’ use of private contractors is also an established trend, with groups such as APT3, APT10, RedBravo (APT31), and APT40 all identified as contractors working for China’s Ministry of State Security (MSS),” according to the Recorded Future report. “In the case of RedAlpha, the group’s targeting closely aligns with the strategic interests of the Chinese government, such as the observed emphasis on China-focused think tanks, civil society organizations, and Taiwanese government and political entities. This targeting, coupled with the identification of likely China-based operators, indicates a likely Chinese state-nexus to RedAlpha activity.”

The Recorded Future report said that in the activity, RedAlpha very likely sought to gain access to email accounts and other online communications of targeted individuals and organizations. “RedAlpha’s humanitarian and human rights-linked targeting and spoofing of organizations, such as Amnesty International and FIDH is particularly concerning given the CCP’s reported human rights abuses in relation to Uyghurs, Tibetans, and other ethnic and religious minority groups in China,” it adds.

The report said that although it has been controlling large amounts of operational infrastructure and maintaining a high operational tempo since at least 2015, there has been minimal public reporting on RedAlpha activity over the past several years. 

“First identified by CitizenLab in 2018, the group was observed conducting credential-phishing operations targeting the Tibetan community and other ethnic minorities, as well as social movements, a media group, and government agencies in South and Southeast Asia,” according to the report. “In June 2018, we published activity linked to 2 RedAlpha campaigns that also targeted the Tibetan community to ultimately deploy the open-source malware family NjRAT. These 2 campaigns overlapped with the CitizenLab reporting based on matching WHOIS registrant data, common targeting of the Tibetan community, and hosting overlaps.”

Generally, organizations and individuals associated with ethnic and religious minorities within the PRC, particularly those within the so-called ‘Five Poisons,’ have been a frequent target for cyber threat activity groups linked to Chinese intelligence agencies over many years. “This has included RedDelta (Mustang Panda, TA416) targeting the Vatican and organizations linked to Tibetan and Hong Kong Catholic communities; Chinese Ministry of State Security (MSS) contractors targeting emails belonging to Chinese Christian religious figures; APT41 (Barium) conducting reconnaissance on activists and other individuals associated with Hong Kong’s pro-democracy movement; and the use of zero-day vulnerabilities to target members of the Uyghur community,” the report adds.  

Recorded Future has identified multiple overlaps with previous publicly reported RedAlpha campaigns that “allowed us to assess this is very likely a continuation of the group’s activity. Of note, in at least 5 instances the group appeared to re-register previously owned domains after expiry. An alternative hypothesis we considered is whether a separate actor registered these domains in an attempt to emulate RedAlpha activity and conduct similar credential-theft targeting in line with Chinese state interests,” it adds.

However, based on additional evidence linking this more recent activity to historically reported campaigns, “we believe that this is unlikely and that it instead constitutes a continuation of RedAlpha activity. The re-registration of previously owned domains may instead be a product of multiple factors such as the sheer volume of domains registered by the group, poor infrastructure management, and the repetitive nature of naming conventions used,” the report adds. 

Recorded Future assesses that Chinese state-sponsored groups continue to aggressively target dissident and minority groups and individuals, both domestically through state surveillance and internationally through cyber-enabled intrusion activity. “This targeting of sensitive and vulnerable communities, many of which have security budget and resources constraints, is particularly concerning,” it adds.

Based on the threat landscape, the Recorded Future report proposed measures to detect and mitigate activity associated with RedAlpha. It recommends configuring intrusion detection systems (IDS), intrusion prevention systems (IPS), or any other network defense mechanisms to alert on that activity and, upon review, to consider blocking the connection attempts. It also recommends using strong passwords.

The report also called for monitoring for domain abuse, such as typosquat domains spoofing organizations and vendors. It further recommends enforcing strong security awareness through interactive exercises that train users to recognize phishing emails and to exercise caution when clicking on links or opening attachments, so that accounts are less susceptible to unauthorized logins. It also suggests monitoring for unusual and anomalous account login patterns, for example by watching for the unexpected use of anonymization services such as Tor or commercial VPNs.
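The lookalike-domain monitoring recommended above, as an added example that is not code from the Recorded Future report or from any organization it names: it checks a feed of newly observed domains against a watch list of the organizations named in the article and explains why each one was flagged. The legitimate domains in WATCHED and the public-suffix shortcut are assumptions for illustration; the sample feed is constructed.

```python
# Added example, not code from the Recorded Future report or any organisation it names:
# flags newly observed domains resembling a watched organisation's domain, the typosquat /
# lookalike monitoring the report recommends. Legitimate domains in WATCHED are assumed.
WATCHED = {"amnesty": "amnesty.org", "fidh": "fidh.org", "merics": "merics.org",
           "rfa": "rfa.org", "ait": "ait.org.tw"}      # brand label -> legitimate domain
TWO_PART_SUFFIXES = {"org.tw", "gov.tw", "com.tw", "co.uk", "org.uk"}  # simplified suffix list

def levenshtein(a, b):
    """Plain edit distance, row-by-row dynamic programming."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def registrable_label(host):
    """Second-level label: 'ait' for 'mail.ait.org.tw', 'amnesty-login' for 'amnesty-login.com'."""
    parts = host.split(".")
    if len(parts) >= 3 and ".".join(parts[-2:]) in TWO_PART_SUFFIXES:
        return parts[-3]
    return parts[-2] if len(parts) >= 2 else parts[0]

def spoof_reasons(domain):
    """Return (brand, reason) pairs; an empty list means nothing suspicious was found."""
    host = domain.lower().strip(".")
    label = registrable_label(host)
    hits = []
    for brand, legit in WATCHED.items():
        if host == legit or host.endswith("." + legit):
            continue                                           # the real domain or its subdomain
        if ("." + legit + ".") in ("." + host + "."):
            hits.append((brand, "real domain embedded in hostname"))   # amnesty.org.example.com
        elif label == brand:
            hits.append((brand, "same label, different suffix"))       # merics.co
        elif len(brand) >= 5 and levenshtein(label, brand) <= (2 if len(brand) >= 7 else 1):
            hits.append((brand, "lookalike label"))                    # amensty.org
        elif brand in label.split("-"):
            hits.append((brand, "brand token in label"))               # webmail-rfa.org
        elif len(brand) >= 5 and brand in label:
            hits.append((brand, "brand embedded in label"))            # amnestylogin.com
    return hits   # short brands such as 'ait' only match as whole tokens, so 'wait.com' stays clean

if __name__ == "__main__":
    # Constructed sample feed of newly observed domains
    for dom in ["amnesty.org", "mail.amnesty.org", "amensty.org", "amnesty-login.com",
                "fidh-org.com", "merics.co", "ait-tw.com", "wait.com", "amnesty.org.example.com"]:
        print(dom, "->", spoof_reasons(dom) or "clean")
```

In practice the feed would come from certificate transparency logs or a newly-registered-domain source, and flagged entries would be reviewed before any blocking, as the report advises.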

In June, Recorded Future ​​identified several government entities in Latin America (LATAM) that have been affected by ransomware attacks, likely involving Russian or Russian-speaking hackers, beginning on or around April this year. The credibility of ransomware attacks on LATAM government entities is high, based on analysis of leaked sample data, threat actor indications, historical activities, patterns, and trends related to tracked ransomware operators and affiliates.
