Recorded Future details RedHotel, a prolific Chinese state-sponsored group targeting global organizations

New research published by Recorded Future’s Insikt Group identifies RedHotel, a Chinese state-sponsored threat activity group that stands out due to its persistence, operational intensity, and global reach. The group’s operations span 17 countries in Asia, Europe, and North America from 2021 to 2023, targeting academia, aerospace, government, media, telecommunications, and research sectors. 

Particularly focused on Southeast Asia’s governments and private companies in specified sectors, RedHotel’s infrastructure for malware command-and-control, reconnaissance, and exploitation points to administration in Chengdu, China. Its methods align with other contractor groups linked to China’s Ministry of State Security (MSS), indicating a nexus of cyber talent and operations in Chengdu.

Research data revealed that the majority of observed victim organizations were government organizations, including prime ministers’ offices, finance ministries, legislative bodies, and interior ministries, aligning with the group’s likely espionage tasking. However, on some occasions, such as the group’s targeting of the Industrial Technology Research Institute (ITRI) in Taiwan, reported in July 2021, or of COVID-19 research, the likely motivation was industrial and economic espionage.

The group’s historical targeting of the online gambling industry catering to the Chinese market is also indicative of wider trends across China-based cyber-espionage actors observed by Insikt Group and is likely in part intended to gather intelligence in support of wider crackdowns on online gambling by the Chinese government.

“We identified RedHotel employing a multi-tiered infrastructure network for malware command-and-control (C2), reconnaissance, and exploitation, and observed likely administration of this infrastructure from China-based IP addresses geolocating to Chengdu, Sichuan province, China,” Recorded Future revealed in its latest research report. “Earlier industry findings on RedHotel activity also further corroborate that the group likely operates out of Chengdu.”

Additionally, the report pointed out that RedHotel’s targeting purview, tooling, and modus operandi closely resemble the operations of other private contractor groups affiliated with China’s Ministry of State Security (MSS), including other Chengdu-based threat activity groups, such as RedGolf (aka APT41, Brass Typhoon).

The research added that the well-documented activity of multiple MSS-linked contractors located in Chengdu, several of which have displayed close ties to local universities, provides evidence that the city is likely a hub of MSS-linked cyber talent development and operations. “Organizations can defend against RedHotel activity by prioritizing hardening and vulnerability patching of internet-facing appliances (particularly corporate VPN, mail server, and network devices), logging and monitoring of these devices, and implementing network segmentation to limit exposure and lateral movement potential to internal networks.”

Based on targeting trends, RedHotel likely operates with a mission of both intelligence gathering and economic espionage, the report said. The group has frequently targeted government organizations for traditional intelligence collection, but has also engaged in the targeting of COVID-19 research and technology R&D organizations. 

Last July, RedHotel likely compromised a US state legislature, with infrastructure linked to this organization observed regularly communicating with RedHotel-attributed ShadowPad and Cobalt Strike C2 IP addresses. RedHotel has operated two distinct infrastructure clusters, with one largely dedicated to reconnaissance and initial access operations and a second to maintaining long-term access to targeted networks using C2 servers.

Additionally, the group has been active since at least 2019 and employs a mixture of offensive security tools (such as Cobalt Strike and Brute Ratel), closed-source but shared capabilities (such as ShadowPad and Winnti), and bespoke tooling (such as Spyder and FunnySwitch) across campaigns.

To date, Insikt Group has observed ShadowPad being used by at least 13 distinct Chinese state-sponsored threat activity groups, including multiple groups associated with either the Chinese Ministry of State Security (MSS) or the People’s Liberation Army (PLA).

“RedHotel has been a frequent user of the custom modular backdoor ShadowPad since at least 2019. The group has also been one of the primary users of the bespoke packing mechanism ScatterBee (also known as ShadowShredder and PoppingBee) to obfuscate ShadowPad payloads, as has been well-documented in public reporting,” the research disclosed. 

Furthermore, “third-party reporting suggests that ShadowPad was potentially originally developed by RedGolf (APT41, Brass Typhoon) operators, a group of contractors with ties to the MSS. RedGolf was also the first observed ShadowPad user from at least 2015 before the malware family began to be shared more widely across China state-sponsored groups from approximately 2019 onwards.”

Organizations must configure intrusion detection systems (IDS), intrusion prevention systems (IPS), or any network defense mechanisms in place to alert on, and upon review, consider blocking connection attempts to and from. They must also ensure a risk-based approach for patching vulnerabilities, prioritizing high-risk vulnerabilities and those being exploited in the wild as determined through the Recorded Future Vulnerability Intelligence module, and ensure security monitoring and detection capabilities are in place for all external-facing services and devices.

Furthermore, organizations must practice network segmentation and ensure special protections exist for sensitive information, and monitor for domain abuse. Additionally, Recorded Future proactively detects malicious server configurations and provides means to block them in the C2 Security Control Feed. 

Recorded Future’s Insikt Group continues to track a wide range of Chinese state-sponsored threat actors conducting intelligence collection and economic espionage activity globally. “As a whole, People’s Republic of China (PRC)-affiliated cyber operations are conducted at a considerably greater scale and with a wider targeting scope compared to all other state-backed activity tracked by Recorded Future. Since at least 2019, RedHotel has exemplified this relentless scope and scale of wider PRC state-sponsored cyber-espionage activity through maintaining a high operational tempo and targeting public and private sector organizations globally,” it added.

It also disclosed that one of the RedHotel campaigns analyzed within this report employed the use of a stolen code signing certificate belonging to a Taiwanese gaming company and abused compromised Vietnamese government infrastructure for malware command-and-control of the Brute Ratel C4 offensive security tool. 

“This campaign showed RedHotel’s willingness to innovate and add additional tooling beyond its well-established toolset. As noted, we also observed RedHotel targeting a US state legislature using the ShadowPad and CobaltStrike malware families, indicating that the group’s government targeting extends beyond regional interests,” the research report added. “Based on historical precedent, we expect RedHotel to continue this activity unperturbed, with the group regularly displaying a high operational risk appetite in the face of public industry reporting.”
