For the past three years, Chinese state-sponsored cyberespionage group RedAlpha has been observed targeting numerous government organizations, humanitarian entities, and think tanks.
Also tracked as Deepcliff and Red Dev 3, the advanced persistent threat (APT) actor has been active since at least 2015, focused on intelligence collection, including the surveillance of ethnic and religious minorities, such as the Tibetan and Uyghur communities.
Since 2018, RedAlpha has been registering hundreds of domains spoofing global government, think tank, and humanitarian organizations, including Amnesty International, the American Institute in Taiwan (AIT), the International Federation for Human Rights (FIDH), the Mercator Institute for China Studies (MERICS), and Radio Free Asia (RFA), cybersecurity company Recorded Future reports.
The attacks, Recorded Future notes, fall in line with previously observed RedAlpha targeting of entities of interest to the Chinese Communist Party (CCP). Organizations in Taiwan were also targeted, likely for intelligence collection.
The purpose of the campaign has been the harvesting of credentials from the targeted individuals and organizations, to gain access to their email and other communication accounts.
“RedAlpha’s humanitarian and human rights-linked targeting and spoofing of organizations such as Amnesty International and FIDH is particularly concerning given the CCP’s reported human rights abuses in relation to Uyghurs, Tibetans, and other ethnic and religious minority groups in China,” Recorded Future notes.
The cyberespionage group is known for the use of weaponized websites – which imitate well-known email service providers or specific organizations – as part of its credential-theft campaigns, but last year the APT registered more than 350 new domains, a notable spike.
Characteristic of this activity were the use of resellerclub[.]com nameservers, the use of virtual private server (VPS) hosting provider Virtual Machine Solutions LLC (VirMach), overlapping WHOIS registrant information (including names, email addresses, and phone numbers), consistent domain naming conventions, and the use of specific server-side components.
The group has registered hundreds of domains typosquatting major email and storage service providers – including Yahoo (135 domains), Google (91), and Microsoft (70) – but also domains typosquatting the ministries of foreign affairs (MOFAs) in multiple countries, Purdue University, Taiwan’s Democratic Progressive Party, as well as the aforementioned and other global government, think tank, and humanitarian organizations.
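The two preceding paragraphs describe how a defender or analyst would recognise this kind of activity: brand lookalikes in new domain registrations, and pivots on shared nameservers, hosting, and WHOIS contact details. The script below is an added illustration of that triage logic, written for this article; it is not code from Recorded Future's report, and every domain, nameserver, email address, and phone number in it is a constructed placeholder, not an indicator from the campaign. It scores each registration for brand lookalikes (homoglyph normalisation, brand-token containment, edit distance) and then groups registrations that share a registrant email or phone, reporting the nameservers each group uses as context.

```python
"""Lookalike-domain triage over a constructed feed of new registrations.

Added example for this article (not Recorded Future's tooling). All values
in SAMPLE_REGISTRATIONS are constructed placeholders under .example.
"""
from collections import defaultdict
from dataclasses import dataclass

# Brands the defender watches for (constructed list; extend as needed).
WATCHED_BRANDS = ["yahoo", "google", "microsoft", "outlook", "mofa"]

# Digit-for-letter substitutions commonly seen in lookalike labels.
DIGIT_HOMOGLYPHS = str.maketrans("0135", "oles")


@dataclass(frozen=True)
class Registration:
    domain: str
    nameserver: str
    registrant_email: str
    phone: str


def normalise(label: str) -> str:
    """Collapse common visual tricks ('rn' for 'm', 'vv' for 'w', digits for letters)."""
    return label.lower().replace("rn", "m").replace("vv", "w").translate(DIGIT_HOMOGLYPHS)


def levenshtein(a: str, b: str) -> int:
    """Plain edit distance (substitution, insertion, deletion each cost 1)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def lookalike_brand(domain: str):
    """Return (brand, reason) if the registrable label imitates a watched brand, else None."""
    labels = domain.lower().split(".")
    # Naive second-level label; assumes no multi-part public suffixes such as co.uk.
    label = labels[-2] if len(labels) >= 2 else labels[0]
    tokens = normalise(label).replace("_", "-").split("-")
    for brand in WATCHED_BRANDS:
        if brand in tokens:
            return brand, "brand token embedded in label"
    for brand in WATCHED_BRANDS:
        limit = 1 if len(brand) <= 6 else 2  # allow one typo, two for long brands
        for tok in tokens:
            dist = levenshtein(tok, brand)
            if dist <= limit:
                return brand, f"edit distance {dist} from brand"
    return None


def triage(regs):
    """Union registrations sharing a registrant email or phone; count lookalike hits per group."""
    parent = {r.domain: r.domain for r in regs}

    def find(d):
        while parent[d] != d:
            parent[d] = parent[parent[d]]
            d = parent[d]
        return d

    pivots = defaultdict(list)
    for r in regs:
        pivots[("email", r.registrant_email)].append(r.domain)
        pivots[("phone", r.phone)].append(r.domain)
    for members in pivots.values():
        for d in members[1:]:
            parent[find(d)] = find(members[0])

    groups = defaultdict(list)
    for r in regs:
        groups[find(r.domain)].append(r)

    report = []
    for members in groups.values():
        hits = {r.domain: lookalike_brand(r.domain) for r in members}
        report.append({
            "domains": sorted(r.domain for r in members),
            "lookalikes": {d: h for d, h in hits.items() if h},
            # Nameservers are reported as context only: a reseller's nameservers
            # also serve many unrelated customers, so they are not a linking key here.
            "nameservers": sorted({r.nameserver for r in members}),
        })
    report.sort(key=lambda c: (-len(c["lookalikes"]), c["domains"][0]))
    return report


# Constructed sample feed: four linked lookalikes, one isolated lookalike, one benign domain.
SAMPLE_REGISTRATIONS = [
    Registration("yah00-mail-signin.example", "ns1.reseller-example.net", "ops-alpha@mailer.example", "+1-000-000-0001"),
    Registration("rnicrosoft-account.example", "ns1.reseller-example.net", "ops-alpha@mailer.example", "+1-000-000-0001"),
    Registration("mofa-webmail-login.example", "ns2.reseller-example.net", "ops-beta@mailer.example", "+1-000-000-0001"),
    Registration("goog1e-drive.example", "ns2.reseller-example.net", "ops-beta@mailer.example", "+1-000-000-0002"),
    Registration("mircosoft.example", "ns9.other-host.example", "unrelated@mailer.example", "+1-000-000-0009"),
    Registration("gardening-club.example", "ns1.reseller-example.net", "hobbyist@mailer.example", "+1-000-000-0005"),
]

if __name__ == "__main__":
    for cluster in triage(SAMPLE_REGISTRATIONS):
        print(len(cluster["lookalikes"]), "lookalike(s):", cluster)
```

Two points about the design: linking is done only on contact details (email, phone), because a shared commodity nameserver or VPS provider on its own ties together far too many unrelated customers; and the homoglyph normalisation is deliberately lossy (it turns "modern" into "modem"), which is acceptable for a triage score but not for an automated block. Since live WHOIS is usually redacted, the contact pivots in practice come from historical WHOIS or registrar data rather than a current lookup.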
During the first half of 2021, the cyberespionage group registered at least 16 domains spoofing the Berlin-based non-profit organization MERICS, activity that coincided with the Chinese MOFA imposing sanctions on the think tank.
“In many cases, observed phishing pages mirrored legitimate email login portals for the specific organizations named above. We suspect that this means they were intended to target individuals directly affiliated with these organizations rather than simply imitating these organizations to target other third parties,” Recorded Future says.
Over the past three years, RedAlpha has also maintained a consistent focus on Taiwanese entities, including through multiple domains imitating the American Institute in Taiwan (AIT), the de facto embassy of the United States of America in Taiwan.
The hacking group was also observed expanding its campaigns to target Brazilian, Portuguese, Taiwanese, and Vietnamese MOFAs, along with India’s National Informatics Centre (NIC).
“We identified multiple overlaps with previous publicly reported RedAlpha campaigns that allowed us to assess this is very likely a continuation of the group’s activity. Of note, in at least 5 instances the group appeared to re-register previously owned domains after expiry,” Recorded Future notes.
The cybersecurity company has identified a link between RedAlpha and a Chinese information security company – email addresses used to register spoofing domains appear in job listings and other web pages associated with the organization – and believes that the threat actor is operating out of China.
“The group’s targeting closely aligns with the strategic interests of the Chinese government, such as the observed emphasis on China-focused think tanks, civil society organizations, and Taiwanese government and political entities. This targeting, coupled with the identification of likely China-based operators, indicates a likely Chinese state-nexus to RedAlpha activity,” Recorded Future concludes.