A hacking group backed by the Chinese government has been targeting politicians and human rights groups for the last three years, a new report claims. RedAlpha has been carrying out espionage, theft and surveillance while its operatives lurk “quietly” inside affected systems, the study says.
The report from cybersecurity company Recorded Future found multiple instances of RedAlpha registering and weaponising hundreds of domains, most of which spoofed organisations working in fields considered “strategic interests of the Chinese government”.
This included the International Federation for Human Rights (FIDH), Amnesty International, the Mercator Institute for China Studies (MERICS), Radio Free Asia (RFA), the American Institute in Taiwan (AIT) and other global government, think tank and humanitarian organisations.
The report also contains evidence of RedAlpha spoofing the domain names of political, government and think tank organisations operating in Taiwan, which Recorded Future says is being done in a bid to gather political intelligence for the Chinese government. This is based on the fact that the target list discovered during the research is “consistently in line with the interests of the Chinese Communist Party”. Tensions around Taiwan – which China has long sought to bring under its control – have heightened in recent weeks, following a visit to the country by US House of Representatives speaker Nancy Pelosi.
“In this activity, RedAlpha very likely sought to gain access to email accounts and other online communications of targeted individuals and organisations,” Recorded Future’s report states. “RedAlpha’s humanitarian and human rights-linked targeting and spoofing of organisations such as Amnesty International and FIDH is particularly concerning given the CCP’s reported human rights abuses in relation to Uyghurs, Tibetans and other ethnic and religious minority groups in China.”
A Chinese government spokesperson quoted by MIT Technology Review said that the country opposes all cyber attacks, adding it would “never encourage, support, or connive” to make them happen.
Chinese hackers ‘not on the hunt for glory’
Shelly Kramer, principal analyst and founding partner at Futurum Research, says such attacks are not new but remain deeply worrying. “Chinese hackers are known for their stealth, and it is because they’re not on the hunt for glory,” she says. This sets them apart from ransomware gangs and other hacking groups, which are often quick to publicise their activities and taunt victims on social media.
Kramer continues: “Chinese hackers engage in highly targeted attacks, are incredibly patient and they want access for as long as they can remain undiscovered.” She adds that they are known to pay close attention to published vulnerabilities, scanning for unpatched systems and very commonly exploiting vulnerabilities in Microsoft Office and other commonly used platforms.
In most cases these attacks come in through email and phishing attempts, prompting Kramer to say organisations and individuals need to be cautious about attachments. The attacks also work by spoofing domains for use in credential-theft campaigns.
Often they’ll imitate a well-known email service provider and spoof specific organisations during the campaign. There was a significant increase in the volume of domains registered by the group last year, according to the report, up to about 350 domain names.
Among these were 135 domain names similar to Yahoo Mail, 91 Google-like domains and 70 linked to Microsoft-related mail services. Outside of email there were also a large number of domains linked to humanitarian, think tank and government organisations.
They then created phishing pages that mirrored legitimate email login portals for the specific organisations being targeted or mimicked. “We suspect that this means they were intended to target individuals directly affiliated with these organisations rather than simply imitating these organisations to target other third parties,” the report authors claim.
“In other cases, the phishing pages used generic login pages for popular mail providers and the intended targeting was ambiguous. The group has used basic PDF files containing links to the identified phishing sites, typically stating that a user needs to click the link to preview or download files.”
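The domain spoofing described above lends itself to a simple defender-side check on newly registered or newly observed domains. The following is an added example, not code from the article or from Recorded Future; the brand list, the allowlist of genuine provider domains and the sample domains are assumptions constructed for illustration:

```python
# Added example, not code from the article or the Recorded Future report: a
# defender-side check that flags domains resembling the mail providers the
# report says were spoofed. Sample domains are constructed, not real indicators.
# Brand token -> provider; this mapping is an assumption of the example.
BRANDS = {"yahoo": "Yahoo", "google": "Google", "gmail": "Google",
          "microsoft": "Microsoft", "outlook": "Microsoft", "hotmail": "Microsoft"}
# Genuine registrable domains that must never be flagged (two-label form only;
# a real deployment would use the public-suffix list to handle e.g. .co.uk).
LEGIT = {"yahoo.com", "google.com", "gmail.com", "microsoft.com",
         "outlook.com", "hotmail.com", "live.com"}

def levenshtein(a: str, b: str) -> int:
    """Edit distance; catches typo variants such as 'yaho0' or 'micros0ft'."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def classify(domain: str, max_dist: int = 1):
    """Return the provider a domain imitates, or None if legitimate/unrelated.
    Hyphen-split tokens of each label (TLD dropped) are checked for an exact
    brand substring, then for a near miss within max_dist edits; near misses
    only count for tokens at least as long as the brand, so a plain 'mail'
    label is not reported as a 'gmail' variant."""
    labels = domain.lower().rstrip(".").split(".")
    if ".".join(labels[-2:]) in LEGIT:
        return None
    tokens = [t for label in labels[:-1] for t in label.split("-") if t]
    for tok in tokens:
        for brand, provider in BRANDS.items():
            if brand in tok:
                return provider
    for tok in tokens:
        for brand, provider in BRANDS.items():
            if len(tok) >= len(brand) and levenshtein(tok, brand) <= max_dist:
                return provider
    return None

def tally(domains):
    """Count domains per imitated provider, the way the report groups them."""
    counts = {}
    for d in domains:
        key = classify(d) or "other"
        counts[key] = counts.get(key, 0) + 1
    return counts

# Constructed sample feed (not real RedAlpha infrastructure).
SAMPLE = ["mail-yahoo-login.example", "yaho0.example", "accounts-gooogle.example",
          "micros0ft-mail.example", "outlook.com", "mail.humanrights-ngo.example"]
```

Running `tally(SAMPLE)` on the constructed feed groups it into two Yahoo-like, one Google-like and one Microsoft-like domain plus two that pass; in practice the same check would run over a certificate-transparency or new-domain feed and feed an allow/block review queue rather than an automatic block.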
State-backed cybercriminals an ongoing problem for businesses
Kramer says the hacks are ongoing and much of the data gathered by hacking groups is then made available to buy on the dark web. In one example cited by Recorded Future, a large leak of 3.2 billion passwords contained 1.5 million records tied to US government email services.
“It’s a big problem and one that isn’t going away,” she says. “Unfortunately, many of the organisations targeted, especially government institutions, don’t always have the most up-to-date cybersecurity protections in place and their IT teams may or may not be using state-of-the-art threat detection solutions.
“Equally important, data from IBM shows that it usually takes enterprises almost a year before they knew they had been attacked and eventually learned to contain it.”
Kramer says a survey conducted by Futurum revealed that organisations are operating without utilising security dashboards or having full-time, round-the-clock security protocols in place. “What is ironic and not at all surprising is that those operating without those protections in place believe their organisations have not been breached; those operating with those protections in place know very well that cyberattacks happen on a daily basis — because they can see and prevent them,” she says.
When it comes to security, the reality is that the human element is the weakest element and the easiest for hackers to compromise, Kramer adds. “Credential theft, insider threats, email/SMS scams, social engineering — all are designed to trick humans into clicking a link, downloading something, sharing something — and they work,” she says. “That’s why [a] zero-trust approach, confidential computing and other solutions are and should be top of mind for organisations today. The threat is not going to abate in any way.”