China-linked RedAlpha behind multi-year credential theft campaign

A China-linked APT group named RedAlpha is behind a long-running mass credential theft campaign aimed at organizations worldwide.

Recorded Future researchers attributed a long-running mass credential theft campaign to a Chinese nation-state actor tracked RedAlpha. The campaign targeted global humanitarian, think tank, and government organizations.

Experts believe RedAlpha is a group of contractors conducting cyber-espionage activity on behalf of China. Recorded Future identified a link between RedAlpha and a Chinese information security company, whose name appears in the registration of multiple RedAlpha domains. The company called “Nanjing Qinglan Information Technology Co., Ltd.” is now known as “Jiangsu Cimer Information Security Technology Co. Ltd.

“In this activity, RedAlpha very likely sought to gain access to email accounts and other online communications of targeted individuals and organizations.” reads the report published by Recorded Future.

“RedAlpha’s humanitarian and human rights-linked targeting and spoofing of organizations such as Amnesty International and FIDH is particularly concerning given the CCP’s reported human rights abuses in relation to Uyghurs, Tibetans, and other ethnic and religious minority groups in China.”

Since 2019, RedAlpha registering and weaponizing hundreds of domains that were spoofing organizations such as the International Federation for Human Rights (FIDH), Amnesty International, the Mercator Institute for China Studies (MERICS), Radio Free Asia (RFA), the American Institute in Taiwan (AIT), and other global government, think tank, and humanitarian organizations.

Experts also noticed that the attackers used domains spoofing major email and storage service providers like Yahoo (135 typosquat domains), Google (91 typosquat domains), and Microsoft (70 typosquat domains). The domains some cases were hosting fake login pages for popular email providers such as Outlook and Zimbra.

The attackers sent out phishing messages leading victims to phishing pages posing as legitimate email login portals. Experts believe attackers target individuals affiliated with the above organizations rather than imitating these organizations to target other third parties.

The attack vector is phishing emails containing PDF files that embed malicious links that point to the phishing login pages.

“RedAlpha’s activity has expanded over the past several years to include credential-phishing campaigns spoofing ministries of foreign affairs in multiple countries.” continues the report. “We observed phishing pages imitating webmail login portals for Taiwan and Portugal’s MOFAs, as well as multiple domains spoofing Brazil and Vietnam’s MOFAs.”

“Based on these findings and wider activity examined, it is very likely that RedAlpha operators are located within the PRC. Chinese intelligence services’ use of private contractors is also an established trend, with groups such as APT3, APT10, RedBravo (APT31), and APT40 all identified as contractors working for China’s Ministry of State Security (MSS) (1,2,3,4).” concludes the report. “In the case of RedAlpha, the group’s targeting closely aligns with the strategic interests of the Chinese government, such as the observed emphasis on China-focused think tanks, civil society organizations, and Taiwanese government and political entities.”

Follow me on Twitter: @securityaffairs and Facebook

[adrotate banner=”9″]

[adrotate banner=”12″]

Pierluigi Paganini

(SecurityAffairs – hacking, RedAlpha)

[adrotate banner=”5″]

[adrotate banner=”13″]