Researchers Link Multi-Year Mass Credential Theft Campaign to Chinese Hackers

A Chinese state-sponsored threat activity group named RedAlpha has been attributed to a multi-year mass credential theft campaign aimed at global humanitarian, think tank, and government organizations.

“In this activity, RedAlpha very likely sought to gain access to email accounts and other online communications of targeted individuals and organizations,” Recorded Future disclosed in a new report.

A lesser-known threat actor, RedAlpha was first documented by Citizen Lab in January 2018 and has a history of conducting cyber espionage and surveillance operations directed against the Tibetan community, some in India, to facilitate intelligence collection through the deployment of the NjRAT backdoor.

“The campaigns […] combine light reconnaissance, selective targeting, and diverse malicious tooling,” Recorded Future noted at the time.

Since then, malicious activities undertaken by the group have involved weaponizing as many as 350 domains that spoof legitimate entities like the International Federation for Human Rights (FIDH), Amnesty International, the Mercator Institute for China Studies (MERICS), Radio Free Asia (RFA), and the American Institute in Taiwan (AIT), among others.

The adversary’s consistent targeting of think tanks and humanitarian organizations over the past three years falls in line with the strategic interests of the Chinese government, the report added.

The impersonated domains, which also include legitimate email and storage service providers like Yahoo!, Google, and Microsoft, are subsequently used to target proximate organizations and individuals to facilitate credential theft.

Attack chains start with phishing emails containing PDF files that embed malicious links, which redirect users to rogue landing pages mirroring the email login portals of the targeted organizations.

“This means they were intended to target individuals directly affiliated with these organizations rather than simply imitating these organizations to target other third parties,” the researchers noted.
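The spoofed-domain pattern described above, in which the names of FIDH, Amnesty International, MERICS, RFA, AIT, Yahoo!, Google and Microsoft are reused in attacker-registered domains, is something a defender can triage mechanically before a user ever reaches the landing page. The Python below is an added example, not code from the Recorded Future or Citizen Lab reports. It checks candidate hostnames against an allow-list of the impersonated organizations' canonical domains (assumed here, as are the brand tokens attached to each), flags names that reuse a brand token verbatim, and flags names whose registrable label sits within one edit of a brand, or contains it, after homoglyph normalization. Every hostname in the sample list is constructed for illustration; none is a reported RedAlpha indicator.

```python
"""Triage candidate hostnames against an allow-list of impersonated brands.

Added example; not code from the Recorded Future or Citizen Lab reports.
BRANDS holds assumed canonical domains of the organizations the article
names; SAMPLE_HOSTS is constructed for illustration and contains no
reported RedAlpha indicator.
"""
import re

# Assumed canonical domain -> brand tokens an impersonator would reuse.
# The brand's own second-level label is always included as a token.
BRANDS = {
    "fidh.org": ("fidh",),
    "amnesty.org": ("amnesty",),
    "merics.org": ("merics", "mercator"),
    "rfa.org": ("rfa", "radiofreeasia"),
    "ait.org.tw": ("ait",),
    "yahoo.com": ("yahoo",),
    "google.com": ("google", "gmail"),
    "microsoft.com": ("microsoft", "outlook", "office365"),
}

# Stub standing in for the Public Suffix List; use the real list in production.
MULTI_LABEL_SUFFIXES = {"org.tw", "com.tw", "co.uk", "com.br", "gov.in"}

# Digit-for-letter swaps seen in lookalike names (g00gle, yah0o, 1ive).
HOMOGLYPHS = str.maketrans({"0": "o", "1": "l"})


def registered_domain(host):
    """Registrable part of a hostname: mail.ait.org.tw -> ait.org.tw, a.b.evil.com -> evil.com."""
    labels = host.lower().rstrip(".").split(".")
    if len(labels) >= 3 and ".".join(labels[-2:]) in MULTI_LABEL_SUFFIXES:
        return ".".join(labels[-3:])
    return ".".join(labels[-2:])


def normalize(label):
    """Undo common homoglyph tricks (rnicrosoft, vvindows, g00gle) and drop punctuation."""
    label = label.lower().translate(HOMOGLYPHS).replace("rn", "m").replace("vv", "w")
    return re.sub(r"[^a-z0-9]", "", label)


def levenshtein(a, b):
    """Edit distance; inputs are short, so the O(len(a)*len(b)) table is fine."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify(host):
    """Return (verdict, brand_domain); verdict is 'legitimate', 'brand_in_domain',
    'lookalike' or 'unrelated' (brand_domain is None for 'unrelated')."""
    host = host.lower().rstrip(".")
    reg = registered_domain(host)
    if reg in BRANDS:
        return "legitimate", reg
    # 1. A brand token reused verbatim as a label or hyphen-separated piece
    #    (amnesty-login.com, ait.org.tw.example-cdn.net), or embedded in a
    #    label when it is long enough not to be a common word fragment.
    labels = host.split(".")
    for brand, tokens in BRANDS.items():
        for tok in tokens:
            for lab in labels:
                pieces = re.split(r"[^a-z0-9]+", lab)
                if tok in pieces or (len(tok) >= 5 and tok in lab):
                    return "brand_in_domain", brand
    # 2. After homoglyph normalization, the registrable second-level label
    #    equals a token, is within one edit of a token of five or more
    #    characters, or contains such a token (rnicrosoft.com, yahuo.com,
    #    g00gle-drive.net). Short tokens (ait, rfa, fidh) need an exact match
    #    to keep false positives down.
    sld = normalize(reg.split(".")[0])
    for brand, tokens in BRANDS.items():
        for tok in tokens:
            ntok = normalize(tok)
            budget = 1 if len(ntok) >= 5 else 0
            if levenshtein(sld, ntok) <= budget or (len(ntok) >= 5 and ntok in sld):
                return "lookalike", brand
    return "unrelated", None


# Constructed sample input: none of these is a reported RedAlpha domain.
SAMPLE_HOSTS = [
    "mail.amnesty.org",
    "ait.org.tw",
    "amnesty-login.com",
    "ait.org.tw.example-cdn.net",
    "rnicrosoft.com",
    "g00gle-drive.net",
    "yahuo.com",
    "wait.example.org",
]


def triage(hosts):
    """Map each hostname to its (verdict, brand_domain) pair."""
    return {h: classify(h) for h in hosts}


if __name__ == "__main__":
    for host, (verdict, brand) in triage(SAMPLE_HOSTS).items():
        print(f"{host:30} {verdict:16} {brand or '-'}")
```

Feed it hostnames extracted from URLs in mail-gateway logs or from a newly-registered-domain feed, and review anything that is not `legitimate` or `unrelated`. Two limits worth knowing: the suffix stub should be replaced with the Public Suffix List, and the exact-match rule for short tokens (ait, rfa, fidh) trades recall for precision, so a name like `micosoft-login.com` is missed by the one-edit rule once extra words are appended. The check says nothing about page content, which according to the report mirrored the targets' own login portals; it only narrows which links deserve a look.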

Alternatively, the domains used in the credential-phishing activity have been found hosting generic login pages for popular email providers such as Outlook, as well as pages emulating other email software, such as Zimbra, used by the targeted organizations.

In a further sign of the campaign’s evolution, the group has also impersonated login pages associated with the ministries of foreign affairs of Taiwan, Portugal, Brazil, and Vietnam, as well as India’s National Informatics Centre (NIC), which manages IT infrastructure and services for the Indian government.

The RedAlpha cluster further appears to be connected to a Chinese information security company known as Jiangsu Cimer Information Security Technology Co. Ltd. (formerly Nanjing Qinglan Information Technology Co., Ltd.), underscoring the continued use of private contractors by intelligence agencies in the country.

“[The targeting of think tanks, civil society organizations, and Taiwanese government and political entities], coupled with the identification of likely China-based operators, indicates a likely Chinese state-nexus to RedAlpha activity,” the researchers said.
