RedAlpha Conducts Multi-Year Credential Theft Campaign Targeting Global Humanitarian, Think Tank, and Government Organizations
Editor’s Note: The following post is an excerpt of a full report. To read the entire analysis, click here to download the report as a PDF.
This report details multiple campaigns conducted by the likely Chinese state-sponsored threat activity group RedAlpha. The activity was identified through a combination of large-scale automated network traffic analytics and expert analysis. Data sources include the Recorded Future® Platform, SecurityTrails, PolySwarm, DomainTools Iris, urlscan, and common open-source tools and techniques. It will be of most interest to individuals and organizations with strategic and operational intelligence requirements relating to Chinese cyber threat activity, as well as global humanitarian, think tank, and government organizations. Prior to the publication of this report, Recorded Future notified all affected organizations of the identified activity to support incident response and remediation investigations.
In parallel with regular reporting from humanitarian and media organizations regarding human rights abuses orchestrated by the Chinese Communist Party (CCP), Recorded Future regularly observes Chinese state-sponsored cyber-espionage and surveillance campaigns likely intended to facilitate intelligence collection used in support of such abuses. Among these, we continue to track activity we attribute to the likely Chinese state-sponsored threat activity group RedAlpha (Deepcliff, Red Dev 3), as we previously reported in June 2018. Since this time, we have continued to observe the group engaging in mass credential theft activity primarily targeting humanitarian, think tank, and government organizations globally.
Over the past 3 years, we have observed RedAlpha registering and weaponizing hundreds of domains spoofing organizations such as the International Federation for Human Rights (FIDH), Amnesty International, the Mercator Institute for China Studies (MERICS), Radio Free Asia (RFA), the American Institute in Taiwan (AIT), and other global government, think tank, and humanitarian organizations that fall within the strategic interests of the Chinese government. Historically, the group has also engaged in direct targeting of ethnic and religious minorities, including individuals and organizations within Tibetan and Uyghur communities. As highlighted within this report, in recent years RedAlpha has also displayed a particular interest in spoofing political, government, and think tank organizations in Taiwan, likely in an effort to gather political intelligence.
- RedAlpha is likely attributable to contractors conducting cyber-espionage activity on behalf of the Chinese state. This assessment is based on the group’s consistent targeting in line with the strategic interests of the CCP, historical links to personas and a private company situated in the People’s Republic of China (PRC), and the wider regularly documented use of private contractors by Chinese intelligence agencies.
- In this activity, RedAlpha very likely sought to gain access to email accounts and other online communications of targeted individuals and organizations.
- RedAlpha’s humanitarian and human rights-linked targeting and spoofing of organizations such as Amnesty International and FIDH is particularly concerning given the CCP’s reported human rights abuses in relation to Uyghurs, Tibetans, and other ethnic and religious minority groups in China.
Although it has been controlling large amounts of operational infrastructure and maintaining a high operational tempo since at least 2015, there has been minimal public reporting on RedAlpha activity over the past several years. First identified by CitizenLab in 2018, the group was observed conducting credential-phishing operations targeting the Tibetan community and other ethnic minorities, as well as social movements, a media group, and government agencies in South and Southeast Asia. In June 2018, we published activity linked to 2 RedAlpha campaigns that also targeted the Tibetan community to ultimately deploy the open-source malware family NjRAT. These 2 campaigns overlapped with the CitizenLab reporting based on matching WHOIS registrant data, common targeting of the Tibetan community, and hosting overlaps. RedAlpha activity explored in this report is also referenced in PWC’s 2021 year in review, in which they track the group under the name Red Dev 3.
Historical RedAlpha activity targeted multiple ethnic and religious minority communities that have been persecuted within China, including Tibetans, Uyghurs, and Falun Gong supporters. More generally, organizations and individuals associated with ethnic and religious minorities within the PRC, particularly those within the so-called “Five Poisons”, have been a frequent target for cyber threat activity groups linked to Chinese intelligence agencies over many years. This has included RedDelta (Mustang Panda, TA416) targeting the Vatican and organizations linked to Tibetan and Hong Kong Catholic communities; Chinese Ministry of State Security (MSS) contractors targeting emails belonging to Chinese Christian religious figures; APT41 (Barium) conducting reconnaissance on activists and other individuals associated with Hong Kong’s pro-democracy movement; and the use of zero-day vulnerabilities to target members of the Uyghur community.
Over the past 3 years, Recorded Future has observed RedAlpha continuing to conduct credential-phishing activity using large clusters of operational infrastructure to support campaigns. Over this period, the group displayed a consistent set of tactics, techniques, and procedures (TTPs). In late 2019 and early 2020, the group likely shifted away from older infrastructure TTPs exhibited in public reporting, such as the registration of domains through GoDaddy and hosting on Choopa (Vultr) and Forewin Telecom infrastructure, and toward those described in the following section.
RedAlpha Infrastructure Tactics, Techniques, and Procedures
Since at least 2015, RedAlpha has consistently registered and weaponized large amounts of domains for use in credential-theft campaigns. These domains typically imitate well-known email service providers and spoof specific organizations that are either directly targeted in RedAlpha activity or that can be used to impersonate those organizations in activity targeting proximate organizations and individuals. In 2021, we noted a significant uptick in the volume of domains registered by the group, totaling over 350. Over this period, the group’s infrastructure TTPs were characterized by the following criteria that allowed us to cluster this activity together:
- Use of *resellerclub[.]com nameservers
- Use of the virtual private server (VPS) hosting provider Virtual Machine Solutions LLC (VirMach)
- Consistent domain naming conventions, such as the use of “mydrive-”, “accounts-”, “mail-”, “drive-”, and “files-” strings across hundreds of domains
- Overlapping WHOIS registrant names, email addresses, phone numbers, and organizations
- The use of specific server-side technology components and fake HTTP 404 Not Found errors
Outside of generic spoofing of major email and storage service providers like Yahoo (135 typosquat domains), Google (91 typosquat domains), and Microsoft (70 typosquat domains), we observed the use of large numbers of domains typosquatting humanitarian, think tank, and government organizations including:
- Radio Free Asia
- Mercator Institute for China Studies
- Amnesty International
- International Federation for Human Rights
- American Chamber of Commerce (including AmCham Taiwan)
- Purdue University
- India’s National Informatics Centre
- Taiwan’s Democratic Progressive Party
- American Institute in Taiwan
- Ministries of foreign affairs in multiple countries globally
In many cases highlighted over the following sections, observed phishing pages mirrored legitimate email login portals for the specific organizations named above. We suspect that this means they were intended to target individuals directly affiliated with these organizations rather than simply imitating these organizations to target other third parties. In other cases, the phishing pages used generic login pages for popular mail providers and the intended targeting was ambiguous. The group has used basic PDF files containing links to the identified phishing sites, typically stating that a user needs to click the link to preview or download files.
Targeting of Humanitarian Organizations and Think Tanks
As noted, RedAlpha has regularly registered domains imitating humanitarian organizations and think tanks, including MERICS, FIDH, Amnesty International, RFA, and multiple Taiwanese think tanks. Of particular note, the registration of at least 16 domains spoofing MERICS from early to mid-2021 coincided with the Chinese Ministry of Foreign Affairs (MOFA) imposing sanctions on the Berlin-based think tank in March 2021.
RedAlpha’s Consistent Focus on Taiwan
Over the past 3 years, we observed RedAlpha consistently register domains spoofing Taiwanese or Taiwan-based government, think tank, and political organizations. Notably, this included the registration of multiple domains imitating the AIT, the de facto embassy of the United States of America in Taiwan, during a time of increasing US-China tension regarding Taiwan over the past year. Similar to wider activity, these domains were used in credential-phishing activity using fake login pages for popular email providers such as Outlook, as well as emulating other email software such as Zimbra used by these particular organizations (see Figure 6). A sample list of typosquat domains seen spoofing Taiwanese organizations is included in Table 1.
RedAlpha’s Targeting of Ministries of Foreign Affairs and Embassies
As noted in PWC’s 2021 year-in-review report, RedAlpha’s activity has expanded over the past several years to include credential-phishing campaigns spoofing ministries of foreign affairs in multiple countries. We observed phishing pages imitating webmail login portals for Taiwan and Portugal’s MOFAs (see Figures 7 and 8), as well as multiple domains spoofing Brazil and Vietnam’s MOFAs. The previous section also highlighted consistent use of domains imitating the AIT. The group has also consistently spoofed login pages for India’s National Informatics Centre (NIC), which manages wider IT infrastructure and services for the Indian government.
Editor’s Note: This post is an excerpt of a full report. To read the entire analysis, click here to download the report as a PDF.