Research (Insikt)

Back Despite Disruption: RedDelta Resumes Operations

Posted: 15th September 2020
By: Insikt Group®
Back Despite Disruption: RedDelta Resumes Operations

insikt-group-logo-updated-3.png

Insikt Group® researchers used proprietary Recorded Future Network Traffic Analysis and RAT controller detections, along with common analytical techniques, to continue tracking the activity of the suspected Chinese state-sponsored threat activity group RedDelta.

_Data sources include the Recorded Future® Platform, Farsight Security’s DNSDB, SecurityTrails, VirusTotal, Shodan, BinaryEdge, and common OSINT techniques. _

This report will be of greatest interest to network defenders in the private sector, public sector, and non-governmental organizations with a presence in Asia, as well as those interested in Chinese geopolitics.

Executive Summary

In the interim two-month period since previous Insikt Group reporting, RedDelta has largely remained unperturbed by the extensive public reporting on its targeting of the Vatican and other Catholic organizations. Despite taking basic operational security measures through changing the resolution status of command and control (C2) domains in the immediate aftermath of this reporting, the group’s tactics, techniques, and procedures (TTPs) remained consistent. RedDelta’s persistence is exemplified through resuming its targeting of both the Vatican and the Catholic Diocese of Hong Kong mail servers within two weeks of the report publication. More widely, there has been new activity that we attribute to the group in the form of PlugX samples featuring decoy documents themed around Catholicism, Tibet-Ladakh relations, and the United Nations General Assembly Security Council, as well as additional network intrusion activity targeting Myanmar government systems and two Hong Kong universities.

Key Judgments

  • RedDelta continues to operate in line with Chinese strategic priorities. This is further exemplified by the group’s continued targeting of the Vatican and Hong Kong Catholic Diocese, and the use of targeted decoy documents centered on topical geopolitical issues of concern to the People’s Republic of China (PRC), such as Catholicism within China and Tibet-Ladakh relations, in a manner consistent with cyberespionage operations.
  • The group’s reuse of publicly reported infrastructure and TTPs is likely indicative of a group experiencing operational success and highlights a pragmatic approach to operational security, with RedDelta willing to continue to use publicly known infrastructure as long as access is maintained.

Background

On July 28, 2020, Insikt Group published research identifying that the Vatican and the Catholic Diocese of Hong Kong were among several Catholic Church-related organizations targeted by the suspected Chinese-state sponsored threat activity group RedDelta. This series of suspected network intrusions also targeted the Hong Kong Study Mission to China and The Pontifical Institute for Foreign Missions (PIME), Italy. Insikt Group assessed that the targeting of entities related to the Catholic church is likely indicative of Communist Party of China (CCP) objectives in consolidating control over the “underground” Catholic church, “sinicizing religions” in China, and diminishing the perceived influence of the Vatican within China’s Catholic community.

In addition to the targeting of entities related to the Catholic Church, Insikt Group also identified network intrusions impacting law enforcement and government entities in India, a government organization in Indonesia, and other unidentified targets across Myanmar, Hong Kong, and Australia. In this activity the group used multiple malware variants, including a customized PlugX variant referred to as “RedDelta PlugX,” Cobalt Strike Beacon, and Poison Ivy.

Threat Analysis

RedDelta Cleaning Up Post-Publication

Following the publication of the original RedDelta report on July 28, 2020, the group took a number of evasive steps related to the infrastructure used in the intrusions, including changing IP resolutions across several of the identified command and control (C2) domains. For example, less than one day after publication of the RedDelta research, all of the C2 subdomains identified within the “Poison Ivy/Cobalt Strike” cluster stopped resolving.

reddelta-cyber-threat-operations-2-1.png.jpg Table 1: “Poison Ivy Cluster” domains that stopped resolving the day after report publication.

Additionally, the hosting IP for the PlugX C2 domain cabsecnow[.]com was switched from 167.88.180[.]32 to 103.85.24[.]149 on August 3, 2020. However, this was not the case for all of the identified infrastructure. Many of the PlugX C2 servers remained live and continued to be used across several of the intrusions identified within the initial report. This contrast highlights the group’s willingness to continue to use publicly known infrastructure as long as access is maintained.

RedDelta Resumes Its Targeting of the Vatican and Hong Kong Catholic Diocese

reddelta-cyber-threat-operations-3-1.png Figure 1: Network traffic between Catholic Diocese of Hong Kong and RedDelta C2 infrastructure.

In analyzing communications between targeted organizations and RedDelta C2 infrastructure using Recorded Future Network Traffic Analysis, we identified that the network communications between Catholic church organizations ceased in the immediate aftermath of the report publication. However, this was short-lived, and within 10 days, the group returned to its targeting of the Hong Kong Catholic Diocese mail server, and within 14 days, a Vatican mail server. This is indicative of RedDelta’s persistence in maintaining access to these environments for gathering intelligence, in addition to the group’s aforementioned high risk tolerance.

On September 10, 2020, China's Foreign Ministry announced that the 2018 PRC-Holy See deal had been “implemented successfully”, with a renewal of the deal expected to be announced in the coming weeks. The timing of this announcement was preceded by RedDelta activity targeting the Vatican network dying down one week prior, and follows a Rome visit in late August from Chinese foreign minister Wang Yi, suggesting that the group’s intelligence tasking requirement may have been achieved or no longer required. In the interim period since our previous report, it is unclear whether the group was able to successfully regain access to the Vatican network. However, the attempts to do so, followed by the emergence of new RedDelta Catholic church-themed lure documents, again highlight the CCP's focus on gaining increased oversight of the Catholic community within China.

reddelta-cyber-threat-operations-12-1.png Figure 2: Timeline of Recent RedDelta activity. (Source: Recorded Future)

Further Targeting in Line With Chinese Strategic Interests

RedDelta continues to target organizations aligned with China’s strategic and geopolitical interests. In previous reporting, we linked a series of network intrusions and phishing attempts targeting several Catholic church organizations to the group, which took place in advance of talks between the two states ahead of the anticipated renewal of the 2018 China-Holy See deal. In the interim period, the group has used additional lures referencing Catholics within China, Tibet-Ladakh relations, and the United Nations General Assembly Security Council to attempt to load PlugX on target machines.

reddelta-cyber-threat-operations-4-1.png Figure 3: “History of Tibet-Ladakh Relations and Their Modern Implications” PlugX decoy document.

The first sample is loaded in a similar manner as the samples described within the previous RedDelta report. The first-stage DLL side-loading phase again uses a legitimate Microsoft Word executable to side-load a first-stage DLL loader, with both files initially stored inside a zip file. On this occasion, the zip file appears to have been stored on Google Drive, with the user likely directed to download it via a spearphishing link. Following the first DLL side-loading phase, an encrypted PlugX DAT payload is retrieved from http://103.85.24[.]161/8.dat.

reddelta-cyber-threat-operations-5-1.jpg Table 2: Contents of “History of Tibet-Ladakh Relations and Their Modern Implications.zip” for first stage DLL side-loading.

Unlike previously identified RedDelta PlugX samples, this one uses a legitimate Avast Proxy executable for the second DLL side-loading phase rather than the legitimate Adobe executable used in previously analyzed samples. When loaded into memory, the PlugX payload uses www.systeminfor[.]com for command and control — the same domain used across the Catholic church-themed PlugX samples. Across all four newly analyzed samples, the first stage DLL loader files share an identical, uncommon import hash and rich header with previously observed first stage RedDelta PlugX DLLs. The loaded PlugX payload also matches the custom RedDelta PlugX variant previously described, using RC4 encryption for C2 communications with the same hardcoded RC4 passphrase and configuration block decoding function.

In this sample, the user is shown a decoy document titled “History of Tibet-Ladakh Relations and Their Modern Implications,” as shown in Figure 3. Although the specific targeting of this sample is unclear, the inclusion of the reference to Ladakh is particularly interesting given the recent escalation in border tensions between China and India across this region, while Tibet remains a frequent target of Chinese state-sponsored cyberespionage. Similar to several other RedDelta samples, the content of the decoy document is taken from legitimate sources, in this case from a July 2020 article by the Asia-Pacific current affairs news site, The Diplomat.

reddelta-cyber-threat-operations-6-1.png Figure 4: “Advance version of the 2020 Report of the Secretary-General on Peacebuilding and Sustaining Peace” PlugX decoy document snippet.

The second PlugX sample is loaded in an almost identical manner to the Tibet-Ladakh one above, in this case retrieving the encrypted PlugX DAT payload from http://103.85.24[.]158/eeas.dat. The sample uses the same Adobe executable vulnerable to DLL side-loading seen in one of the Catholic church PlugX samples, and uses the Avast Proxy executable seen in the above Tibet-Ladakh sample for the second stage side-loading. On this occasion, the zip file appears to have been stored on Dropbox, and again, was likely delivered through spearphishing containing a malicious link. This PlugX sample again uses www.systeminfor[.]com for command and control.

reddelta-cyber-threat-operations-7-1.jpg Table 3: Contents of “Advance version of the 2020 Report of the Secretary-General on Peacebuilding and Sustaining Peace.zip” for first stage DLL side-loading.

The 18-page decoy document used in this sample (shown in Figure 4) purports to be an advanced unedited copy of the “2020 Report of the Secretary-General on Peacebuilding and Sustaining Peace” authored by the United Nations General Assembly Secretary-General. However, the legitimate report was most likely obtained from the United Nations website and doctored to add the “Advanced Unedited Edition” classification and to change the date. The legitimate report was released on August 4, 2020, ahead of the Seventy-Fifth session of the General Assembly due to take place in October. On its website, the UN states that the paper will be the principal input into the 2020 Review of the UN Peacebuilding Architecture and that the report is being prepared by a core group of UN entities.

While the specific target of this particular sample is unclear, the use of public documents based on topical geopolitical issues as decoys has previously been seen in multiple RedDelta lures. Additionally, the DAT payload filename seen in this sample, titled eeas.dat, is possibly in reference to the European External Action Service (EEAS), the diplomatic service and combined foreign and defence ministry of the European Union. Mustang Panda, a closely overlapping threat activity group, has also previously used a United Nations Security Council-themed lure in historic activity.

reddelta-cyber-threat-operations-8-1.png Figure 5: “How Catholics Adapt to Changes in China: A Missiological Perspective” (Left) and “Catholic Bishops call for urgent Cameroon peace talks” (Right) PlugX decoy document snippets.

The final two RedDelta PlugX samples again closely resemble the others, both retrieving the DAT payload from http://103.85.24[.]158/hk097.dat, before ultimately using quochoice[.]com for command and control. This domain is currently hosted on the 2EZ Network IP 167.88.177[.]179, with all of the newly identified infrastructure following a previously noted trend in favoured hosting providers. One of the samples, titled “How Catholics Adapt to Changes in China: A Missiological Perspective,” is taken from the writings of a Chinese Catholic scholar and focuses on Christianity in China, while the other is taken from a February 2020 article by Independent Catholic News. This again highlights RedDelta’s tasking in gathering intelligence on organizations and individuals associated with the Catholic church.

reddelta-cyber-threat-operations-9-1.jpg Table 4: Contents of “How Catholics Adapt to Changes in China A Missiological Perspective.zip” for first-stage DLL side-loading.

reddelta-cyber-threat-operations-10-1.jpg Table 5: Contents of “Catholic Bishops call for urgent Cameroon peace talks.zip” for first-stage DLL side-loading.

RedDelta in Myanmar and Hong Kong

In our previous RedDelta reporting, we observed a wide range of network communications between IP addresses assigned to Myanmar and Hong Kong telecommunication providers and RedDelta C2 infrastructure. Both Hong Kong and Myanmar have been historical targets of the closely overlapping group Mustang Panda (1,2). In the interim period, we identified PlugX (C2 103.85.24[.]149) network intrusions likely targeting government systems in Myanmar that we attribute to RedDelta. This included a VPN login portal for a Myanmar government electronic document management system. We believe RedDelta conducted this activity from August 4 (and possibly earlier) through at least September 2, 2020. Access to these systems would likely be a valuable intelligence source for accessing electronic documents stored on the system.

In addition to this new victim within Myanmar, we identified additional PlugX (C2 85.209.43[.]21 network intrusions likely targeting two Hong Kong universities. This IP address currently hosts the domain ipsoftwarelabs[.]com, which was previously noted within reporting on activity targeting Hong Kong using an older PlugX variant. While metadata alone does not confirm a compromise, we believe that both the high volume and repeated communications from hosts within these targeted organizations to these C2s are sufficient to indicate a likely intrusion.

Mitigations

  • Configure your intrusion detection systems (IDS), intrusion prevention systems (IPS), or any network defense mechanisms in place to alert on — and upon review, consider blocking illicit connection attempts from — the external IP addresses and domains listed in Appendix A.
  • Ensure system configuration (including access control) for both internally and externally accessible systems is properly evaluated and that strong passwords are employed on all systems.
  • Practice network segmentation and ensure special protections exist for sensitive information, such as multi-factor authentication and extremely restricted access and storage on systems only accessible via an internal network.
  • Disable basic and legacy authentication where possible, as these can allow attackers to bypass in-place security measures.
  • Keep all software and applications up to date — in particular, operating systems, antivirus software, and core system utilities.
  • Filter email correspondence and scrutinize attachments for malware.
  • Employ host-based controls; one of the best defenses and warning signals to thwart attacks is to conduct client-based host logging and intrusion detection capabilities.
  • Implement basic incident response and detection deployments and controls like network IDS, netflow collection, host logging, and web proxy, alongside human monitoring of detection sources.

Outlook

RedDelta’s reuse of publicly reported infrastructure and TTPs highlights a contrast in risk appetite across Chinese state-sponsored threat activity groups. Whereas some groups remain heavily active despite extensive public reporting (such as APT41 and RedDelta), others drastically change behaviours or reduce activity in response to public reporting, such as APT3. In all cases, the plausible deniability offered by Computer Network Exploitation (CNE) operations leads the PRC to regularly deny any involvement in such activity (1,2), including in the RedDelta case, despite the historical body of evidence.

Given the continued RedDelta activity despite extensive public reporting, we expect the group to continue operating with a high operational tempo with minor tweaks in TTPs. In previous reporting, we highlighted the group’s targeting of entities such as religious organizations and non-governmental organizations (NGOs), which often lack the ability or will to adequately invest in security and detection measures. This likely further fuels the group’s willingness to reuse publicly known infrastructure and TTPs.

Related