A Chinese state-sponsored threat activity group named RedAlpha has been attributed to a multi-year mass credential theft campaign aimed at global humanitarian, think tank, and government organizations.
“In this activity, RedAlpha very likely sought to gain access to email accounts and other online communications of targeted individuals and organizations,” Recorded Future disclosed in a new report.
A lesser-known threat actor, RedAlpha was first documented by Citizen Lab in January 2018 and has a history of conducting cyber espionage and surveillance operations directed against the Tibetan community, some in India, to facilitate intelligence collection through the deployment of the NjRAT backdoor.
“The campaigns […] combine light reconnaissance, selective targeting, and diverse malicious tooling,” Recorded Future noted at the time.
Since then, malicious activities undertaken by the group have involved weaponizing as many as 350 domains that spoof legitimate entities like the International Federation for Human Rights (FIDH), Amnesty International, the Mercator Institute for China Studies (MERICS), Radio Free Asia (RFA), and the American Institute in Taiwan (AIT), among others.
The adversary’s consistent targeting of think tanks and humanitarian organizations over the past three years falls in line with the strategic interests of the Chinese government, the report added.
The impersonated domains, which also include legitimate email and storage service providers like Yahoo!, Google, and Microsoft, are subsequently used to target proximate organizations and individuals to facilitate credential theft.
Attack chains start with phishing emails containing PDF files that embed malicious links to redirect users to rogue landing pages that mirror the email login portals for the targeted organizations.
“This means they were intended to target individuals directly affiliated with these organizations rather than simply imitating these organizations to target other third parties,” the researchers noted.
Alternatively, the domains used in the credential-phishing activity have been found hosting generic login pages for popular email providers such as Outlook, alongside emulating other email software such as Zimbra used by these specific organizations.
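The attack chain described above rests on lookalike domains: hostnames that carry a targeted organization's brand, or sit one character away from its real domain, and serve a cloned login portal. The following Python script is an added defensive example, not code from the Recorded Future report, showing how a defender can screen observed hostnames (from proxy or DNS logs, or links extracted from inbound PDFs) against a watchlist of legitimate domains. The watchlist domains are assumed from general knowledge and should be replaced with the defender's own verified asset list; the observed hostnames are constructed samples, not indicators from the report; and the short suffix table stands in for a real Public Suffix List lookup.

```python
"""Screen observed hostnames for lookalikes of watchlisted legitimate domains.

Added example for illustration. All observed hostnames below are constructed
placeholders, not indicators from the report.
"""
from __future__ import annotations

import re

# Two-label public suffixes this toy parser recognises. Assumption: a real
# deployment would consult the Public Suffix List instead of this short set.
MULTI_LABEL_SUFFIXES = {"org.tw", "com.tw", "gov.tw", "co.uk", "com.br", "gov.in"}

# Legitimate domains to protect (assumed; replace with your own verified list).
WATCHLIST = {
    "fidh.org": "FIDH",
    "amnesty.org": "Amnesty International",
    "merics.org": "MERICS",
    "rfa.org": "Radio Free Asia",
    "ait.org.tw": "AIT",
    "outlook.com": "Microsoft Outlook",
}

# Visually confusable characters and digraphs commonly swapped in lookalikes.
HOMOGLYPHS = [("rn", "m"), ("vv", "w"), ("0", "o"), ("1", "l"), ("3", "e"), ("5", "s")]

# Constructed sample input: hostnames as a log pipeline might surface them.
OBSERVED_HOSTS = [
    "mail.amnesty.org",                        # legitimate subdomain
    "https://amnesty-login.example.net/owa",   # brand token on an unrelated domain
    "amnestyy.org",                            # one edit from the real domain
    "rnerics.org",                             # 'rn' digraph impersonating 'm'
    "mer1cs.org",                              # digit substituted for a letter
    "ait.org.tw",                              # legitimate
    "ait-org.tw",                              # suffix folded into the label
    "outlook-webaccess.example.org",           # generic webmail lure
    "login.evil-example.com",                  # unrelated, should not be flagged
]


def normalize(label: str) -> str:
    """Lowercase a label and fold confusable characters onto their ASCII targets."""
    out = label.lower()
    for src, dst in HOMOGLYPHS:
        out = out.replace(src, dst)
    return out


def split_host(host: str) -> tuple[list[str], str, str]:
    """Return (subdomain labels, second-level label, public suffix) for a URL or hostname."""
    host = re.sub(r"^[a-z]+://", "", host.strip().lower()).split("/")[0].rstrip(".")
    labels = host.split(".")
    suffix_len = 2 if ".".join(labels[-2:]) in MULTI_LABEL_SUFFIXES else 1
    if len(labels) <= suffix_len:
        return [], "", ".".join(labels)
    return labels[:-suffix_len - 1], labels[-suffix_len - 1], ".".join(labels[-suffix_len:])


def levenshtein(a: str, b: str) -> int:
    """Standard dynamic-programming edit distance between two strings."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify(host: str) -> tuple[str, str] | None:
    """Return (brand, reason) when host resembles a watchlisted brand, else None."""
    subs, sld, suffix = split_host(host)
    registrable = f"{sld}.{suffix}" if sld else suffix
    if registrable in WATCHLIST:
        return None  # the real domain or one of its own subdomains
    norm_sld = normalize(sld)
    # Hyphen-separated, homoglyph-folded tokens of every label, so that
    # "amnesty-login" yields "amnesty" and "rnerics" yields "merics".
    tokens = {normalize(t) for label in subs + [sld] for t in label.split("-") if t}
    for legit, brand in WATCHLIST.items():
        _, legit_sld, _ = split_host(legit)
        if legit_sld in tokens:
            return brand, f"label normalizes to brand '{legit_sld}'"
        # Edit-distance rule only for brands long enough to avoid chance matches.
        if len(legit_sld) >= 4 and levenshtein(norm_sld, legit_sld) <= 1:
            return brand, f"edit distance 1 from '{legit_sld}'"
    return None


def scan(hosts: list[str]) -> list[tuple[str, str, str]]:
    """Return (host, brand, reason) for every host that classify() flags."""
    return [(h, *hit) for h in hosts if (hit := classify(h)) is not None]


if __name__ == "__main__":
    for host, brand, reason in scan(OBSERVED_HOSTS):
        print(f"{host:40} -> {brand}: {reason}")
```

Two design points matter in practice: the real registrable domain and its subdomains are excluded before any similarity test, so the screen never flags the organization's own infrastructure, and the edit-distance rule is skipped for very short brand labels, where a one-character tolerance would match far too many unrelated names. Hits from a screen like this are leads for review (WHOIS age, certificate issuance, whether the page clones a login form), not verdicts.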
In a further sign of the campaign’s evolution, the group has also impersonated login pages associated with the ministries of foreign affairs of Taiwan, Portugal, Brazil, and Vietnam, as well as India’s National Informatics Centre (NIC), which manages IT infrastructure and services for the Indian government.
The RedAlpha cluster further appears to be connected to a Chinese information security company known as Jiangsu Cimer Information Security Technology Co. Ltd. (formerly Nanjing Qinglan Information Technology Co., Ltd.), underscoring the continued use of private contractors by intelligence agencies in the country.
“[The targeting of think tanks, civil society organizations, and Taiwanese government and political entities], coupled with the identification of likely China-based operators, indicates a likely Chinese state-nexus to RedAlpha activity,” the researchers said.