A Chinese government-backed hacking group has been targeting politicians and human rights groups for three years, according to a new report. RedAlpha carried out espionage, theft and surveillance activities while its agents lurked “quietly” inside the affected systems, according to the study.
The report by cybersecurity firm Recorded Future found several instances of RedAlpha registering and weaponizing hundreds of domains, and in most cases this involved spoofing organizations working in areas deemed to be “strategic interests of the Chinese government”.
These included the International Federation for Human Rights (FIDH), Amnesty International, the Mercator Institute for China Studies (MERICS), Radio Free Asia (RFA) and the American Institute in Taiwan (AIT), as well as other governments, think tanks and humanitarian organizations around the world.
The report also contains evidence that RedAlpha has spoofed the domain names of political, government and think tank organizations operating in Taiwan, which Recorded Future says is done to gather political intelligence for the Chinese government. This is based on the fact that the target list discovered during the research is “consistently in line with the interests of the Chinese Communist Party”. Tensions around Taiwan – which China has long sought to rein in – have escalated in recent weeks, following a visit to the country by US House of Representatives Speaker Nancy Pelosi.
“In this activity, RedAlpha most likely sought to gain access to the email accounts and other online communications of targeted individuals and organizations,” the Recorded Future report said. “The targeting and spoofing of humanitarian and human rights-related organizations such as Amnesty International and FIDH by RedAlpha is of particular concern given the human rights abuses reported by the CCP towards Uyghurs, Tibetans and other minority ethnic and religious groups in China.”
A spokesman for the Chinese government quoted by MIT Technology Review said the country opposes all cyberattacks, adding that it would “never encourage, support or connive” in them.
Chinese hackers ‘are not looking for glory’
Shelly Kramer, principal analyst and founding partner of Futurum Research, says such attacks are not new but remain deeply worrying. “Chinese hackers are known for their stealth, and that’s because they’re not looking for glory,” she says. This sets them apart from ransomware gangs and other hacking groups, which are often quick to publicize their activities and taunt victims on social media.
Kramer continues, “Chinese hackers [carry out] highly targeted attacks, [are] incredibly patient, and they want access for as long as they can remain unknown.” She adds that they are known to pay close attention to published vulnerabilities, search for unpatched systems, and very commonly exploit vulnerabilities in Microsoft Office and other widely used platforms.
In most cases these attacks come through emails and phishing attempts, prompting Kramer to say that organizations and individuals need to be careful with attachments, but the group also works by spoofing domains for use in credential theft campaigns.
Often they will imitate a well-known email service provider and spoof specific organizations during the campaign. There was a significant increase in the volume of domains registered by the group last year, according to the report, to around 350 domain names.
These included 135 domain names resembling Yahoo Mail, 91 Google-like domains and 70 related to Microsoft email services. Apart from email, there were also a large number of domains related to humanitarian organizations, think tanks and governments.
They then created phishing pages that mirrored legitimate email login portals for the specific organizations targeted or impersonated. “We suspect this means they were intended to target individuals directly affiliated with these organizations rather than simply mimicking these organizations to target other third parties,” the report’s authors claim.
“In other cases, the phishing pages used generic login pages for popular email providers and the intended targeting was ambiguous.” The group also used basic PDFs containing links to the identified phishing sites, which typically require the user to click the link to preview or download files.
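A defender-side illustration of the look-alike domain pattern described above, added here as an example and not part of Recorded Future's report or tooling: a small Python triage that flags newly registered domains resembling the spoofed email providers and organizations named in the article (TLD swaps, digit homoglyphs, embedded brand names and single-character typos). The brand list, the homoglyph map and the sample domain feed are constructed for the example.

```python
# Heuristic look-alike domain triage (example code, not Recorded Future's).
# Brands, homoglyph map and sample domains below are constructed for this example.
PROTECTED = {               # brand label -> official domain
    "yahoo": "yahoo.com", "google": "google.com", "gmail": "gmail.com",
    "microsoft": "microsoft.com", "outlook": "outlook.com",
    "amnesty": "amnesty.org", "fidh": "fidh.org", "merics": "merics.org",
}
HOMOGLYPHS = str.maketrans("01345", "oleas")   # digits commonly swapped for letters

def edit_distance(a, b):
    """Damerau-Levenshtein (optimal string alignment) distance between a and b."""
    d = [[0] * (len(b) + 1) for _ in range(len(a) + 1)]
    for i in range(len(a) + 1):
        d[i][0] = i
    for j in range(len(b) + 1):
        d[0][j] = j
    for i in range(1, len(a) + 1):
        for j in range(1, len(b) + 1):
            cost = 0 if a[i - 1] == b[j - 1] else 1
            d[i][j] = min(d[i - 1][j] + 1, d[i][j - 1] + 1, d[i - 1][j - 1] + cost)
            if i > 1 and j > 1 and a[i - 1] == b[j - 2] and a[i - 2] == b[j - 1]:
                d[i][j] = min(d[i][j], d[i - 2][j - 2] + 1)   # adjacent transposition
    return d[len(a)][len(b)]

def normalize_label(domain):
    """Second-level label, lower-cased, hyphens dropped, digit homoglyphs undone."""
    parts = domain.lower().rstrip(".").split(".")
    label = parts[-2] if len(parts) >= 2 else parts[0]
    return label.replace("-", "").translate(HOMOGLYPHS)

def classify(domain):
    """Return (brand, reason) for a suspected look-alike, or None when the domain is
    an official domain (or a subdomain of one) or resembles no protected brand.
    Output is a candidate for analyst review, not a verdict."""
    d = domain.lower().rstrip(".")
    if any(d == off or d.endswith("." + off) for off in PROTECTED.values()):
        return None
    label = normalize_label(d)
    for brand in PROTECTED:
        if label == brand:
            return (brand, "mimic")        # same label, other TLD or homoglyphs
        if len(brand) >= 4 and brand in label:
            return (brand, "embedded")     # e.g. accounts-google-login.net
        if len(brand) >= 5 and edit_distance(label, brand) == 1:
            return (brand, "typo")         # one edit away, e.g. gmial.com
    return None

# Constructed sample of newly registered domains, as a registrar feed might show them.
SAMPLE = ["mail.yahoo.com", "yah00-mail.com", "accounts-google-login.net",
          "gmial.com", "micros0ft.net", "amnesty-intl.org", "example.org"]

def triage(domains):
    """Map each suspicious domain in the feed to its (brand, reason) hit."""
    return {dom: classify(dom) for dom in domains if classify(dom)}
```

Run against a real feed (certificate transparency logs or a registrar's new-domain list), the hits are what a blocklist or a takedown request would start from.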
State-backed cybercriminals an ongoing problem for businesses
Kramer says hacks are happening and much of the data collected by hacking groups is then made available to be purchased on the dark web. In one example cited by Recorded Future, a major leak of 3.2 billion passwords contained 1.5 million records related to US government email services.
“It’s a big problem that’s not going away,” she said. “Unfortunately, many targeted organizations, especially government institutions, do not always have the most up-to-date cybersecurity protections and their IT teams may or may not use state-of-the-art threat detection solutions.
“Equally important, data from IBM shows that it typically takes companies almost a year before they know they’ve been attacked and ultimately learn how to contain it.”
Kramer says a survey conducted by Futurum found that organizations are operating without using security dashboards or having full-time, 24-hour security protocols in place. “Which is ironic and, not surprisingly, those who operate without these protections in place believe that their organization has not been breached, while those who operate with these protections in place know full well that cyberattacks happen daily – because they can see and warn of them,” she said.
When it comes to security, the reality is that the human element is the weakest and easiest for hackers to compromise, adds Kramer. “Credential theft, insider threats, email/SMS scams, social engineering – all designed to trick humans into clicking a link, downloading something, sharing something – and they work,” she said. “That is why zero trust, confidential computing and other solutions are, and should be, a priority for organizations today. The threat will by no means diminish.”