A group of analysts and experts observed cyberespionage on military agencies and intelligence by the likely Chinese state-sponsored hacker group RedAlpha. According to the report, the hacker group has been working for about three years to break into the systems of think tank and humanitarian organizations that may be of interest to the Chinese government.
The group targets various government organizations, including the International Federation for Human Rights (FIDH), Amnesty International, the Mercator Institute for China Studies (MERICS), Radio Free Asia (RFA), and the American Institute in Taiwan (AIT), among others.
According to the report, data sources for the analysis included Recorded Future® Platform, SecurityTrails, PolySwarm, DomainTools Iris, urlscan, and standard open-source tools and techniques.
RedAlpha behind the cyberespionage
The hackers are known as ‘RedAlpha’ whom the researchers associated with the Chinese government because the espionage target falls in line with the strategic interests of the Chinese Communist Party (CCP). The researchers found a link between RedAlpha and the Chinese information security company. The stolen information is also suspected of being useful for private companies in the People’s Republic of China (PRC) and Chinese intelligence agencies.
Stolen sensitive information
Information like emails, online communications and other critical information is suspected to be stolen in State-sponsored cyber espionage. Also, the group RedAlpha has been spoofing and registering domains that imitated humanitarian organizations. They spoofed domains of think tanks, including MERICS, FIDH, Amnesty International and RFA, among others. They employed sending PDF files with phishing links that needed to be clicked to see the downloaded files.
Extensive spoofing
The group’s activities against Taiwan in the past three years have led to increased suspicion over the aim of these cyberespionages in the hands of a small hacking group. RedAlpha has also been reported to have spoofed ministries of foreign affairs in several countries, created phishing pages that looked like webmail login portals for Taiwan and Portugal’s Ministry of Foreign Affairs (MOFAs), created domains for spoofing Brazil and Vietnam’s MOFAs and spoofing login pages for India’s National Informatics Centre (NIC).
Hackers registered over 350 domains in 2021
The increasing list of targets of this cyber espionage has also resulted in the loss of critical information of the AIT and the de facto embassy of the United States of America in Taiwan. It is reported that they stole the information by creating fake login pages and email providers such as Outlook. They spoofed email software like Zombra and registered over 350 domains in 2021. Other targets of this cyber espionage were Google, Yahoo, the America Chamber of Commerce and Purdue University.
Researchers ask users to secure networks
In the report, the researchers urged the users to take precautions by using strong passwords, keeping a good eye on their domains for abuse such as typosquat domains spoofing, spreading awareness, training in cybersecurity, protecting emails of high-profile individuals with Gmail’s Advanced Protection Program and configuring the Intrusion Detection Systems (IDS) to detect external connections from unknown IP addresses.
