
Researchers Link Multi-Year Mass Credential Theft Campaign to Chinese Hackers

A Chinese state-sponsored threat activity group named
RedAlpha has been attributed to a multi-year mass credential
theft campaign aimed at global humanitarian, think tank, and
government organizations.

“In this activity, RedAlpha very likely sought to gain access to
email accounts and other online communications of targeted
individuals and organizations,” Recorded Future disclosed[1]
in a new report.

A lesser-known threat actor, RedAlpha was first documented[2]
by Citizen Lab in January 2018 and has a history of conducting
cyber espionage and surveillance operations directed against the
Tibetan community, including members based in India, to facilitate
intelligence collection by deploying the NjRAT backdoor[3].

“The campaigns […] combine light reconnaissance, selective
targeting, and diverse malicious tooling,” Recorded Future noted[4]
at the time.

Since then, malicious activities undertaken by the group have
involved weaponizing as many as 350 domains that spoof legitimate
entities like the International Federation for Human Rights (FIDH),
Amnesty International, the Mercator Institute for China Studies
(MERICS), Radio Free Asia (RFA), and the American Institute in
Taiwan (AIT), among others.

The adversary’s consistent targeting of think tanks and
humanitarian organizations over the past three years falls in line
with the strategic interests of the Chinese government, the report
added.

The impersonated domains, which also include legitimate email
and storage service providers like Yahoo!, Google, and Microsoft,
are subsequently used to target proximate organizations and
individuals to facilitate credential theft.

Attack chains start with phishing emails containing PDF files
that embed malicious links to redirect users to rogue landing pages
that mirror the email login portals for the targeted
organizations.

“This means they were intended to target individuals directly
affiliated with these organizations rather than simply imitating
these organizations to target other third parties,” the researchers
noted.

Alternatively, the domains used in the credential-phishing
activity have been found hosting generic login pages for popular
email providers such as Outlook, alongside emulating other email
software such as Zimbra used by these specific organizations.

In a sign of the campaign’s evolution, the group has also
impersonated login pages associated with Taiwan, Portugal, Brazil,
and Vietnam’s ministries of foreign affairs as well as India’s
National Informatics Centre (NIC[5]), which manages IT
infrastructure and services for the Indian government.

The RedAlpha cluster further appears to be connected to a
Chinese information security company known as Jiangsu Cimer
Information Security Technology Co. Ltd. (formerly Nanjing Qinglan
Information Technology Co., Ltd.), underscoring the continued use
of private contractors by intelligence[6] agencies[7] in the country.

“[The targeting of think tanks, civil society organizations, and
Taiwanese government and political entities], coupled with the
identification of likely China-based operators, indicates a likely
Chinese state-nexus to RedAlpha activity,” the researchers
said.

References

  1. disclosed (www.recordedfuture.com)
  2. documented (citizenlab.ca)
  3. NjRAT backdoor (malpedia.caad.fkie.fraunhofer.de)
  4. noted (go.recordedfuture.com)
  5. NIC (en.wikipedia.org)
  6. intelligence (thehackernews.com)
  7. agencies (www.justice.gov)
