Multiple campaigns conducted by the likely Chinese state-sponsored threat activity group RedAlpha

guest · Aug 18, 2022

China-linked RedAlpha behind multi-year credential theft campaign
August 17, 2022

Recorded Future researchers attributed a long-running mass credential theft campaign to a Chinese nation-state actor tracked RedAlpha. The campaign targeted global humanitarian, think tank, and government organizations.

Experts believe RedAlpha is a group of contractors conducting cyber-espionage activity on behalf of China. Recorded Future identified a link between RedAlpha and a Chinese information security company, whose name appears in the registration of multiple RedAlpha domains. The company called “Nanjing Qinglan Information Technology Co., Ltd.” is now known as “Jiangsu Cimer Information Security Technology Co. Ltd.

“In this activity, RedAlpha very likely sought to gain access to email accounts and other online communications of targeted individuals and organizations.” reads the report published by Recorded Future.
Click to expand...

The attack vector is phishing emails containing PDF files that embed malicious links that point to the phishing login pages.

“RedAlpha’s activity has expanded over the past several years to include credential-phishing campaigns spoofing ministries of foreign affairs in multiple countries.” continues the report. “We observed phishing pages imitating webmail login portals for Taiwan and Portugal’s MOFAs, as well as multiple domains spoofing Brazil and Vietnam’s MOFAs.”

“Based on these findings and wider activity examined, it is very likely that RedAlpha operators are located within the PRC. [...] “In the case of RedAlpha, the group’s targeting closely aligns with the strategic interests of the Chinese government, such as the observed emphasis on China-focused think tanks, civil society organizations, and Taiwanese government and political entities.”
Click to expand...

Recorded Future: RedAlpha Conducts Multi-Year Credential Theft Campaign Targeting Global Humanitarian, Think Tank, and Government Organizations

This report details multiple campaigns conducted by the likely Chinese state-sponsored threat activity group RedAlpha. The activity was identified through a combination of large-scale automated network traffic analytics and expert analysis. Data sources include the Recorded Future® Platform, SecurityTrails, PolySwarm, DomainTools Iris, urlscan, and common open-source tools and techniques.

It will be of most interest to individuals and organizations with strategic and operational intelligence requirements relating to Chinese cyber threat activity, as well as global humanitarian, think tank, and government organizations. Prior to the publication of this report, Recorded Future notified all affected organizations of the identified activity to support incident response and remediation investigations.
Click to expand...

Log in or Sign up

Multiple campaigns conducted by the likely Chinese state-sponsored threat activity group RedAlpha

guest Guest

Log in or Sign up

Multiple campaigns conducted by the likely Chinese state-sponsored threat activity group RedAlpha

guest Guest

Useful Searches