A China-linked APT group named RedAlpha is behind a long-running mass credential theft campaign aimed at organizations worldwide.
Recorded Future researchers attributed a long-running mass credential theft campaign to a Chinese nation-state actor tracked RedAlpha. The campaign targeted global humanitarian, think tank, and government organizations.
Experts believe RedAlpha is a group of contractors conducting cyber-espionage activity on behalf of China. Recorded Future identified a link between RedAlpha and a Chinese information security company, whose name appears in the registration of multiple RedAlpha domains. The company called “Nanjing Qinglan Information Technology Co., Ltd.” is now known as “Jiangsu Cimer Information Security Technology Co. Ltd.
“In this activity, RedAlpha very likely sought to gain access to email accounts and other online communications of targeted individuals and organizations.” reads the report published by Recorded Future.
“RedAlpha’s humanitarian and human rights-linked targeting and spoofing of organizations such as Amnesty International and FIDH is particularly concerning given the CCP’s reported human rights abuses in relation to Uyghurs, Tibetans, and other ethnic and religious minority groups in China.”
Since 2019, RedAlpha registering and weaponizing hundreds of domains that were spoofing organizations such as the International Federation for Human Rights (FIDH), Amnesty International, the Mercator Institute for China Studies (MERICS), Radio Free Asia (RFA), the American Institute in Taiwan (AIT), and other global government, think tank, and humanitarian organizations.
Experts also noticed that the attackers used domains spoofing major email and storage service providers like Yahoo (135 typosquat domains), Google (91 typosquat domains), and Microsoft (70 typosquat domains). The domains