The hackers, known as RedAlpha, have targeted organizations such as Amnesty International, the International Federation for Human Rights, Radio Free Asia, the Mercator Institute for China Studies, and other think tanks and government and humanitarian groups around the world. The impact of the hackers remains unclear, but given the length of the campaign, analysts expect the digital espionage to have been broadly successful.
Recorded Future researchers have “high” confidence that RedAlpha is sponsored by the Chinese government, as all of its targets are “within [its] strategic interests,” said Jon Condra, director of the organization’s strategic threats team.
Unsurprisingly, in recent years, the hacking group has been particularly interested in organizations in Taiwan, including the Democratic Progressive Party and the American Institute in Taiwan, the United States’ de facto embassy in the island democracy. The Beijing government claims Taiwan as part of Chinese territory.
RedAlpha has been active since 2015, though it was not publicly identified until 2018, in a Citizen Lab report. It has consistently targeted groups the Chinese Communist Party calls the “five poisons”: Tibetans, Uyghurs, Taiwanese, democracy activists and the Falun Gong. These are all domestic dissidents who, for various reasons, criticize and challenge the Communist Party’s hold on China. They also share international visibility and support.
Citizen Lab’s work first exposed RedAlpha’s campaign against the Tibetan community, government agencies and a media group. In the years since, Recorded Future has identified additional cyber campaigns against Tibetans, and last year a PricewaterhouseCoopers report said the group is expanding its focus to include individuals, vulnerable ethnic groups, community organizations and an increasing number of government agencies.
What’s especially interesting about these new findings is that RedAlpha still works from the same simple and cheap playbook it used years ago. The latest spying was linked to previous campaigns because the group reused many of the same domains, IP addresses, tactics, malware, and even domain registration information that have been publicly identified by cybersecurity experts for years.