The hackers, known as RedAlpha, have targeted organizations including Amnesty International, the International Federation for Human Rights, Radio Free Asia, the Mercator Institute for China Studies, and private organizations as well as government and humanitarian groups around the world. The impact of the hackers is still unclear, but judging from the sheer length of the campaign, analysts expect that the digital espionage, broadly speaking, has been successful.
Recorded Future researchers say they have “high” confidence that RedAlpha is funded by the Chinese government because all of its targets “are within [its]” Jon Condra, director of the company’s strategic threats team, said.
Perhaps unsurprisingly, the hacking group has over the past few years been particularly interested in organizations in Taiwan, including the Democratic Progressive Party and the American Institute in Taiwan, which is the de facto U.S. embassy. economy on a small democratic island. The government in Beijing claims Taiwan as part of Chinese territory.
RedAlpha has been active since at least 2015, although it was not publicly identified until 2018, in a report by Citizen Lab. It has consistently targeted groups that the Chinese Communist Party calls the “five poisons”: Tibetans, Uighurs, Taiwanese, democracy activists, and Falun Gong. All of these groups include domestic dissidents who, for various reasons, criticize and challenge the Communist Party’s grip on China. They also share international visibility and support.
Citizen Lab’s work first uncovered RedAlpha’s campaigns against the Tibetan community, government agencies and a media group. In the years since, Recorded Future has identified additional cyber campaigns against Tibetans, and last year a report from PricewaterhouseCoopers indicated that the group was expanding its focus to include individuals, vulnerable ethnic groups, civil society organizations and a growing number of government agencies.
What’s particularly interesting about these new findings is that RedAlpha is still working from the same simple and inexpensive playbook it used years ago. In fact, this latest espionage campaign was linked to previous ones because the group reused many domains, IP addresses, tactics, malware, and even domain registration information that had been stolen, all of which had been publicly identified by cybersecurity experts for many years.