The hackers, known as RedAlpha, have taken aim at organizations including Amnesty International, the International Federation for Human Rights, Radio Free Asia, the Mercator Institute for China Studies, and other think tanks and government and humanitarian groups around the world. The hackers’ actual impact remains unclear, but judging from the sheer length of the campaign, analysts assess that the digital espionage has, broadly speaking, been successful.
Recorded Future researchers have “high” confidence that RedAlpha is sponsored by the Chinese government as all of the targets “fall within [its] strategic interests,” says Jon Condra, director of the organization’s strategic threats team.
Perhaps unsurprisingly, the hacking group has over the past few years been particularly interested in organizations in Taiwan, including the Democratic Progressive Party and the American Institute in Taiwan, which is the de facto United States embassy in the small island democracy. The government in Beijing claims Taiwan as part of Chinese territory.
RedAlpha has been active since at least 2015, though it wasn’t publicly identified until 2018, in a report by Citizen Lab. It has consistently targeted groups that the Chinese Communist Party calls the “five poisons”: Tibetans, Uyghurs, Taiwanese, democracy activists, and the Falun Gong. All of these include domestic dissidents who, for various reasons, criticize and challenge the Communist Party’s grip on China. They also share international visibility and support.
Citizen Lab’s work first uncovered RedAlpha’s campaign against the Tibetan community, government agencies, and a media group. In the years since, Recorded Future has identified additional cyber campaigns against Tibetans, and last year a report from PricewaterhouseCoopers indicated that the group is expanding its focus to include individuals, vulnerable ethnic groups, civil society organizations, and a rising number of government agencies.
What’s particularly interesting about these new findings is that RedAlpha is still operating with the same simple and inexpensive playbook it used years ago. In fact, researchers linked this latest slate of espionage to earlier campaigns precisely because the group reused many of the same domains, IP addresses, tactics, malware, and even domain registration details, all of which have been publicly documented by cybersecurity researchers for years.