A hacking group linked to China has spent the last three years targeting human rights organizations, think tanks, news media, and agencies of multiple foreign governments, according to a revealing new report from the cybersecurity firm Recorded Future.
The report, shared exclusively with MIT Technology Review, offers new clues about how private contractors and front companies operating with relatively few resources can run long-standing hacking operations and succeed against high-value targets with crude but effective tactics. By using private-sector hackers, experts say, the Chinese government gains the ability to hit more espionage targets—and frees up resources within intelligence and military agencies to carry out more advanced hacking. The operation also hints at a widespread and persistent failure among vulnerable institutions to implement even basic cybersecurity defenses.
The hackers, known as RedAlpha, have taken aim at organizations including Amnesty International, the International Federation for Human Rights, Radio Free Asia, the Mercator Institute for China Studies, and other think tanks and government and humanitarian groups around the world. The hackers’ impact remains unclear, but judging from the sheer length of the campaign, analysts expect that the digital espionage has, broadly speaking, seen success.
Recorded Future researchers have “high” confidence that RedAlpha is sponsored by the Chinese government as all of the targets “fall within [its] strategic interests,” says Jon Condra, director of the organization’s strategic threats team.
Perhaps unsurprisingly, the hacking group has over the past few years been particularly interested in organizations in Taiwan, including the Democratic Progressive Party and the American Institute in Taiwan, which is the de facto United States embassy in the small island democracy. The government in Beijing claims Taiwan as part of Chinese territory.
RedAlpha has been active since at least 2015, though it wasn’t publicly identified until 2018, in a report by Citizen Lab. It has consistently targeted groups that the Chinese Communist Party calls the “five poisons”: Tibetans, Uyghurs, Taiwanese, democracy activists, and the Falun Gong. All of these include domestic dissidents who, for various reasons, criticize and challenge the Communist Party’s grip on China. They also share international visibility and support.
Citizen Lab’s work first uncovered RedAlpha’s campaign against the Tibetan community, government agencies, and a media group. In the years since, Recorded Future has identified additional cyber campaigns against Tibetans, and last year a report from PricewaterhouseCoopers indicated that the group is expanding its focus to include individuals, vulnerable ethnic groups, civil society organizations, and a rising number of government agencies.
What’s particularly interesting about these new findings is that RedAlpha is still operating with the same simple and inexpensive playbook that it used years ago. In fact, this latest slate of espionage was linked to previous campaigns because the group reused many of the same domains, IP addresses, tactics, malware, and even domain registration information that has been publicly identified by cybersecurity experts for years.
“If it’s not broken, don’t change it,” Condra says. RedAlpha’s tactics are so simple and straightforward that Condra describes its work as espionage likely conducted on “a tight budget”—but in this case at least, simple can be pretty effective. “This is probably not the most well-resourced group,” he says. “They may want to cut corners and save some money when they register domains or acquire hosting. If there are campaigns they do with tactics that seem to work regardless of public exposure, there is no reason for them to change. It works and it’s cost effective.”
More specifically, RedAlpha has created and weaponized hundreds of fake, malicious domains disguised as their targets in an effort to steal usernames and passwords. “I’m willing to bet this is a pretty effective tactic for them,” Condra says. Researchers say this is likely due to poor adoption of basic security safeguards by organizations in their crosshairs, which creates a low bar to entry for the hackers.
“There are a lot of organizations that have not implemented multifactor authentication,” Condra adds. “That’s even more true on the government side in countries that move slower, have tighter budgets, and have more institutional resistance to change. We wouldn’t see RedAlpha doing this over the course of three years if they weren’t getting something out of it from their targets.” (Multifactor authentication is a cybersecurity technology that prevents hackers from taking over an account even if they have stolen a password; it is widely recommended and relatively easy to implement, but is often pushed aside for other priorities.)
As tensions continue to increase between the United States and China over Taiwan, analysts say, the hackers were likely conducting espionage with the goal of producing political intelligence. The group also impersonated government agencies from India, Brazil, Vietnam, and Portugal.
China is widely considered to be one of the world’s most active and highly capable cyber powers, alongside the United States. While it has hackers in its intelligence and military agencies, China has also reportedly used private contractors like RedAlpha to conduct cyber-espionage operations, according to multiple American indictments.
Significant clues point to RedAlpha’s connections to important state groups. Shared details on registration of malicious domains connect the group to an individual who once said he was a member of the Green Army, China’s first underground hacking group, dating back to 1997. The Green Army, in fact, is one of the most important groups in the history of Chinese hacking; an alliance of several thousand Chinese nationalist hackers who targeted foreign websites, the organization gave rise to some of the country’s most prominent hackers, and parts of the faction evolved into major private sector cybersecurity firms still active today.
What’s more, an email address used to register several of RedAlpha’s malicious domains across multiple espionage campaigns has been connected to a Chinese company that works with numerous government-owned companies, as well as the People’s Liberation Army University of Science and Technology, an elite state-run institution focused on researching high-tech Chinese military capabilities. Now known as Jiangsu Cimer Information Security Technology Co., the company provides defensive and offensive cybersecurity products. Jiangsu Cimer did not respond to a request for comment.
“This strategy allows [the Chinese government] to outsource some of the lower-hanging fruit, the simple stuff that still needs to get done,” Condra says. “But this doesn’t necessarily need to be done by the most professional operators in China. They don’t need to burn the most valuable, advanced tools on low-level campaigns.”
When reached for comment, a Chinese government spokesperson said the country opposes cyber attacks and “will never encourage, support, or connive at” them.