RedAlpha: Suspected Chinese hackers found targeting the Tibetan community

• Chinese threat actors have been targeting the Tibetan community for years.
• The attackers also targeted the website of the Office of His Holiness the Dalai Lama, the Sri Lankan defense ministry website and a Chinese car auction site.

A previously unknown China-linked cyberespionage group is suspected to be behind two attack campaigns targeting the Tibetan community over the past few years. The campaigns launched by the outfit, dubbed RedAlpha, include a combination of reconnaissance, diverse malicious tools and selective targeting.

The Tibetan community has been the target of numerous cyberespionage campaigns over the years. So far, they have been targeted by various Chinese threat groups including the Winnti Group, NetTraveler, LuckyCat, as well as other groups like MiniDuke and the Equation Group.

In mid-2017, campaigns were launched against the Tibetan community in India, according to security researchers at Recorded Future.

While the 2017 campaign saw attackers use a bespoke malware with a custom dropper and the NetHelp info-stealer, the 2018 campaign involved the hackers using the njRAT malware and a custom validator, indicating the campaign was highly targeted. The 2018 campaign also leveraged a down-scaled infrastructure, likely efforts to evade detection and avoid loss of proprietary tools.

RedAlpha’s evolution

The 2017 campaign involved a custom malware that came with both 32-bit and 64-bit versions. The first stage of the attack deployed a dropper and the next stage an infostealer that harvested data system data.

Recorded Future researchers discovered that RedAlpha’s C2 infrastructure was linked to a phishing campaign that previously targeted Tibetans between 2016 and 2017.

Who’s behind these attacks?

The overlap with the phishing campaign, previously reported by Citizen Lab, allowed Recorded Future researchers to attribute the old campaign as well as the RedAlpha campaign to the same threat actor. Researchers believe that the campaigns are the work of a Chinese APT. Researchers said they found links to the NetTraveler, Icefog, and DeputyDog APT groups.

Modus Operandi

“The 2017 hktechy campaign, named after one of its command-and-control (C2) servers, commenced in June 2017,” Recorded Future researchers wrote in a blog. “Our observations of the 2017 hktechy campaign demonstrate the attacker’s proficiency in using custom malware with redundant communications from the start, suggesting an increased level of sophistication for the attacker.”

The 2018 internetdocss campaign began in January and continued until April. This new campaign moved away from the 2017 campaign’s custom dropper and replaced it with a validator implant that monitored the victims’ environment. The next stage of the campaign deployed the njRAT on specific victim machines.

The attackers’ move from using customised tools to commodity malware hints at a broader shift in the tactics, techniques and procedures (TTPs) that has been observed in the APT community.

“Facing greater scrutiny, both criminal and nation-state sponsored groups have grown increasingly reliant on commodity malware and penetration testing tools,” Recorded Future researchers noted. “This shift represents a dual value add for the attackers: first, by allowing their operations to blend into the greater use of common tools, and secondly, by lowering their cost of retooling upon discovery.”

Beyond the Tibetan community

Tibetans were not the only target of the RedAlpha campaigns.

The attackers also targeted the website of the Office of His Holiness the Dalai Lama, the Sri Lankan defense ministry website and a Chinese car auction site. The campaigns also spoofed prominent Indian news media outlet NDTV, likely to elevate the targeting of exiled Tibetans in India.

“Based on the nature of these domain registrations, it is probable that the campaign was intended to be wider, encompassing additional traditional, ideological, and regional geopolitical targets for China,” Recorded Future researchers added.

Chinese hackers likely behind attacks

Recorded Future’s researchers said that they discovered an opsec failure in the RedAlpha campaign, which involved the attackers registering a domain using an abbreviation of the “People’s Liberation Army” PLA.

“We do not currently possess enough evidence to categorically prove that the RedAlpha campaigns were conducted by a new threat actor,” Recorded Future researchers said.

However, they added that the PLA connection, as well as the “infrastructure overlap with Chinese APT groups Icefog, NetTraveler, DeputyDog, and those behind the MILE TEA campaign, in addition to the links to the Nanjing Qinglan Information Technology company, point to a Chinese origin for the threat actors behind the RedAlpha activity”.