"Researchers Link Multi-Year Mass Credential Theft Campaign to Chinese Hackers"

RedAlpha, a Chinese state-sponsored threat activity group, has been linked to a multi-year credential theft campaign targeting global humanitarian, think tank, and government organizations. According to a new report from Recorded Future, RedAlpha most likely sought access to the email accounts and other online communications of the targeted individuals and organizations. A lesser-known threat actor, RedAlpha was first identified by Citizen Lab in January 2018 and has a history of cyber espionage and surveillance operations against the Tibetan community, including members in India, using the NjRAT backdoor to facilitate intelligence collection. Since then, the group has used 350 domains to spoof legitimate entities such as the International Federation for Human Rights (FIDH), Amnesty International, the Mercator Institute for China Studies (MERICS), Radio Free Asia (RFA), and the American Institute in Taiwan (AIT), among others. The adversary's sustained targeting of think tanks and humanitarian organizations over the last three years aligns with the Chinese government's strategic interests. The impersonated domains, which also include legitimate email and storage service providers such as Yahoo, Google, and Microsoft, are then used to target nearby organizations and individuals to facilitate credential theft. The attack chain begins with phishing emails containing PDF files whose malicious links redirect users to rogue landing pages that mimic the email login portals of the targeted organizations. This article continues to discuss researchers' findings and observations regarding RedAlpha.

THN reports "Researchers Link Multi-Year Mass Credential Theft Campaign to Chinese Hackers"
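Because the campaign rests on registering domains that impersonate well-known organizations and mail providers, the defensive check a security team most often wants is a screen for lookalike domains in new-domain feeds, certificate transparency logs, or inbound mail sender domains. The following is an added illustration written for this summary, not code from Recorded Future or The Hacker News: it normalizes common character substitutions, compares each label of a candidate domain against the brand label of a protected domain by exact match, single-edit distance, or embedding, and skips genuine subdomains of the protected domain. The protected-domain list and every candidate domain below are constructed for the example (the candidates use the reserved `.test` suffix) and are not indicators from the report.

```python
"""Screen candidate domains for resemblance to a list of protected brand domains.

Added example for this summary; the protected-domain map and the candidate
domains in the demo are constructed, not indicators from the report.
"""
import re

# Protected domains and the organization each belongs to (assumed for this example).
LEGIT_DOMAINS = {
    "amnesty.org": "Amnesty International",
    "fidh.org": "FIDH",
    "merics.org": "MERICS",
    "rfa.org": "Radio Free Asia",
    "ait.org.tw": "American Institute in Taiwan",
    "yahoo.com": "Yahoo",
    "google.com": "Google",
    "microsoft.com": "Microsoft",
}

# Second-level public suffixes we recognise so "ait.org.tw" yields the brand "ait".
MULTI_PART_SUFFIXES = {"org.tw", "com.tw", "co.uk", "co.jp"}

# Single-character substitutions that keep a lookalike visually close to the brand.
DIGIT_GLYPHS = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s"})


def normalize(label: str) -> str:
    """Lower-case a label and undo the usual digit and letter-pair substitutions."""
    label = label.lower().translate(DIGIT_GLYPHS)
    return label.replace("rn", "m").replace("vv", "w")


def brand_label(domain: str) -> str:
    """Return the registrable label of a protected domain (e.g. 'amnesty' for amnesty.org)."""
    labels = domain.lower().split(".")
    if len(labels) >= 3 and ".".join(labels[-2:]) in MULTI_PART_SUFFIXES:
        return labels[-3]
    return labels[-2] if len(labels) >= 2 else labels[0]


def levenshtein(a: str, b: str) -> int:
    """Classic edit distance with a two-row dynamic-programming table."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def lookalike_matches(candidate: str, legit=LEGIT_DOMAINS) -> list[tuple[str, str]]:
    """Return (protected_domain, reason) pairs for every brand the candidate resembles."""
    cand = candidate.lower().rstrip(".")
    if cand in legit:
        return []  # the genuine domain itself
    # Split on dots and hyphens so "amnesty-mail.test" yields the token "amnesty".
    tokens = [normalize(t) for t in re.split(r"[.\-_]", cand) if t]
    joined = "".join(tokens)
    hits = []
    for legit_domain in legit:
        if cand.endswith("." + legit_domain):
            continue  # a real subdomain of the protected domain, not a lookalike
        brand = brand_label(legit_domain)
        for tok in tokens:
            if tok == brand:
                hits.append((legit_domain, f"label '{brand}' reused in a foreign domain"))
                break
            # One edit away (typo or dropped letter); short brands are exact-match only.
            if len(brand) >= 4 and levenshtein(tok, brand) == 1:
                hits.append((legit_domain, f"label '{tok}' is one edit from '{brand}'"))
                break
        else:
            # Brand glued to other characters, e.g. "amnestyorg" or "loginmicrosoft".
            if len(brand) >= 5 and brand in joined:
                hits.append((legit_domain, f"'{brand}' embedded in '{joined}'"))
    return hits


if __name__ == "__main__":
    # Constructed candidates, not indicators from the report.
    for cand in ["amnesty-mail.test", "rnerics.test", "g00gle-login.test",
                 "mail.google.com", "microsoft.com", "example.test"]:
        print(f"{cand:22} -> {lookalike_matches(cand) or 'no match'}")
```

The one-edit rule is deliberately loose: it will flag an honest domain such as `metrics.test` against MERICS, so in production the output is a triage queue (enriched with registration date, certificate issuance, and whether the host serves a login form) rather than a block list. Homoglyph handling here covers only a handful of ASCII substitutions; an IDN-aware screen would additionally fold Unicode confusables before comparison.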
