At a glance.
- An update on RedAlpha.
- Evil PLC proof-of-concept shows how programmable logic controllers could be "weaponized."
- Cl0p gang hits English water utility.
- Microsoft identifies and disrupts Russian cyberespionage activity.
An update on RedAlpha.
Recorded Future this morning outlined recent activity by the Chinese government threat actor RedAlpha, an operation the company's researchers have been tracking since June of 2018. RedAlpha has recently been observed conducting large-scale credential theft. Its targets continue to be "humanitarian, think tank, and government organizations globally."
"Over the past 3 years, we have observed RedAlpha registering and weaponizing hundreds of domains spoofing organizations such as the International Federation for Human Rights (FIDH), Amnesty International, the Mercator Institute for China Studies (MERICS), Radio Free Asia (RFA), the American Institute in Taiwan (AIT), and other global government, think tank, and humanitarian organizations that fall within the strategic interests of the Chinese government," Recorded Future writes. RedAlpha, which researchers believe is run for Chinese intelligence and security services by contractor personnel, has shown an interest in domestic ethnic and religious minorities, especially Tibetan and Uyghur populations. Internationally, the group has been particularly but not exclusively interested in Taiwan. "Historically, the group has also engaged in direct targeting of ethnic and religious minorities, including individuals and organizations within Tibetan and Uyghur communities. As highlighted within this report, in recent years RedAlpha has also displayed a particular interest in spoofing political, government, and think tank organizations in Taiwan, likely in an effort to gather political intelligence."
RedAlpha's techniques involve a great deal of credential harvesting. "Our research uncovered the suspected China state-sponsored group RedAlpha conducting credential-harvesting activity targeting individuals and organizations globally, with a particular focus on civil society and government sectors," Recorded Future says. "The group has used a consistent set of TTPs to register and manage large clusters of operational phishing infrastructure, using a mixture of pages impersonating popular email provider logins and custom webmail login pages to mimic specific providers and organizations." Its objectives are consonant with those common in Chinese intelligence and security operations. "Since 2015, the group has engaged in consistent targeting of individual citizens and groups associated with minority communities, many of which are subject to reported human rights abuses within China. More generally, Chinese state-sponsored groups continue to aggressively target dissident and minority groups and individuals, both domestically through state surveillance and internationally through cyber-enabled intrusion activity. This targeting of sensitive and vulnerable communities, many of which have security budget and resources constraints, is particularly concerning."