RedAlpha

Description

The original research from Citizen Lab did not give this group a name.

(Recorded Future) Recorded Future’s Insikt Group has identified two new cyberespionage campaigns targeting the Tibetan community over the past two years. The campaigns, which we are collectively naming RedAlpha, combine light reconnaissance, selective targeting, and diverse malicious tooling. We discovered this activity as the result of pivoting off of a new malware sample observed targeting the Tibetan community based in India.

Insikt Group’s analysis of infrastructure overlap among the new campaigns reveals wider targeting of the Chinese “Five Poisons,” in addition to South and Southeast Asian governments. Based on the campaign’s targeting of “Five Poisons”-related organizations, overlapping infrastructure, and links to malware used by other Chinese APTs uncovered during our research, we assess with medium confidence that the RedAlpha campaigns were conducted by a Chinese APT.

Infrastructure overlaps have been found with three other Chinese groups: APT 17 (also tracked as Deputy Dog, Elderwood and Sneaky Panda), Icefog (also tracked as Dagger Panda) and NetTraveler (also tracked as APT 21 and Hammer Panda).

Names

Name        Name-Giver
RedAlpha    Recorded Future
DeepCliff   ?
Red Dev 3   PWC

Country

China (state-sponsored, possibly PLA and/or Nanjing Qinglan Information Technology Co. Ltd)

Motivation

  • Information theft and espionage

First Seen

2015

Observed Sectors

Observed Countries

Tools

Operations

Information

Other Information

Uuid

e049d10f-81fd-4cc0-bb61-46f75594a1b9

Last Card Change

2024-03-10