China-backed hackers targeted MeitY's NIC, other entities
The National Informatics Centre (NIC), which manages IT infrastructure and services for the central government, was targeted by the China-sponsored hacking group RedAlpha, a recent cybersecurity report shows. NIC, which operates under the Ministry of Electronics and Information Technology (MeitY), is the tech partner of the central government.
The China-backed group has consistently spoofed NIC login pages, says the report. Beyond India, RedAlpha (also tracked as Red Dev 3 and DeepCliff) conducted a multi-year credential-theft campaign targeting humanitarian organisations, think tanks and government organisations worldwide, says the report by cybersecurity company Recorded Future.
Active since at least 2015, the group was first publicly exposed in 2018 by Citizen Lab as targeting a specific community.
Major entities and organisations recently targeted by the group include Radio Free Asia, the Mercator Institute for China Studies, Amnesty International, the International Federation for Human Rights, the American Chamber of Commerce (including AmCham Taiwan), Purdue University, Taiwan’s Democratic Progressive Party, the American Institute in Taiwan, and ministries of foreign affairs in multiple countries.
As also noted in PwC’s 2021 year-in-review report, RedAlpha’s activities have expanded over the past several years to include credential-phishing campaigns spoofing ministries of foreign affairs in multiple countries. “Throughout 2021, RedAlpha set up hundreds of domains hosting credential phishing pages aimed at diverse pools of targets on an international scale,” says the PwC report. It adds that, apart from organisations, the threat actor also targeted individual citizens and vulnerable communities in relation to sensitive political and social topics.
RedAlpha also targeted or spoofed services including news outlets popular among diaspora communities and dissidents; NGOs focused on refugees and on civil and human rights, such as Amnesty International; and think tanks and policy institutes.
According to Recorded Future, it is very likely that RedAlpha operators are located within the People's Republic of China. The targeting closely aligns with the strategic interests of the Chinese government, such as the observed emphasis on China-focused think tanks, civil society organisations, and Taiwanese government and political entities. “This targeting, coupled with the identification of likely China-based operators, indicates a likely Chinese state-nexus to RedAlpha activity.”
Notably, Chinese intelligence services’ use of private contractors is also an established trend, with groups such as APT3, APT10, RedBravo (APT31), and APT40 all identified as contractors working for China’s Ministry of State Security.
How do the China-backed hackers operate?
RedAlpha has consistently registered and weaponised large numbers of domains for use in credential-theft campaigns. These domains typically imitate well-known email service providers and spoof specific organisations that are either directly targeted in RedAlpha activity or whose identity can be borrowed to target proximate organisations and individuals. In 2021, there was a significant uptick in the volume of domains registered by the group, totalling over 350, says the Recorded Future report.
In many cases, phishing pages mirrored the legitimate email login portals of specific organisations. This, says the Recorded Future report, means they were intended to target individuals directly affiliated with those organisations rather than simply imitating the organisations to target other third parties. In other cases, the phishing pages used generic login pages for popular mail providers and the intended targeting was ambiguous. The group has used basic PDF files containing links to the identified phishing sites, typically stating that the user needs to click the link to preview or download files.
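The two paragraphs above describe the infrastructure pattern: lookalike domains that imitate mail providers or a specific organisation, sometimes with a lure word such as "login" attached. The script below is an added defender-side example, not code from the article or from Recorded Future: it scores newly observed domains (as a SOC might pull them from certificate-transparency or passive-DNS feeds) against a list of domains an organisation wants to protect, flagging embedded brand names, one- or two-character typos, digit-for-letter homoglyphs, brand names pushed into a subdomain, and common lure tokens. Every domain in it is constructed for illustration and is not an indicator from the report; the protected-domain list, lure-token list and score weights are assumptions a team would tune to its own environment.

```python
"""
Lookalike-domain triage for newly observed domains.

Added example (not the article's or Recorded Future's code). All domain
names below are constructed placeholders, not indicators from the report.
"""
from __future__ import annotations
import re

# Constructed: domains the organisation wants to protect (assumption).
LEGIT_DOMAINS = {"examplemail.com", "exampleorg.gov", "webmail.exampleorg.gov"}

# Constructed: tokens commonly bolted onto a brand in phishing domains (assumption).
LURE_TOKENS = {"login", "signin", "secure", "verify", "mail", "webmail", "account", "owa"}


def normalise(label: str) -> str:
    """Fold common homoglyph substitutions so 'examplemai1' compares as 'examplemail'."""
    label = label.lower().replace("rn", "m").replace("vv", "w")
    return label.translate(str.maketrans("01357", "olest"))


def registrable_domain(domain: str) -> str:
    """Last two labels of the domain (a naive public-suffix approximation)."""
    parts = domain.lower().strip(".").split(".")
    return ".".join(parts[-2:])


def levenshtein(a: str, b: str) -> int:
    """Plain edit distance, used to catch one- or two-character typosquats."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


LEGIT_REGISTRABLE = {registrable_domain(d) for d in LEGIT_DOMAINS}
# Brand tokens are the second-level labels of the protected domains.
BRANDS = sorted({normalise(r.split(".")[0]) for r in LEGIT_REGISTRABLE})


def score_domain(candidate: str) -> tuple[int, list[str]]:
    """Return (0-100 suspicion score, human-readable reasons) for one domain."""
    cand = candidate.lower().strip(".")
    if registrable_domain(cand) in LEGIT_REGISTRABLE:
        return 0, ["registered under a protected domain"]

    labels = cand.split(".")
    reg_label = normalise(labels[-2] if len(labels) >= 2 else labels[0])
    score, reasons = 0, []

    for brand in BRANDS:
        if reg_label == brand:
            score += 50  # homoglyph or TLD swap: normalises to the brand exactly
            reasons.append(f"normalises to brand '{brand}' under a different registrable domain")
        elif brand in reg_label:
            score += 40  # brand embedded, e.g. brand-login.com
            reasons.append(f"brand '{brand}' embedded in registrable label")
        elif 0 < levenshtein(reg_label, brand) <= 2:
            score += 35  # typosquat within two edits
            reasons.append(f"within 2 edits of brand '{brand}'")
        else:
            continue
        break

    # Brand used as a subdomain of an unrelated registrable domain.
    if any(brand in normalise(lbl) for lbl in labels[:-2] for brand in BRANDS):
        score += 30
        reasons.append("brand used as a subdomain label")

    hits = sorted(set(re.split(r"[-_.]", cand)) & LURE_TOKENS)
    if hits:
        score += 20
        reasons.append("lure tokens: " + ", ".join(hits))

    return min(score, 100), reasons


def triage(domains: list[str]) -> list[tuple[str, int, list[str]]]:
    """Score a batch of domains and return them most suspicious first."""
    rows = [(d, *score_domain(d)) for d in domains]
    return sorted(rows, key=lambda r: (-r[1], r[0]))


if __name__ == "__main__":
    # Constructed sample feed; none of these are real indicators.
    sample = [
        "examplemail.com", "webmail.exampleorg.gov", "examplemai1.com",
        "examplemail-login.com", "exampleorg.gov.account-verify.net",
        "news.example-weather.net", "exanplemail.com", "owa-exampleorg.com",
    ]
    for domain, score, reasons in triage(sample):
        print(f"{score:3d}  {domain:40s} {'; '.join(reasons)}")
```

Anything scoring above a chosen threshold would be queued for analyst review and, once confirmed, pushed to mail-gateway and proxy blocklists. The public-suffix handling is deliberately naive (two labels); a production version would use a public-suffix list so that domains under country-code second-level suffixes are split correctly.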