China-Backed RedAlpha APT Targets Human Rights Groups

Domain spoofing

• In 2021, it registered 350 domains representing a big spike in its activity.
• The hackers in this campaign targeted the International Federation for Human Rights (FIDH), Amnesty International, the Mercator Institute for China Studies (MERICS), Radio Free Asia (RFA), and the American Institute in Taiwan (AIT), among others.
• They spoofed domains off well-known email service providers Yahoo (135 typosquat domains), Google (91 typosquat domains), and Microsoft (70 typosquat domains).

Targeting of victims

• Potential victims were directed to dummy email login portals of specific organizations to steal credentials, usernames and passwords.
• The attackers appear to have targeted individuals directly affiliated with Human rights groups rather than third parties by using legitimate email login portals for specific organizations.
• For targets other than the humanitarian and government organizations, the phishing pages used generic login pages for popular mail providers.

Other observations

• Researchers have observed that RedAlpha has repeatedly registered domains spoofing webmail login portals for Taiwanese government and Brazilian and Vietnamese ministries of foreign affairs.
• Reports indicate that the group’s targets have expanded in recent years to spoof foreign ministry credentials.

Conclusion