Chinese RedHotel Spy Group Linked to Hacks in 17 Countries
Motives, Operations Closely Linked to China's Ministry of State Security
A Chinese state-sponsored spy group called RedHotel has emerged as a dominant espionage agent against government entities of at least 17 countries worldwide.
The Chengdu, China-based group's motives and operations closely link it to China's Ministry of State Security, a report from Recorded Future's Insikt Group said.
The group's earliest activity can be traced back to 2019, and a spike in activity has been observed in the past three years. The group has focused on targeting academia, aerospace, government, media, telecommunications, and research and development sectors within Asia, Europe and North America.
In July 2022, RedHotel likely compromised a U.S. state legislature, showcasing its widened scope. The group in 2022 also exploited vulnerabilities in Zimbra collaboration software used by government organizations in various countries. In these intrusions the group relied on ShadowPad and Cobalt Strike, with the implants beaconing to command-and-control servers under its control.
A top U.S. national intelligence office considers China to be "the broadest, most active and persistent cyber espionage threat to U.S. government and private sector networks" (see: US Intelligence Ranks China as Top National Security Threat).
China-linked actors most recently attacked U.S. government networks in May. Cybersecurity experts said a Chinese espionage group that Microsoft named Storm-0558 forged tokens to gain access to Exchange and Outlook email accounts hosted online by Microsoft for 25 different organizations worldwide. Victims of the attack campaign became public later and included Western European governments as well as the U.S. Commerce and State departments, including the U.S. ambassador to China.
RedHotel maintains two separate sets of back-end infrastructure. One cluster is used for reconnaissance and gaining initial access to targeted systems, while the second cluster is dedicated to maintaining long-term access once inside.
The group uses a mix of offensive security tools such as Cobalt Strike and Brute Ratel. It also uses espionage-oriented tools such as backdoors and info stealers - including ShadowPad, Winnti, Spyder and FunnySwitch - across different campaigns. To gain a foothold and deliver these payloads, RedHotel exploits publicly known vulnerabilities, including ProxyShell in Microsoft Exchange, Log4Shell in Apache Log4j and previously disclosed flaws in the Zimbra collaboration suite.
Researchers credit RedHotel's operational resilience to its extensive use of virtual private servers that act as reverse proxies for the C2 traffic of the multiple malware families the group employs. These servers typically listen on standard HTTP(S) ports and forward the traffic to back-end servers controlled by the threat actors, so a victim's network logs show only the disposable VPS, not the actual C2 server. The group manages these servers through the open-source VPN software SoftEther.
Affinity for ASEAN Countries
Based on the volume of victims observed by the Insikt Group, the group's regional focus is Southeast Asia, though its observed targets span the wider region: Bangladesh, Cambodia, Bhutan, Hong Kong, India, Laos, Malaysia, Nepal, Palestine, Pakistan, the Philippines, Thailand, Taiwan and Vietnam.
RedHotel targeted Vietnamese government infrastructure in July 2022 using a stolen code-signing certificate that belonged to a Taiwanese gaming company. The certificate was used to sign a DLL that loaded the offensive security tool Brute Ratel C4.
In the same campaign the group also used a stolen TLS certificate that originally belonged to a Vietnamese government department, the Ministry of Education and Training. The threat actors continued to use that certificate through June 2023.
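The stolen code-signing certificate described above is the kind of finding that a signature check alone will miss: a DLL signed with a legitimately issued but stolen certificate verifies as valid. The PowerShell script below is an added example, not code from the article or from Recorded Future. It audits the DLLs and executables under a directory and reports files whose Authenticode signer is not one of the publishers expected to ship code there, whose certificate chain fails to build with online revocation checking, or whose signature does not verify. The root path and the publisher list are hypothetical placeholders to replace with values for the software tree being audited.

```powershell
# Added example: flag binaries signed by an unexpected publisher.
# Assumptions (hypothetical): $Root is the software tree to audit and
# $ExpectedPublishers lists Subject substrings of the vendors that legitimately
# ship code into it. Neither value comes from the article.
param(
    [string]$Root = 'C:\Program Files\ExampleApp',
    [string[]]$ExpectedPublishers = @('O=Microsoft Corporation', 'O=Example Vendor Ltd')
)

function Test-UnexpectedSigner {
    param([string]$Path, [string[]]$Publishers)

    $sig  = Get-AuthenticodeSignature -FilePath $Path
    $cert = $sig.SignerCertificate

    $subject = $null; $thumb = $null; $notAfter = $null
    if ($cert) {
        $subject  = $cert.Subject
        $thumb    = $cert.Thumbprint
        $notAfter = $cert.NotAfter
    }

    $finding = [PSCustomObject]@{
        Path       = $Path
        Status     = $sig.Status      # Valid, NotSigned, HashMismatch, NotTrusted, ...
        Signer     = $subject
        Thumbprint = $thumb
        NotAfter   = $notAfter
        Reason     = $null
    }

    if (-not $cert) {
        $finding.Reason = 'unsigned'
        return $finding
    }

    # A valid signature is necessary but not sufficient. A stolen certificate
    # still produces Status = Valid, so compare WHO signed against the
    # publishers that should be shipping code into this directory.
    $known = $false
    foreach ($p in $Publishers) {
        if ($cert.Subject -like "*$p*") { $known = $true; break }
    }
    if (-not $known) {
        $finding.Reason = 'signer not in expected publisher list'
        return $finding
    }

    # Rebuild the chain with online revocation checking. A certificate reported
    # stolen is normally revoked by its CA; a cached or offline check can miss that.
    # Expiry alone is not a finding: a trusted timestamp keeps an Authenticode
    # signature valid after the certificate's NotAfter date.
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $chain.ChainPolicy.RevocationMode =
        [System.Security.Cryptography.X509Certificates.X509RevocationMode]::Online
    $chain.ChainPolicy.VerificationFlags =
        [System.Security.Cryptography.X509Certificates.X509VerificationFlags]::IgnoreNotTimeValid
    if (-not $chain.Build($cert)) {
        $finding.Reason = 'chain: ' + (($chain.ChainStatus | ForEach-Object { $_.Status }) -join ',')
        return $finding
    }

    if ($sig.Status -ne 'Valid') {
        $finding.Reason = "signature status $($sig.Status)"
        return $finding
    }

    return $null   # signer expected, chain builds, signature verifies
}

$findings = Get-ChildItem -Path $Root -Recurse -Include *.dll, *.exe -File |
    ForEach-Object { Test-UnexpectedSigner -Path $_.FullName -Publishers $ExpectedPublishers } |
    Where-Object { $null -ne $_ }

$findings | Sort-Object Reason | Format-Table Path, Status, Signer, Reason -AutoSize
```

The order of the checks is the point: the publisher comparison runs before the chain and status checks because it is the only one that catches a signature made with a valid, unrevoked, stolen certificate. In the RedHotel case the tell would be a DLL inside a government deployment carrying the subject of a Taiwanese gaming company. The chain rebuild with online revocation catches the later stage, after the issuing CA has revoked the abused certificate.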
Trend Micro, which tracks the espionage group as Earth Lusca, said that the group has also targeted COVID-19 research, Hong Kong pro-democracy activists, religious minority groups and online gambling companies.