ETDA ThaiCERT
Report
Search
Home > List all groups > RedAlpha

Threat Group Cards: A Threat Actor Encyclopedia

Permanent link APT group: RedAlpha

NamesRedAlpha (Recorded Future)
CountryChina China
SponsorState-sponsored, possibly PLA and/or Nanjing Qinglan Information Technology Co. Ltd
MotivationInformation theft and espionage
First seen2015
DescriptionThe original research from Citizen Lab did not give this group a name.

(Recorded Future) Recorded Future’s Insikt Group has identified two new cyberespionage campaigns targeting the Tibetan community over the past two years. The campaigns, which we are collectively naming RedAlpha, combine light reconnaissance, selective targeting, and diverse malicious tooling. We discovered this activity as the result of pivoting off of a new malware sample observed targeting the Tibetan community based in India.

Insikt Group’s analysis of infrastructure overlap among the new campaigns reveals wider targeting of the Chinese “Five Poisons,” in addition to South and Southeast Asian governments. Based on the campaign’s targeting of “Five Poisons”-related organizations, overlapping infrastructure, and links to malware used by other Chinese APTs uncovered during our research, we assess with medium confidence that the RedAlpha campaigns were conducted by a Chinese APT.

Infrastructure overlaps have been found with APT 17, Deputy Dog, Elderwood, Sneaky Panda, Icefog, Dagger Panda and NetTraveler, APT 21, Hammer Panda.
ObservedSectors: Government and the Tibetan and Uyghur communities and Falun Gong supporters.
Countries: Hong Kong, India, Myanmar, Pakistan, Sri Lanka, Thailand and South and Southeast Asia.
Tools usedFormerFirstRAT, Gh0st RAT, NetHelp Infostealer, njRAT, RedAlpha and a vulnerability in MS Office.
Operations performed2017RedAlpha: New Campaigns Discovered Targeting the Tibetan Community
<https://www.recordedfuture.com/redalpha-cyber-campaigns/>
<https://go.recordedfuture.com/hubfs/reports/cta-2018-0626.pdf>
Information<https://citizenlab.ca/2018/01/spying-on-a-budget-inside-a-phishing-operation-with-targets-in-the-tibetan-community/>

Last change to this card: 15 April 2020

Download this actor card in PDF or JSON format

Previous: Reaper, APT 37, Ricochet Chollima, ScarCruft
Next: RedCurl

Thailand Computer Emergency Response Team (ThaiCERT)
Electronic Transactions Development Agency

Follow us on

Facebook Twitter

Report incidents

Telephone +66 (0)2-123-1234
E-mail report@thaicert.or.th
PGP Download PGP key