Taipei, Taiwan – A hacking group suspected of acting on behalf of the Chinese government has carried out a multi-year espionage campaign against numerous governments, NGOs, think-tanks and news agencies, according to a new report.
The group, known as RedAlpha, has specialised in stealing login details from individuals in organisations considered to be of strategic interest to Beijing, according to the report released by cybersecurity firm Recorded Future.
Those targeted for “credential-phishing” since 2019 include the International Federation for Human Rights (FIDH), Amnesty International, the Mercator Institute for China Studies (MERICS), Radio Free Asia (RFA), the American Institute in Taiwan, Taiwan’s ruling Democratic Progressive Party (DPP), and India’s National Informatics Centre, according to Recorded Future.
RedAlpha targeted the organisations with emails containing PDFs that, once clicked, would lead to a fake portal page used to collect their login credentials, the Massachusetts-based cybersecurity firm said.
Recorded Future said RedAlpha likely targeted Taiwan-based organisations and human rights groups to gather intelligence on the self-governing democracy and ethnic and religious minority groups, respectively.
Hanna Linderstål, a cybersecurity researcher and founder of Earhart Business Protection Agency, said the group’s modus operandi is common among hackers.
“These actors use several angles of attack, but the easiest way to get information is often via the employee at the keyboard,” Linderstål told Al Jazeera. “IT departments are usually well prepared for cyberattacks… and the targeting actor knows this, so the weak link is the user and the organisation’s routines.”
“The most effective hackers today still take advantage of human weakness,” she added. “In 1998, I talked about the importance of strong passwords and security routines and in 2022, I still say the same thing.”
Recorded Future researchers said many organisations, particularly government institutions, have been slow to adopt multi-factor authentication, which requires more than just a stolen password to access a site.
Nabila Khan, a spokesperson for Amnesty International, said the organisation was familiar with being the target of cyberattacks.
“Amnesty often attracts attention from those with malicious intent seeking to disrupt our activity,” Khan told Al Jazeera. “We have security systems in place to mitigate and manage these threats the best we can.”
FIDH and MERICS declined to comment when contacted by Al Jazeera. Other targeted organisations did not respond to requests for comment.
RedAlpha was first identified by Canada’s Citizen Lab in 2018 and is believed to have started operating around 2015.
The group is believed to have weaponised some 350 domains last year alone, according to Recorded Future, which said its latest activity bore the hallmarks of previous campaigns.
Recorded Future said it had a “high” degree of confidence the group is operating as a proxy for the Chinese state due to links with state-owned enterprises and military tech research institutions, and its choice of targets that are of clear strategic interest to Beijing.
Intelligence experts say outsourcing espionage work to private contractors is a common tactic of Chinese intelligence agencies.
“The usage of non-state actors for cyberespionage is a common strategy for several states in the world today,” Linderstål said.
“Actors gather information for espionage and attacks, but they are hard to identify. Even if there is a state connection, it’s hard to prove. Nobody will take responsibility for the proxy… the state can always say they have no knowledge about the organisation or its actions.”
China’s Ministry of Foreign Affairs did not respond to Al Jazeera’s request for comment, but a government spokesman told the MIT Technology Review that the country opposes all cyberattacks and would “never encourage, support, or connive” to carry out such activity.