RedHotel: An Advanced Persistent Threat from China
The RedHotel group, also known as TAG-22 or Earth Lusca, has emerged as a dominant cyber espionage threat among China state-sponsored actors. According to a report published by Recorded Future’s Insikt Group, RedHotel has targeted governments in 17 countries across Asia, Europe, and North America since 2019, with a particular focus on Southeast Asia. The group combines intelligence-gathering and economic espionage, using a significant infrastructure and toolset to carry out its operations.
Distinct Identity and Tactics
RedHotel has succeeded in maintaining a distinct identity despite its use of previously identified malware families like ShadowPad and Winnti. These tools are also used by other Chinese threat groups, making it difficult for researchers to attribute attacks to RedHotel specifically. However, the group’s high operational tempo, unique infrastructure tactics, techniques, and procedures (TTPs), and wider use of custom and offensive security tools have led to its recognition as a dominant China-backed threat.
Operating out of Chengdu to support China's Ministry of State Security, RedHotel has targeted a wide range of sectors including academia, aerospace, government, media, telecommunications, and research. Its victims have also included a US state legislature, COVID-19 researchers, Hong Kong pro-democracy activists, religious minority groups, and online gambling companies.
Diverse Attack Strategy
RedHotel's attack strategy is characterized by two key aspects: an expansive two-tiered support infrastructure and the use of various commodity and custom malware. The group has been observed using stolen code-signing certificates and TLS certificates to sign malicious DLLs and establish persistence within targeted networks.
In terms of malware, RedHotel utilizes the Winnti, ShadowPad, FunnySwitch, and Spyder backdoors. It also employs a customized Cobalt Strike command-and-control (C2) profile disguised as the Microsoft Windows Compatibility Troubleshooter service. The group provisions virtual private servers as reverse proxies for its C2 traffic and relies on the open-source VPN software SoftEther to administer its infrastructure.
Defending Against RedHotel Attacks
The report by Insikt Group provides recommendations for organizations to defend themselves against RedHotel attacks. These include:
- Configure intrusion detection systems, intrusion prevention systems, and network defense mechanisms to provide alerts for external IP addresses and domains associated with RedHotel.
- Prioritize patching of high-risk vulnerabilities, particularly those being actively exploited.
- Implement security monitoring and detection capabilities for all external-facing services and devices, with a focus on detecting malicious activities such as webshells, backdoors, reverse shells, or lateral movement.
- Practice network segmentation, with additional controls in place to protect sensitive information and restrict access.
By following these recommendations and regularly assessing their networks for indicators of compromise (IoCs) provided in the report, organizations can enhance their defense against RedHotel attacks.
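The first recommendation above, alerting on external IPs and domains associated with the group, is easy to get subtly wrong (a watchlisted domain must also catch its subdomains but not unrelated hosts that merely end in the same letters, and IP indicators are often published as ranges). The following is an added example, not code from the Insikt report; the watchlist entries and log lines are constructed placeholders, since the real RedHotel indicators are only in the report itself.

```python
import ipaddress
import re

# Constructed placeholder watchlist (reserved example names and ranges).
# Replace with the indicators published in the Insikt Group report.
WATCHLIST_DOMAINS = {"example-c2.invalid", "proxy-node.example"}
WATCHLIST_NETWORKS = [
    ipaddress.ip_network("198.51.100.0/24"),
    ipaddress.ip_network("203.0.113.7/32"),
]

# Constructed proxy log lines: "<timestamp> <src_ip> <dst_ip> <host or ->"
SAMPLE_LOGS = """\
2023-08-01T10:00:01Z 10.0.0.5 192.0.2.10 updates.microsoft.com
2023-08-01T10:00:02Z 10.0.0.7 198.51.100.23 cdn.example-c2.invalid
2023-08-01T10:00:03Z 10.0.0.9 203.0.113.7 -
2023-08-01T10:00:04Z 10.0.0.5 192.0.2.11 notexample-c2.invalid
"""

LOG_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+)$")


def domain_matches(host: str) -> bool:
    """Exact match or a subdomain of a watchlisted domain; a host that
    merely ends in the same characters (notexample-c2.invalid) is not hit."""
    host = host.lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in WATCHLIST_DOMAINS)


def ip_matches(ip: str) -> bool:
    """True if the address falls inside any watchlisted network/CIDR."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False  # malformed field, not an indicator hit
    return any(addr in net for net in WATCHLIST_NETWORKS)


def scan(log_text: str) -> list:
    """Return one alert dict per log line touching a watchlisted indicator."""
    alerts = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line.strip())
        if not m:
            continue  # skip lines that do not fit the constructed format
        ts, src, dst, host = m.groups()
        reasons = []
        if ip_matches(dst):
            reasons.append(f"ip:{dst}")
        if host != "-" and domain_matches(host):
            reasons.append(f"domain:{host}")
        if reasons:
            alerts.append({"time": ts, "src": src, "reasons": reasons})
    return alerts


if __name__ == "__main__":
    for alert in scan(SAMPLE_LOGS):
        print(alert)
```

Feeding the constructed log through `scan` flags the second line on both its IP and its subdomain and the third line on its IP only, while the fourth line (a look-alike host) is correctly left alone.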
Philosophical Discussion: The Ethics of State-Sponsored Hacking
The rise of RedHotel and the prominence of state-sponsored hacking raise important ethical questions regarding the role and responsibilities of nation-states in cyberspace. State-sponsored hacking poses significant risks not only to the targeted countries but also to the stability and trust in the global digital infrastructure.
While espionage is not a new phenomenon, the advent of cyberspace has greatly amplified its scale and impact. The ability of state-backed actors to conduct cyber operations anonymously and with relative impunity raises concerns about accountability and the potential for escalations and unintended consequences in the realm of cyberwarfare.
Furthermore, the targeting of sensitive sectors such as academia, healthcare, and pro-democracy activists demonstrates the potential for state-sponsored hacking to interfere with and undermine democratic processes, intellectual property protection, and human rights.
Editorial: Strengthening Cybersecurity and International Cooperation
The dominance of RedHotel as an advanced persistent threat highlights the urgency for organizations and governments to bolster their cybersecurity measures. It is essential for nations to invest in robust cybersecurity infrastructure, develop strong legislation, and promote cyber hygiene awareness to mitigate the risks posed by state-sponsored hackers like RedHotel.
International cooperation is crucial in addressing the global challenge of state-sponsored hacking. Governments need to work together to establish and respect norms of behavior in cyberspace, facilitate information sharing, and enhance cyber defense capabilities. An inclusive and cooperative approach that engages governments, the private sector, and civil society is necessary to effectively counter these threats.
Ultimately, safeguarding cyberspace requires a multi-faceted approach that combines technological solutions, legal frameworks, and norm-building efforts. It is imperative that nations recognize the risks posed by state-sponsored hacking and take proactive measures to protect their citizens, critical infrastructure, and the integrity of the digital ecosystem.