With cybersecurity threats on the rise, the international security community has been stirred once again by the revelation of an extensive, multi-year cyber-espionage campaign, most likely run by state-backed hacker groups working for China's Ministry of State Security (MSS). Between 2021 and 2023, this campaign hit targets in 17 distinct countries spanning Asia, Europe, and North America.
Recorded Future, a well-known global cybersecurity firm, traced this wave of attacks to a group it tracks under the name "RedHotel"; the group was previously labeled Threat Activity Group-22 (TAG-22) and overlaps with more broadly tracked clusters known as Aquatic Panda, Bronze University, Charcoal Typhoon, Earth Lusca, and Red Scylla (or Red Dev 10).
RedHotel's unusually diverse target set has spanned multiple sectors, including academia, aerospace, government, media, and telecommunications, since the group began operating in 2019. A concerning majority of the breached entities, however, were government organizations.
On further analysis, Recorded Future pointed out an unsettling pattern: RedHotel appears to pursue a dual mission of economic espionage and intelligence gathering. Operating with tactical precision and remarkably wide reach, it has targeted both traditional intelligence sources inside government bodies and organizations heavily involved in COVID-19 research and technology R&D.
In early 2022, another cybersecurity firm, Trend Micro, recognized the danger posed by RedHotel, describing it as a highly skilled and dangerous actor driven primarily by cyber-espionage and financial gain. The group was subsequently tied to several instances of Log4Shell exploitation and backdoor deployments against academic, telecommunications, R&D, and government bodies in countries including Nepal, the Philippines, Taiwan, and Hong Kong.
Looking at RedHotel's modus operandi, researchers noted the strategic targeting of public-facing applications, combined with offensive security tools such as Cobalt Strike and Brute Ratel C4 (BRc4), for initial access. A range of custom malware families, including FunnySwitch, ShadowPad, Spyder, and Winnti, then extends the intrusion deeper into the target's environment. Like the many heads of a mythical hydra, the actor also operates a multi-tier infrastructure, with separate tiers dedicated to initial reconnaissance and to long-term network access.
One particularly insidious tactic reportedly involved RedHotel using a stolen code signing certificate from a Taiwanese gaming company to sign the DLL responsible for loading BRc4, a new level of cunning and audacity: a validly signed loader passes the trust checks that an unsigned one would fail. Recorded Future's report reiterates that RedHotel's relentless operations fit the broader and disturbing theme of state-sponsored cyber-espionage originating from China.
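The stolen-certificate tactic above is a reminder that "signed" does not mean "trusted". The script below is an added defender-side example, not code from the article or from Recorded Future or Trend Micro: it inventories the Authenticode signers of DLLs under a directory and flags any file whose signature status is not Valid or whose signer subject is outside an allowlist that you maintain. The default path and the allowlist entries are assumptions to be replaced with your own environment's values.

```powershell
# Added example (not from the original article): inventory Authenticode signers
# of DLLs and flag unexpected publishers or non-Valid signature states.
param(
    # Assumption: directory to inventory; narrow this to the paths you care about.
    [string]$Path = "C:\ProgramData",
    # Assumption: substrings of signer subjects your organization expects to see.
    [string[]]$AllowedSubjects = @("O=Microsoft Corporation")
)

function Get-SuspiciousDllSigners {
    param([string]$Root, [string[]]$Allowed)

    Get-ChildItem -Path $Root -Filter *.dll -Recurse -File -ErrorAction SilentlyContinue |
        ForEach-Object {
            $sig = Get-AuthenticodeSignature -FilePath $_.FullName

            # Unsigned files have no SignerCertificate; label them explicitly.
            $subject = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { "<unsigned>" }
            $thumb   = if ($sig.SignerCertificate) { $sig.SignerCertificate.Thumbprint } else { "" }

            # A signer is "expected" only if one allowlist substring matches its subject.
            $expected = [bool]($Allowed | Where-Object { $subject -like "*$_*" })

            [pscustomobject]@{
                File     = $_.FullName
                Status   = $sig.Status          # Valid, NotSigned, HashMismatch, NotTrusted, ...
                Signer   = $subject
                Thumb    = $thumb
                Flagged  = ($sig.Status -ne 'Valid') -or (-not $expected)
            }
        } |
        Where-Object { $_.Flagged }
}

Get-SuspiciousDllSigners -Root $Path -Allowed $AllowedSubjects |
    Sort-Object Signer, File |
    Format-Table -AutoSize
```

The allowlist check is the important part: a loader signed with a stolen but not-yet-revoked certificate reports Status = Valid, so filtering on status alone would miss exactly the case described above. What stands out instead is the publisher: a gaming company's certificate on a DLL inside a government network is an anomaly worth a ticket even while the chain still verifies. Once the issuer revokes the certificate, the status stops reporting Valid and the first condition catches it as well.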
These revelations come in the wake of a Washington Post report that uncovered deep, persistent penetration by Chinese hackers into classified Japanese defense networks. The U.S. National Security Agency (NSA) made the discovery in late 2020 and confidentially reported it to its Japanese government counterparts.
Amid this turbulent cybersecurity landscape, the need for independent, comprehensive and reliable cybersecurity has never been more relevant.
At Darksteel Technologies, we are an Orlando-based business that can handle all aspects of your IT security, providing compliance, training, malware protection, cloud security, DevSecOps, vulnerability management, penetration testing, architecture design, and any other information security requirement your business has. We focus on your cybersecurity so you don't have to.