Hackers associated with China’s Ministry of State Security (MSS) have been linked to attacks in 17 different countries in Asia, Europe, and North America from 2021 to 2023.
Cybersecurity firm Recorded Future attributed the intrusion set to a nation-state group it tracks under the name RedHotel (previously Threat Activity Group-22 or TAG-222), which overlaps with a cluster of activity broadly monitored as Aquatic Panda, Bronze University, Charcoal Typhoon, Earth Lusca, and Red Scylla (or Red Dev 10).
Active since 2019, some of the prominent sectors targeted by the prolific actor encompass academia, aerospace, government, media, telecommunications, and research. A majority of the victims during the period were government organizations.
“RedHotel has a dual mission of intelligence gathering and economic espionage,” the cybersecurity company said, calling out its persistence, operational intensity, and global reach. “It targets both government entities for traditional intelligence and organizations involved in COVID-19 research and technology R&D.”
Trend Micro, in early January 2022, described the adversary as a “highly-skilled and dangerous threat actor mainly motivated by cyberespionage and financial gain.”
The group has since been linked to exploitation of Log4Shell flaws as well as attacks aimed at telecommunications, academia, research and development, and government organizations in Nepal, the Philippines, Taiwan, and Hong Kong to deploy backdoors for long-term access.
Attack chains mounted by RedHotel have weaponized public-facing applications for initial access, followed by employing a combination of offensive security tools like Cobalt Strike and Brute Ratel C4 (BRc4) and bespoke malware families such as FunnySwitch, ShadowPad, Spyder, and Winnti.
A noteworthy aspect of the actor’s modus operandi is the use of a multi-tiered infrastructure, each focusing on initial reconnaissance and long-term network access via command-and-control servers. It predominantly utilizes NameCheap for domain registration.
In one late 2022 campaign, RedHotel is said to have leveraged a stolen code signing certificate belonging to a Taiwanese gaming company to sign a DLL file responsible for loading BRc4. The post-exploitation toolkit, for its part, is configured to communicate with abused compromised Vietnamese government infrastructure.
“RedHotel has exemplified a relentless scope and scale of wider PRC state-sponsored cyber-espionage activity by maintaining a high operational tempo and targeting public and private sector organizations globally,” Recorded Future said.
The development comes as the Washington Post reported that Chinese hackers had “deep, persistent access” to classified defense networks in Japan, prompting the U.S. National Security Agency (NSA), which discovered the breach in late 2020, to personally report the matter to government officials.