top of page


Keanna Grelicha, Julian Strong, Counterintelligence and Cyber (CICYBER)

Shachi Gokhale, Valentina Topatigh, Editor; Hannah Norton, Senior Editor

August , 2022

Hacker Cyber Crime[1]

Geographical Area | Global

Countries/Enterprises Affected | Taiwan; Portugal; Brazil; Vietnam; India; International Federation for Human Rights (FIDH); Amnesty International; the Mercator Institute for China Studies (MERICS); Radio Free Asia (RFA); the American Institute in Taiwan (AIT)

RedAlpha, a Chinese state-sponsored cyber group, was identified as the hacker behind a multi-year credential theft campaign that has targeted governmental organizations, think tanks, and global humanitarian organizations since January 2018.[2] RedAlpha’s attack chain consists of phishing emails, malware, and remote access trojans (RAT) known as NjRAT to access email account credentials and networks of individuals and their organizations.[3] NjRAT backdoor is the trojan used to log keystrokes, steal credentials, and get remote control access to the victim’s computer and server.[4] This RAT technique allows RedAlpha to access the victim’s desktop and remain within the server to collect intelligence on the individuals affiliated with these organizations.[5] This credential theft campaign will very likely affect more countries if RedAlpha can gather intelligence within the servers of their targets to use for political means associated with China or for financial profit if the data is used for ransom. The ability for RedAlpha to go unidentified for multiple years will very likely lead to future attacks as the group will very likely advance its methodologies to target industries with limited financial or technical capabilities to secure their networks.

Security Risk Level:

Areas of High Security Concern: Using the NjRAT will very likely allow RedAlpha to set up access points within the server of the compromised individuals’ email accounts to enable remote entry, very likely facilitate future espionage attacks. Network access will very likely allow the hacker group to collect Personal Identifiable Information (PII) stored within the server and impersonate the individuals to gain further access to organizational data. If the hacker group accesses unclassified data from the targeted governmental and humanitarian organizations, other countries with shared data and intelligence will very likely become vulnerable to political, economic, or social attacks. These attacks could very likely include ransomware attacks on economic institutions or political agencies by very likely using the previously accessed data to gain entry into shared networks of other organizations to gather more intelligence to hold for ransom or sell to the target’s adversaries. The hacker group will very likely demand a ransom for the confidential data, very likely forcing the organizations to pay to avoid the threat of adversaries obtaining the data. Without effective security measures protecting the sensitive data within these industries’ networks, they will very likely face financial losses to mitigate data theft and deter future attacks.

Current Claims: Taiwan; Portugal; Brazil; Vietnam; India

Current Attack: RedAlpha first sends a phishing email with malware-embedded documents and links that take the individual to rogue domains that impersonate Yahoo, Google, and Microsoft.[6] RedAlpha has compromised over 350 domains of organizations like FIDH, MERICS, RFA, and AIT by stealing the credentials of individuals associated with the organizations.[7] The targets of this credential theft campaign are groups of interest to China, very likely indicating that RedAlpha follows Chinese political strategies, which will very likely pose high-security concerns for the US and allies of Taiwan and other targeted entities.[8]

Groups Involved in Attack: RedAlpha; International Federation for Human Rights (FIDH); Amnesty International; the Mercator Institute for China Studies (MERICS); Radio Free Asia (RFA); the American Institute in Taiwan (AIT); Zimbra

Major Capital Industries: global government; think tanks; humanitarian organizations; educational industry; cloud software industry

Potential Industry Concerns: The multi-year attacks will very likely continue against these industries as the perpetrators find success in using phishing and malware attacks to breach networks and compromise data to sell or hold for ransom. The hackers will very likely adapt their methodologies with the NjRAT to counter anti-phishing defenses and protocols the industries implement against the current campaign. Global governments will very likely need to collaborate with information technology (IT) agencies to secure systems and set up protocols to defend against future attacks. The classified databases within government agencies, think tanks, educational organizations, and humanitarian organizations will very likely continue to face threats if there is a lack of security and software protocols like firewalls and activity scans. These industries will very likely allocate finances for IT services to secure networks and provide regular updates to decrease the risk of future breaches. Vendors and suppliers within the cloud software industry like Yahoo, Google, and Microsoft are likely unaware of the full exploit within these attacks if users cannot report legitimate communication and authentication requests through emails. This will likely lead organizations within this industry to update software packages to implement more levels of security within login stages and when working on data within the networks.

Areas of Caution:

  • Political: RedAlpha has historically targeted ethnic and religious minorities within the Tibetan and Uyghur communities, and political and private sector organizations in Taiwan, which are groups that make up the strategic interest of the Chinese government.[9] The Chinese Communist Party's (CCP) strategic interests include what they call the “five poisons” which are the Tibetans, Uyghurs, democracy activists, Taiwanese, and the Falun Gong, which RedAlpha has targeted.[10] In recent weeks, tensions around Taiwan have increased after a visit by Nancy Pelosi, Speaker of the US House of Representatives, to Taiwan.[11] The hacker group’s similarity in political targets indicates that the CCP is using private actors to facilitate intelligence gathering or threaten the security of its adversaries by targeting organizations that create political noise. Chinese-associated hacker groups targeting humanitarian organizations and ethnic minorities are expected to gather the attention of the international community to respond to any cyber threats against Taiwan governmental or humanitarian private groups. RedAlpha’s cyber campaign against these organizations is expected to negatively impact current tensions between the US and China surrounding Taiwan, leading to a political response like sanctions on the hacker group by the US.

  • Social: RedAlpha was first identified as operating credential theft and phishing campaigns against the Tibetan community, social movements, media groups, and Southeast Asian government organizations in 2018.[12] From 2021, Southeast Asia was hit with 11 million attempted phishing attacks due to the vulnerability of individuals’ email accounts that hold sensitive information like PII and their organization’s database.[13] The threat of phishing attacks in Southeast Asia and amongst the minority communities has current implications for organizations and governmental agencies that monitor these groups and hold critical information as they could expectedly become a target as well. RedAlpha successfully compromising individuals associated with those groups indicates that many individuals and organizations lack the security measures like Anti-Phishing scans and multi-factor authentication (MFA) tools to detect irregular activities within their accounts. Humanitarian organizations are expected to face financial implications to gather the funds that support targeted groups and protect them from further cyberattacks.

  • Cybersecurity: Private-sector actors become state-sponsored because it allows the State to decrease the number of resources it would need to devote to intelligence organizations to carry out operations to perform espionage on targets.[14] The CCP sponsoring RedAlpha to conduct the campaign on desired targets indicates that the CCP will establish their methodology of using private contractors like the APT3, APT10, RedBravo, and APT40 to conduct cyber operations.[15] State-sponsored cyber groups are known to conduct attacks to collect intelligence for their sponsoring State to conduct future attacks or request payment for the captured data.[16] Recorded Future, an intelligence company, reported that a leak of 3.2 billion passwords exposed 1.5 million US government email service records that resulted from a state-sponsored cyber group attack.[17] The success of these state-sponsored groups in compromising networks and databases of governmental and private sector companies is expected to incentivize other countries to conduct similar operations with rogue actors. The current threat of more state-sponsored groups indicates a change in the way negotiations and conflicts are conducted between adversaries, which will expectedly lead to an increase in attacks by private contractors.

Predictive Analysis:

  • Who: RedAlpha will very likely continue administering the theft campaign as they find success in breaching the currently targeted industries to obtain financial profits. They will very likely go beyond the current industries and target organizations with cloud services within their networks known for having vulnerabilities to expand their operations, very likely increasing financial profits. Cloud software companies and governments who use cloud services will very likely suffer from more phishing attacks leading to credential theft campaigns, very likely providing the hackers with more targets to expand their operations. The impact of increased attacks will very likely lead to financial loss for the targeted organizations as they will very likely need to pay a ransom to obtain stolen data or pay for security protocols from IT agencies.

  • What: Theft campaigns from these phishing attacks will very likely lead the attackers to exploit account access for financial gain by using PII to access to the organization’s financial systems and classified databases. The hackers will likely use the access and PII to bypass two-factor authentication (2FA) security parameters to divert funds from legitimate accounts and hold data for ransom. The use of the NjRAT will very likely allow the hackers to remain active within the account and allow for future access to breach other linked networks. The success of these attacks will very likely incentivize additional hackers to conduct these attacks against similar industries or expand the campaign.

  • Why: The use of phishing attacks and social engineering tactics are very likely time efficient to conduct as the hackers will very likely send a mass amount of scans repeatedly. The hackers will very likely continue to automate these attacks on more individuals as this will increase the rate at which individuals are likely to fall victim to the scam. The hackers will very likely find additional opportunities within these attacks to collect data on targeted organizations to hold for ransom and threaten the sale of the data to adversaries of the industries. They will also very likely propose higher ransoms on an organization’s data than from employee or client data as organizations are very likely more equipped to mitigate the data losses financially.

  • When: The phishing attacks and theft campaign will very likely continue as RedAlpha profit and succeed in the attacks against the organizations. The ability to bypass security parameters like 2FA and access networks using malware will very likely incentivize the group and other hackers to expand methodologies and continue the theft campaign progressively. Advancing tactics will very likely increase the rate these attacks are conducted, very likely increasing the threat of data loss and network attacks on organizations within the targeted industries.

  • How: The theft campaign will very likely include two exploits to obtain direct financial compensation via exploitation of breached funds from bank accounts within the networks or by obtaining sensitive information and holding it for ransom. The hackers will very likely change their pattern of attack by implementing more malicious links and documents to increase the success rate of an individual falling victim to the scam. The ability for the hackers to access and collect data will very likely allow the hacker to surf the networks of multiple accounts and reach systems of linked organizations. The backdoor entry points from the use of RATs will very likely allow the hackers to return in the future to collect more data before further attacking the company for a higher profit.

The Counterterrorism Group’s (CTG) Counterintelligence and Cyber Team (CICYBER) recommends that governments, cloud software companies, and humanitarian organizations should implement both multifactor authentication (MFA) and hardware key requirements such as fob-based auto-generated keys for the login phase of an account. This auto-generated key requirement will allow for more barriers for hackers to access the accounts, leading to multiple failed attempts that alert the system. Agencies, organizations, and companies (AOCs) should implement configuration intrusion detection systems (IDS) and intrusion prevention systems (IPS) which will allow for the network alerts to be sent to the appropriate IT department to check the system for irregular activity. CTG recommends that AOCs monitor domain abuse and enforce strong security awareness for employees and clients to result in fewer vulnerability points hackers can target. The monitoring of domain abuse will aid with IDS and IPS as the system will very likely detect unusual and anomalous account login patterns or malware trails within the accounts.

CTG works to detect, deter, and defeat terrorism and will continue to monitor the evolution of phishing and theft campaigns for future developments. CTG’s Worldwide Analysis of Threats, Crimes, and Hazards (WATCH) Officers will monitor ongoing phishing and malware attacks to help establish trends to aid in prevention methods against future incidents.


[2] Researchers Link Multi-Year Mass Credential Theft Campaign to Chinese Hackers, The Hacker News, August 2022,

[3] Ibid

[5] Researchers Link Multi-Year Mass Credential Theft Campaign to Chinese Hackers, The Hacker News, August 2022,

[6] Ibid

[7] Ibid

[8] Ibid

[9] RedAlpha carries out multi-year credential theft campaign targeting human rights groups, federal agencies, Industrial Cyber, August 2022,

[10] Hackers linked to China have been targeting human rights groups for years, MIT Technology Review, August 2022,

[11] Chinese hackers RedAlpha have been targeting politicians and human rights groups, TechMonitor, August 2022,

[12] RedAlpha carries out multi-year credential theft campaign targeting human rights groups, federal agencies, Industrial Cyber, August 2022,

[13] Over 11 million phishing emails blocked in Southeast Asia, TechWire Asia, June 2022,

[14] Hackers linked to China have been targeting human rights groups for years, MIT Technology Review, August 2022,

[15] RedAlpha carries out multi-year credential theft campaign targeting human rights groups, federal agencies, Industrial Cyber, August 2022,

[16] Chinese hackers RedAlpha have been targeting politicians and human rights groups, TechMonitor, August 2022,

[17] Ibid


bottom of page