An advanced persistent threat (APT) is pulling ahead of a crowded field of China state-sponsored actors as a dominant cyber espionage threat. The RedHotel group has so far gone after targets in 17 countries on three continents, conducting both intelligence-gathering and economic espionage, with a substantial infrastructure and toolset to back it all up.
RedHotel (aka TAG-22 or Earth Lusca) has been operating since 2019 but has ramped up its activity considerably in the last two years, standing out "due to its persistence, operational intensity, and global reach," researchers from Recorded Future's Insikt Group revealed in a report published this week.
The group has already conducted attacks in 17 countries across Asia, Europe, and North America. Its formidable back-end support structure consists of two distinct infrastructure clusters: one largely dedicated to reconnaissance and initial access operations, and a second to maintaining long-term access to targeted networks.
While the group is particularly focused on Southeast Asia, it counts as its victims a US state legislature — which it compromised in 2022 — as well as numerous other targets in the academia, aerospace, government, media, telecommunications, and research sectors. It also has targeted COVID-19 research, Hong Kong pro-democracy activists, religious minority groups, and online gambling companies.
RedHotel has gone largely unrecognized as a distinct entity because it relies on the previously identified ShadowPad and Winnti backdoor malware families. Since multiple Chinese threat groups, including Blackfly, use these same tools, RedHotel has blended in, "creating challenges in clustering and attribution," the researchers noted.
However, due to RedHotel’s high operational tempo, distinct infrastructure tactics, techniques, and procedures (TTPs), and wider use of both custom and offensive security tooling, the group has now developed a distinct identity as a dominant China-backed threat in its own right, operating out of Chengdu to support China’s Ministry of State Security, according to Insikt.
A Chinese APT’s Diverse Attack Strategy
RedHotel is characterized by a couple of key aspects — an expansive two-tiered support infrastructure, and the myriad and diverse ways it attacks victims using both commodity and custom malware.
Insikt documented several observed attacks in its report. In one attack late last year, RedHotel targeted the Vietnamese Institute on State using a stolen code-signing certificate belonging to a Taiwanese gaming company. The certificate was used to sign a dynamic-link library (DLL) that loaded the offensive security tool known as Brute Ratel C4.
In the same campaign, the group used a stolen TLS certificate originally belonging to another Vietnamese government department, the Ministry of Education and Training — one that actors continued to use as late as June 2023.
In other threat activity observed in July 2022, RedHotel was linked to exploitation of the Zimbra collaboration suite at government organizations in multiple countries: the compromised Zimbra servers were observed communicating with ShadowPad and Cobalt Strike C2 IP addresses controlled by the group.
In addition to the Winnti and ShadowPad backdoors, RedHotel also uses FunnySwitch and Spyder backdoors in its campaigns, as well as a customized Cobalt Strike command-and-control (C2) profile that masquerades as the Microsoft Windows Compatibility Troubleshooter service.
On the infrastructure side, RedHotel provisions large numbers of virtual private servers that act as reverse proxies for C2 traffic associated with the multiple malware families the threat group uses. These servers are typically configured to listen on standard HTTP(S) ports and to redirect traffic to upstream actor-controlled servers, which are administered using the open-source VPN software SoftEther. Because the public-facing redirectors are disposable and the upstream servers sit behind them, blocking a single redirector IP rarely disrupts the operation for long.
This infrastructure handles long-term intrusion activity, while “a separate, noisier infrastructure cluster” is used for initial access operations and reconnaissance, according to Insikt.
Defending Against RedHotel Attacks
The report offered a number of strategies for enterprises to defend themselves against RedHotel attacks, along with a comprehensive list of indicators of compromise (IoCs) that it recommended organizations use to analyze their networks and traffic.
Insikt also recommends configuring intrusion detection systems, intrusion prevention systems, or other network defense mechanisms to alert on the external IP addresses and domains the report identifies as likely controlled by RedHotel, then reviewing each alert and blocking the indicator where appropriate.
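As an added illustration of that recommendation (this is example code written for this article, not tooling from the Insikt report), the following Python script loads an IoC list of IPs, CIDR ranges, and domains, matches it against Zeek-style conn and dns log lines, and emits equivalent Suricata alert rules. All indicators and log lines below are constructed placeholders (RFC 5737 documentation addresses and .test names), not indicators from the report; a real deployment would load the report's appendix instead. Domain matching is done on label boundaries so that a subdomain of a listed domain is a hit while a lookalike such as "notexample.test" or "update.example.test.evil.invalid" is not.

```python
"""Match an IoC list against Zeek-style JSON logs and generate Suricata rules.

Added example, not from the Insikt report. Indicators and log lines are
constructed placeholders (RFC 5737 addresses, .test/.invalid names).
"""
import ipaddress
import json
from dataclasses import dataclass, field

# Constructed IoC list (placeholder values, not report indicators).
IOCS = {
    "ips": ["203.0.113.10", "198.51.100.0/24"],
    "domains": ["update.example.test", "cdn-proxy.example.test"],
}

# Constructed Zeek-style JSON records (conn.log and dns.log fields).
SAMPLE_LOGS = [
    '{"_path":"conn","ts":1690000000.1,"id.orig_h":"10.0.0.5","id.resp_h":"203.0.113.10","id.resp_p":443}',
    '{"_path":"conn","ts":1690000001.2,"id.orig_h":"10.0.0.7","id.resp_h":"198.51.100.77","id.resp_p":80}',
    '{"_path":"conn","ts":1690000002.3,"id.orig_h":"10.0.0.9","id.resp_h":"8.8.8.8","id.resp_p":53}',
    '{"_path":"dns","ts":1690000003.4,"id.orig_h":"10.0.0.5","query":"sub.update.example.test"}',
    '{"_path":"dns","ts":1690000004.5,"id.orig_h":"10.0.0.9","query":"notexample.test"}',
    '{"_path":"dns","ts":1690000005.6,"id.orig_h":"10.0.0.9","query":"update.example.test.evil.invalid"}',
]


@dataclass
class IocMatcher:
    networks: list = field(default_factory=list)  # ip_network objects (hosts become /32)
    domains: set = field(default_factory=set)     # lower-cased, no trailing dot

    @classmethod
    def from_dict(cls, iocs):
        m = cls()
        for ip in iocs.get("ips", []):
            m.networks.append(ipaddress.ip_network(ip, strict=False))
        for d in iocs.get("domains", []):
            m.domains.add(d.lower().rstrip("."))
        return m

    def ip_hit(self, addr):
        """Return the matching network as a string, or None."""
        try:
            a = ipaddress.ip_address(addr)
        except ValueError:
            return None
        for net in self.networks:
            if a in net:
                return str(net)
        return None

    def domain_hit(self, name):
        """Match the name or any parent on a label boundary; no substring matches."""
        labels = name.lower().rstrip(".").split(".")
        for i in range(len(labels)):
            candidate = ".".join(labels[i:])
            if candidate in self.domains:
                return candidate
        return None

    def scan(self, lines):
        """Return one hit dict per log record that touches a listed indicator."""
        hits = []
        for line in lines:
            rec = json.loads(line)
            if rec.get("_path") == "conn":
                ind = self.ip_hit(rec.get("id.resp_h", ""))
                kind = "ip"
            elif rec.get("_path") == "dns":
                ind = self.domain_hit(rec.get("query", ""))
                kind = "domain"
            else:
                continue
            if ind:
                hits.append({"ts": rec["ts"], "src": rec["id.orig_h"],
                             "type": kind, "indicator": ind})
        return hits


def suricata_rules(iocs, sid_start=9000001):
    """Emit Suricata rules: IP rules for hosts/CIDRs, dns.query rules with the
    dotprefix/endswith transforms so subdomains of a listed domain also alert."""
    rules, sid = [], sid_start
    for net in iocs.get("ips", []):
        rules.append(f'alert ip $HOME_NET any -> {net} any '
                     f'(msg:"RedHotel IoC IP {net}"; sid:{sid}; rev:1;)')
        sid += 1
    for d in iocs.get("domains", []):
        rules.append(f'alert dns $HOME_NET any -> any any (msg:"RedHotel IoC domain {d}"; '
                     f'dns.query; dotprefix; content:".{d}"; endswith; nocase; sid:{sid}; rev:1;)')
        sid += 1
    return rules


if __name__ == "__main__":
    matcher = IocMatcher.from_dict(IOCS)
    for hit in matcher.scan(SAMPLE_LOGS):
        print(hit)
    print("\n".join(suricata_rules(IOCS)))
```

The scan flags the two conn records to listed addresses (one exact host, one inside the /24) and the dns lookup of a subdomain of a listed domain; the lookalike names produce no hit. Because redirector addresses change frequently, the generated rules should be regenerated from the current indicator list rather than maintained by hand.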
Organizations should also take a risk-based approach to vulnerability patching, prioritizing high-risk vulnerabilities and those being exploited in the wild. They should ensure that security monitoring and detection capabilities cover all external-facing services and devices, and follow up with investigation whenever webshells, backdoors, reverse shells, or lateral movement are detected.
Insikt also advised network segmentation as a general practice, with extra controls for sensitive information, including restricting access to and storage of that information to systems reachable only from the internal network.