According to cybersecurity firm Recorded Future, these attacks are the work of a Chinese state-sponsored group it tracks as RedHotel (formerly Threat Activity Group 22, or TAG-22). RedHotel's activity overlaps with clusters that other vendors track as Aquatic Panda, Bronze University, Charcoal Typhoon, Earth Lusca, and Red Scylla (also known as Red Dev 10).
Since it began operating in 2019, the group has concentrated on a number of sectors, including academia, aerospace, government, media, telecommunications, and research. Notably, government organizations have made up a sizable share of its targets over that period.
Recorded Future emphasized that RedHotel conducts economic espionage alongside traditional intelligence collection. Its operations have shown a remarkable degree of persistence, operational rigor, and global reach: it is known to target government organizations for conventional intelligence objectives, as well as businesses engaged in COVID-19 research and in the development of new technologies.
Trend Micro described this adversary as a “highly skilled and dangerous threat actor, principally motivated by cyberespionage and financial gain” in early January 2022.
RedHotel has also been linked to exploitation of the Log4Shell vulnerability (CVE-2021-44228) and to attacks against telecommunications providers, educational institutions, research and development organizations, and government agencies in Nepal, the Philippines, Taiwan, and Hong Kong. The goal of these intrusions is to plant backdoors that provide continuous access over a long period.
A recurring pattern in RedHotel's campaigns is initial access through the compromise of public-facing applications. The group then deploys a combination of offensive security tools, such as Cobalt Strike and Brute Ratel C4 (BRc4), alongside custom malware families including FunnySwitch, ShadowPad, Spyder, and Winnti.
A distinguishing feature of the group's tradecraft is its multi-layered infrastructure, in which each layer serves a specific purpose, such as initial reconnaissance or maintaining persistent access through command-and-control servers. Its continued preference for Namecheap as a domain registrar indicates some degree of continuity in its methods.
This information aligns with a Washington Post report that Chinese hackers had gained sustained access to Japan's highly sensitive defense networks. In an unusual move, the U.S. National Security Agency (NSA), which discovered the intrusion in late 2020, directly informed Japanese government leaders of the situation.