Digital Threat Digest - 18 August 2022
PGI’s Digital Investigations Team brings you the Digital Threat Digest, SOCMINT and OSINT insights into disinformation, influence operations, and online harms.
Big phish, same pond
This newsletter traditionally focuses on disinformation, hate speech, electoral integrity, and conspiracy. But PGI is not only an intelligence company but a cybersecurity one too. Often, these two things overlap, and Advanced Persistent Threats (APTs) are one example of this. APTs are sophisticated, long-running intrusions that use continuous, clandestine TTPs (tactics, techniques, and procedures) to gain access to systems and then remain inside them for a long time. Mandiant’s 2014 report into APT1 is a fascinating long read into how China’s Cyber Espionage Unit, PLA Unit 61398, systematically stole hundreds of terabytes of data between 2006 and 2013 using a broad range of malware. The report even manages to geolocate the unit, estimating that its Shanghai building could hold more than 2,000 operatives.
Since that report, APTs have become a corporate nightmare – especially for companies holding data and intelligence deemed ‘of interest’ to the traditional state threat actors (China, Iran, Russia, etc.). Despite knowing where these threats come from and who is behind them, the very nature of APTs makes it difficult to ever shut them down – APT1, for example, is still an active cyber threat. RedAlpha, also known as Deepcliff or Red Dev 3, is one APT that blurs the line between traditional cyber threats and the kinds of threats we monitor on the intelligence side of PGI. Chinese state-backed threat actors are thought to be behind it, and new research has found that the APT is targeting humanitarian groups, think tanks, and government organisations worldwide that work on behalf of, or in support of, the Uyghurs, Tibet, and Taiwan. The group harvests data predominantly through highly sophisticated phishing emails that link to spoof domains mimicking the targeted organisation’s corporate login page. RedAlpha has also pivoted heavily to targeting Taiwanese communities and businesses, pulling intelligence for the PLA and CCP that is likely to be abused in the event of an invasion.
Now, traditionally, phishing emails and spoof domains are associated with fraud and money-making. But when they are state-backed by a country like China, the chances are they aren’t trying to make a quick buck. China has for a long time used hacked data and intelligence to curate its disinformation campaigns and domestic propaganda. This is further evidenced by who and what RedAlpha targets – each community is directly linked to the mission to unify and strengthen China under the ‘one China’ policy. These Chinese APTs are not something to brush off as a ‘cyber problem’, because while they may be difficult to understand for someone without an IT background, for us in the OSINT, disinformation, and human rights world they represent one of the top rungs on the sophistication ladder and are extremely dangerous.
Ultimately, phishing schemes succeed because they use publicly accessible imagery to look legitimate. To the untrained eye, a solid logo, company colours, company font, and plausible text are enough to lull someone into a false sense of security and click a link. Then a spoof domain with all the same legitimate aesthetics appears and ‘oh, that must have been a legit link, let me just log in’. Then the APT is in the system and could stay there for months, harvesting data not only from your account but from everyone in the company. Then, further down the line, those vulnerable people living in China whose PII was ‘secure’ on your servers? They’re now more vulnerable than they ever have been, because RedAlpha has fed that information back to the CCP, who have handed it over to the PLA.
So, the moral of this story is: don’t just delete those emails from your cybersecurity or IT teams. Read them, understand them, ask questions if you’re not sure, never click on a link without checking that the sender and the link are what they claim to be, and never log in anywhere without checking the URL first. Oh, and make sure your password is strong – that’s not something IT asks because they want to be annoying. Otherwise, all your hard work to protect people from disinformation, human rights abuses, and real-world harm could be undone in the literal click of a button.
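As an added illustration of the ‘check the link before you log in’ advice above (example code written for this digest, not PGI tooling and not anything RedAlpha-specific), here is a small Python check that flags anchors whose real destination is not a trusted login host, or whose visible text names a different host from where the link actually goes. The trusted hosts and the example-corp.com domains in the constructed sample email are assumed placeholders.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

# Assumed legitimate login hosts for the organisation (constructed placeholders).
TRUSTED_LOGIN_HOSTS = {"login.example-corp.com", "sso.example-corp.com"}

class _LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs from every <a> tag in the body."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href", ""), []
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None

def _host_in_text(text):
    """Host named by the visible link text, or '' if the text is not URL-like."""
    if "://" not in text and "." not in text:
        return ""
    return (urlparse(text if "://" in text else "http://" + text).hostname or "").lower()

def check_links(html):
    """Return (href, verdict) per anchor: SUSPICIOUS if the real host is untrusted
    or the visible text names a different host than the href actually goes to."""
    parser = _LinkCollector()
    parser.feed(html)
    results = []
    for href, text in parser.links:
        real_host = (urlparse(href).hostname or "").lower()
        shown_host = _host_in_text(text)
        if real_host not in TRUSTED_LOGIN_HOSTS:
            results.append((href, "SUSPICIOUS: untrusted host " + real_host))
        elif shown_host and shown_host != real_host:
            results.append((href, "SUSPICIOUS: text shows %s, link goes to %s" % (shown_host, real_host)))
        else:
            results.append((href, "OK"))
    return results

# Constructed sample: the visible text mimics the corporate login URL, the href does not.
SAMPLE_EMAIL = ('<p>Your password expires today. <a href="https://login.example-corp.com.verify-account.net/sso">'
                'https://login.example-corp.com/sso</a></p><p><a href="https://sso.example-corp.com/help">Help</a></p>')
```

Note that the first link’s real host ends in verify-account.net even though it starts with the genuine login hostname, which is exactly why the check compares the whole hostname against an allowlist rather than looking for a familiar prefix.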
More about Protection Group International's Digital Investigations
PGI’s Social Media Intelligence Analysts combine modern exploitative technology with deep human analytical expertise that covers the social media platforms themselves and the behaviours and the intents of those who use them. Our experienced analyst team have a deep understanding of how various threat groups use social media and follow a three-pronged approach focused on content, behaviour and infrastructure to assess and substantiate threat landscapes.
Disclaimer: Protection Group International does not endorse any of the linked content.