The China-backed hacking group referred to as RedHotel has been linked to attacks in 17 countries during a three-year espionage campaign. According to cybersecurity firm Recorded Future, RedHotel has been infiltrating sectors such as academia, aerospace, government, media, telecoms, and research while operating across the US, Europe, and Asia.
Since at least 2019, RedHotel has exemplified a relentless scope and scale of wider state-sponsored cyber-espionage activity by maintaining a high operational tempo and targeting public and private sector organizations globally. The China-backed group often uses unique bespoke malware. Another aspect of RedHotel’s modus operandi is the use of a multi-tiered infrastructure, each focusing on initial reconnaissance and long-term network access via command-and-control servers, mainly using NameCheap for domain registration. Its campaigns also include innovations such as exploiting a stolen code signing certificate to take control of Vietnamese government infrastructure.
“RedHotel has a dual mission of intelligence gathering and economic espionage. It targets both government entities for traditional intelligence and organizations involved in COVID-19 research and technology R&D,” says Recorded Future.
The group is also observed to have been involved in wider Chinese state-sponsored cyber espionage. While the China-backed group is being tracked under the name RedHotel, it has previously been identified as Threat Activity Group-22 (or TAG-22), overlapping with Aquatic Panda, Bronze University, Charcoal Typhoon, Earth Lusca, and Red Scylla (or Red Dev 10).
Early last year, cybersecurity firm Trend Micro described the group as “a highly-skilled and dangerous threat actor mainly motivated by cyber espionage and financial gain.”
RedHotel’s tactics, techniques, and procedures (TTPs) are reported to be similar to those employed by other contractor groups linked to China’s Ministry of State Security (MSS), making it likely that the group’s main operations are located in the city of Chengdu. With a population of 21 million, it is the fourth-largest urban conurbation in China and is well-known as a center for hacking operations. This places the group well outside any possible jurisdiction from the US or Europe, meaning that the RedHotel hackers can currently carry on spying with impunity.
Aside from the security implications, there is a growing threat to the West’s long-standing technological lead over China. Industrial espionage, of the kind routinely carried out by the RedHotel group, enables China to benefit from the billions of dollars in research and development invested by Western corporations and countries. China’s theft of highly valuable intellectual property already includes technology involving military hardware in addition to commercial technology such as the design and manufacture of gas and steam turbines.