A private American cybersecurity company said in a new report Thursday that a Chinese hacking group that is likely state-sponsored, and that has previously been linked to attacks on U.S. state government computers, is still “highly active” and is focusing on a wide range of targets that may be of strategic interest to China’s government and security services.
According to Jon Condra, director of strategic and persistent threats for Insikt Group, the threat research division of Massachusetts-based cybersecurity company Recorded Future, the hacking group known as RedGolf in the report shares such close overlap with groups tracked by other security companies under the names APT41 and BARIUM that it is believed they are either the same or very closely affiliated.
According to Insikt Group, a cluster of domains and infrastructure “most likely used throughout many campaigns by RedGolf” during the preceding two years was discovered by following up on previously reported APT41 and BARIUM operations and monitoring the targets that were attacked.
Condra responded to inquiries from The Associated Press via email, saying that given the overlaps with prior documented cyber espionage activities, “we believe this action is likely being performed for intelligence goals rather than financial gain.”
China’s Foreign Ministry refuted the allegations, stating that “this company has repeatedly given incorrect information about ‘Chinese hacking attacks’ in the past. Their appropriate behavior is amateurish, implausible, and based on baseless claims.”
Chinese authorities routinely deny that any type of hacking is state-sponsored and instead assert that their country is a significant target of cyberattacks.
A 2020 U.S. intelligence report implicated APT41, and Chinese hackers were charged in a Justice Department indictment for allegedly targeting more than 100 businesses and organizations both domestically and internationally, including colleges, social media and video game developers, and telecommunications corporations.
According to the analysis done by Insikt Group, RedGolf “remains highly active” in a variety of nations and businesses, “targeting aviation, automobile, education, government, media, information technology, and religious organizations.”
RedGolf’s exact victims were not named by Insikt Group, but it claimed to be able to monitor scanning and exploitation attempts against various sectors using a variant of the KEYPLUG backdoor malware that APT41 also employed.
In addition to KEYPLUG, Insikt claimed to have discovered many more malicious tools used by RedGolf, “all of which are frequently utilized by several Chinese state-sponsored threat groups.”
According to the cybersecurity company Mandiant, APT41 used KEYPLUG to access the networks of at least six U.S. state governments in 2022.
According to Mandiant, a company now owned by Google, APT41 in that instance exploited a previously unidentified weakness in a commercial off-the-shelf web application used by 18 states for managing animal health.
It made no mention of which states’ systems were compromised.
Mandiant described APT41 as “a prominent cyber threat group that engages in financially driven operations that may be outside of state control in addition to Chinese state-sponsored espionage activity.”
Condra stated that APT41, BARIUM, and RedGolf “likely refer to the same set of threat actor(s)” due to similarities in their online infrastructure, tactics, techniques, and procedures.
Cyber intelligence companies use different tracking methodologies and frequently name the threats they identify differently.
RedGolf is a highly active Chinese state-sponsored threat actor outfit that has probably been attacking a variety of global companies for many years, he claimed.
The group has a history of creating and utilizing a wide variety of proprietary malware families, and it has demonstrated the capacity to weaponize freshly revealed vulnerabilities quickly.
RedGolf and other groups are “very likely” to continue using KEYPLUG malware through specific kinds of command and control servers, according to Insikt Group, which advised clients to make sure such servers are blocked as soon as they are discovered.
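The advice above, to block known command and control infrastructure as soon as it is published, is only useful if a defender can also check whether any host already talked to it. The following is an added example, not code from Insikt Group, Recorded Future, or the AP article: it matches constructed outbound-connection log lines against a blocklist of domains and IP ranges. Every indicator in it is a labelled placeholder (the `.example` domains and the 203.0.113.0/24 documentation range); the report's actual RedGolf/KEYPLUG indicators are not reproduced, and the key=value log format is an assumption made for the example.

```python
"""Added example (not from the Recorded Future report or the AP article):
match outbound-connection log lines against a C2 blocklist so that newly
published indicators can be blocked and any earlier contact with them found.

All indicators are constructed placeholders. The key=value log format is
also an assumption made for this example.
"""
import ipaddress
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Set

# Constructed placeholder blocklist. A real one would be loaded from the
# threat-intelligence feed that published the indicators.
BLOCKLIST = {
    "domains": {"c2-placeholder-1.example", "c2-placeholder-2.example"},
    "networks": {ipaddress.ip_network("203.0.113.0/24")},  # TEST-NET-3 range
}


@dataclass(frozen=True)
class Hit:
    line_no: int
    src: str
    indicator: str
    reason: str


_KV = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_line(line: str) -> Dict[str, str]:
    """Parse a key=value log line into a dict; quoted values lose their quotes."""
    return {k: v.strip('"') for k, v in _KV.findall(line)}


def domain_matches(name: str, blocked: Set[str]) -> Optional[str]:
    """Return the blocked domain that `name` equals or is a subdomain of."""
    name = name.lower().rstrip(".")
    for d in blocked:
        if name == d or name.endswith("." + d):
            return d
    return None


def network_matches(addr: str, blocked: Set) -> Optional[str]:
    """Return the blocked network containing `addr`, or None if no match."""
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:  # empty or malformed address field
        return None
    for net in blocked:
        if ip in net:
            return str(net)
    return None


def scan(lines, blocklist=BLOCKLIST) -> List[Hit]:
    """Return one Hit per log line whose destination touches the blocklist."""
    hits = []
    for n, line in enumerate(lines, 1):
        rec = parse_line(line)
        src = rec.get("src", "?")
        d = domain_matches(rec.get("dst_host", ""), blocklist["domains"])
        if d:
            hits.append(Hit(n, src, d, "domain"))
            continue  # one hit per line is enough
        net = network_matches(rec.get("dst_ip", ""), blocklist["networks"])
        if net:
            hits.append(Hit(n, src, net, "ip"))
    return hits


# Constructed sample egress log: two benign lines, two touching placeholders.
SAMPLE_LOG = [
    'ts=2023-03-30T10:00:01Z src=10.0.0.12 dst_host=updates.example.org dst_ip=198.51.100.7 action=allow',
    'ts=2023-03-30T10:00:05Z src=10.0.0.31 dst_host=beacon.c2-placeholder-1.example dst_ip=192.0.2.44 action=allow',
    'ts=2023-03-30T10:00:09Z src=10.0.0.12 dst_host="" dst_ip=203.0.113.17 action=allow',
    'ts=2023-03-30T10:00:12Z src=10.0.0.50 dst_host=mail.example.org dst_ip=198.51.100.9 action=allow',
]

if __name__ == "__main__":
    for h in scan(SAMPLE_LOG):
        print(f"line {h.line_no}: {h.src} -> {h.indicator} ({h.reason})")
```

The domain check deliberately matches subdomains, since beaconing hosts are commonly addressed by a label under a registered indicator domain, and the IP check falls back to the address field when no hostname was resolved, which is why the third sample line is still caught.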