Using Recorded Future® Network Intelligence, Insikt Group have identified RedHotel targeting at least 17 countries within Asia, Europe, and North America from 2021 to 2023, across academia, aerospace, government, media, telecommunications, and research and development (R&D) sectors. RedHotel primarily poses a threat to government organizations worldwide, particularly within the Southeast Asia region, as well as private sector companies operating within the highlighted targeted sectors.
"We identified RedHotel employing a multi-tiered infrastructure network for malware command-and-control (C2), reconnaissance, and exploitation, and observed likely administration of this infrastructure from China-based IP addresses geolocating to Chengdu, Sichuan province, China."
Earlier industry findings on RedHotel activity further corroborate that the group likely operates out of Chengdu. In addition, RedHotel’s targeting purview, tooling, and modus operandi closely resemble the operations of other private contractor groups affiliated with China’s Ministry of State Security (MSS), including other Chengdu-based threat activity groups such as RedGolf (aka APT41, Brass Typhoon).
The well-documented activity of multiple MSS-linked contractors located in Chengdu, several of which have displayed close ties to local universities, provides evidence that the city is likely a hub of MSS-linked cyber talent development and operations (1, 2). Organizations can defend against RedHotel activity by prioritizing hardening and vulnerability patching of internet-facing appliances (particularly corporate VPN, mail server, and network devices), logging and monitoring of these devices, and implementing network segmentation to limit the exposure of internal networks and reduce the potential for lateral movement.
RedHotel activity overlaps with publicly reported activity under the aliases Aquatic Panda (CrowdStrike), BRONZE UNIVERSITY (SecureWorks), Charcoal Typhoon (Microsoft), Earth Lusca (Trend Micro), and Red Scylla (PWC), and was previously tracked by Recorded Future under the temporary group designator TAG-22.