
Report: Chinese State-Sponsored Hacking Group Highly Active

A Chinese hacking group that is likely state-sponsored and has been linked previously to attacks on U.S. state government computers is still “highly active” and is focusing on a broad range of targets that may be of strategic interest to China’s government and security services, according to a new report from a private American cybersecurity firm. The hacking group, called RedGolf by the report, is thought to be either the same or very closely affiliated with the groups tracked by other security companies under the names APT41 and BARIUM.

Following up on previous reports of APT41 and BARIUM activities, Insikt Group identified a cluster of domains and infrastructure “highly likely used across multiple campaigns by RedGolf” over the past two years. Insikt Group believes the activity is being conducted for intelligence purposes rather than financial gain, due to the overlaps with previously reported cyberespionage campaigns.

In 2020, the U.S. Justice Department indicted APT41 for targeting more than 100 companies and institutions in the U.S. and abroad, and Insikt Group found evidence that RedGolf “remains highly active” in a wide range of countries and industries, targeting aviation, automotive, education, government, media, information technology and religious organizations.

Insikt Group identified several malicious tools used by RedGolf in addition to the KEYPLUG malware, “all of which are commonly used by many Chinese state-sponsored threat groups.” In 2022, Mandiant reported that APT41 was responsible for breaches of the networks of at least six U.S. state governments, also using KEYPLUG.

Insikt Group concluded that the use of KEYPLUG malware through certain types of command and control servers by RedGolf and similar groups is “highly likely to continue” and recommended that clients ensure such servers are blocked as soon as they are detected.

China’s Foreign Ministry denied the accusations, saying, “This company has produced false information on so-called ‘Chinese hacker attacks’ more than once in the past. Their relevant actions are groundless accusations, far-fetched, and lack professionalism.” Chinese authorities have consistently denied any form of state-sponsored hacking, instead saying China itself is a major target of cyberattacks.

In conclusion, a Chinese hacking group believed to be state-sponsored and named RedGolf is still highly active and is targeting a wide range of countries and industries of strategic interest to China’s government and security services. The group has been linked to multiple attacks on U.S. state government computers and is believed to be the same or very closely affiliated with the groups tracked by other security companies under the names APT41 and BARIUM. China has denied any involvement in state-sponsored hacking, but the use of KEYPLUG malware through certain types of command and control servers by RedGolf and similar groups is “highly likely to continue”.

Key Points:

  • A Chinese hacking group that is likely state-sponsored is still “highly active” and is focusing on a broad range of targets of strategic interest to China’s government and security services.
  • The group, named RedGolf, is thought to be either the same or very closely affiliated with the groups tracked by other security companies under the names APT41 and BARIUM.
  • In 2020, the U.S. Justice Department indicted APT41 for targeting more than 100 companies and institutions in the U.S. and abroad.
  • Insikt Group identified several malicious tools used by RedGolf in addition to KEYPLUG, all of which are commonly used by many Chinese state-sponsored threat groups.
  • China has denied any involvement in state-sponsored hacking, but the use of KEYPLUG malware through certain types of command and control servers by RedGolf and similar groups is “highly likely to continue”.
