Insikt Group Reveals RedNovember Attacks On Governments & Other Organizations
- usareisende
- Sep 25
- 3 min read
Updated: Nov 7
The cat-and-mouse game against hackers continues, as a report from an online security group alleges that a state-sponsored attack intended for espionage has been ongoing for over a year. Beyond these alarming attacks, the methodology and timeline used paint a disturbing picture of vulnerability.
Recorded Future reported that its research division, Insikt Group, has been monitoring cyber-espionage activities. Initially tracked as TAG-100, the threat group targets government institutions and other high-profile organizations worldwide. The campaign was also persistent and ongoing, with activity detected for more than a year (June 2024 to July 2025). These activities are suspected to be the work of Chinese state-sponsored hackers.
Code Name RedNovember
The research group updated their designation for these hackers as RedNovember, with their attacks reaching far and wide:
“...victims, which include a ministry of foreign affairs in central Asia, a state security organization in Africa, a European government directorate, and a Southeast Asian government. RedNovember also likely compromised at least two United States (US) defense contractors, a European engine manufacturer, and a trade-focused intergovernmental cooperation body in Southeast Asia.”
Their purpose for these attacks is fairly simple: they are looking to extract sensitive information from their government targets, gain access to other sensitive data and processes, and even influence data to their advantage.
Aside from their straightforward purpose of attacking institutions, their initial exploitation targets edge devices that directly interact with basic services and do not require a server response. Security devices deployed in these institutions, such as VPN appliances and firewalls, are also targeted.
Lowered Barrier of Entry and Faster Response to Exposed Vulnerability
These allegedly state-sponsored attacks have been persistent, dangerous, and far-reaching simply because of the available tools. Hackers have used Pantegana and SparkRAT - two open-source tools that simplify attacks due to the minimal expertise required.
Beyond increasing the number of potential threat actors, open-source tools are often not flagged. In previous years, attacks had to be carried out with custom-made tools, which could be detected more easily because security controls are built to flag unknown activity within the network. These concerns are exacerbated by the fact that newly disclosed vulnerabilities can be exploited in as little as 72 hours from the time they are discovered.
Hackers also hide their identity from tracing by masking their IP addresses through VPNs. According to the researchers' July 2024 report, IP addresses associated with ExpressVPN were used to hide their identity.
Firmware Vulnerability and the Need for Beefed Up Security
According to Eclypsium, these attacks are not just run-of-the-mill hacking for espionage. Aside from the use of efficient tools that do not require extensive technical expertise, these attacks also highlight a fundamental problem with edge and other network devices: old frameworks and a lack of transparency around updating their security features:
“Even if you think you’ve eradicated an attacker’s presence, compromised firmware can provide a pathway back in. In the case of network devices, the pre-installed operating system behaves like firmware in that it is not user-facing and is minimally visible to the end user, making it challenging to protect.”
Ultimately, network security experts face the challenge of protecting their networks against a growing threat, especially those handling sensitive transactions. Additional security controls, active monitoring of edge and externally facing devices, and limited exposure to outside interactions have to be prioritized to prevent these types of attacks.