Cyberespionage campaigns attributed to Chinese state-sponsored actors have hit organizations across several countries. After targeting Indian organizations in the power sector earlier this year (the activity tracked as RedEcho), Chinese state actors are now targeting multiple sectors in the countries that border China’s Western Theater Command, notably India, Pakistan, and the Central Asian states. Researchers at Recorded Future uncovered a threat activity group, dubbed RedFoxtrot, targeting aerospace, defense, government, telecommunications, mining, and research organizations in Afghanistan, Kazakhstan, Kyrgyzstan, Pakistan, India, Tajikistan, and Uzbekistan.
Recorded Future ties RedFoxtrot’s activity to China’s military-intelligence apparatus, specifically People’s Liberation Army (PLA) Unit 69010 within the Strategic Support Force (SSF). RedFoxtrot maintains a large operational infrastructure and leverages both bespoke and publicly available malware families and tooling commonly used by Chinese cyberespionage groups, including Icefog, PlugX, Royal Road, Poison Ivy, ShadowPad, and PCShare.
Key Findings
- Active since at least 2014, RedFoxtrot has predominantly targeted government, defense, telecommunications, and other organizations across Central and South Asia, in line with the operational remit of PLA Unit 69010.
- RedFoxtrot maintains a large operational infrastructure and has likely employed both bespoke and publicly available malware families commonly used by Chinese cyberespionage groups.
- RedFoxtrot activity overlaps with activity that other security vendors track as TEMP.Trident and Nomad Panda.
- Recorded Future assesses with high confidence that RedFoxtrot is a Chinese state-sponsored threat activity group, based on identified links to a specific PLA unit and its use of shared custom capabilities considered unique to Chinese cyberespionage groups.
Cybersecurity experts have uncovered evidence that interconnects several multi-year and sprawling cyber-espionage campaigns to a Chinese military unit operating out of the city of Ürümqi in China’s western province of Xinjiang https://t.co/yiw3vrcf9I
— The Record by Recorded Future (@TheRecord_Media) June 16, 2021
“The recent activity of the People’s Liberation Army has largely been a black box for the intelligence community. Being able to provide this rare end-to-end glimpse into PLA activity and Chinese military tactics and motivations provides invaluable insight into the global threat landscape. The persistent and pervasive monitoring and collection of intelligence is crucial to disrupt adversaries and inform an organization or government’s security posture,” said Dr. Christopher Ahlberg, CEO and Co-Founder, Recorded Future.
RedFoxtrot Focuses on India
Researchers from Recorded Future noted that RedFoxtrot’s recent cyber operations have focused particularly on Indian organizations.
“Activity over the past six-month period showed a particular focus on Indian targets, which occurred at a time of heightened border tensions between India and the People’s Republic of China (PRC). Notable RedFoxtrot victims over the past six months include multiple Indian aerospace and defense contractors; telecommunications companies in Afghanistan, India, Kazakhstan, and Pakistan; and several national and state institutions in the region,” the researchers said.
Addressing a media briefing today, Jon Condra, Director, Strategic and Persistent Threats at Recorded Future said, “One of the characteristics of RedFoxtrot is that they make heavy use of Dynamic DNS (DDNS) domains that often contain hints regarding geographical targeting or spoof specific organizations. Some examples are Indian telecom provider – BSNL (inbsnl.ddns.info), Indian defense contractor and electronics manufacturer – Advanced Design Technologies (adtl.mywire.org), and Indianmail.zyns.com.”
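The DDNS pattern Condra describes is something a defender can hunt for directly. The following is an added example, not code from Recorded Future or the original article: it parses a small DNS query log, isolates queries to dynamic-DNS provider zones, and flags hostnames that carry an organization or country keyword an attacker in this region would plausibly spoof. The three hostnames from the quote are used as sample entries; the remaining log lines, the extra DDNS zones, the keyword list, and the log format are assumptions made for the example.

```python
"""Hunt for RedFoxtrot-style dynamic-DNS hostnames in a DNS query log.

Added example; not Recorded Future's tooling. Log format, extra DDNS zones
and the keyword list are assumptions for illustration.
"""
import re
from collections import namedtuple

# Dynamic-DNS zones. The first three appear in the quoted RedFoxtrot examples;
# the rest are common providers added here as an assumption. Extend as needed.
DDNS_ZONES = {
    "ddns.info", "mywire.org", "zyns.com",          # from the quoted examples
    "ddns.net", "no-ip.org", "dynu.net", "dyndns.org",  # assumed additions
}

# Organization and country fragments a defender in this region would expect an
# attacker to spoof (constructed list: BSNL and ADTL from the quote, countries
# from the reported victim set). Tune to your own sector and geography.
SPOOF_KEYWORDS = {
    "bsnl", "adtl", "india", "pakistan", "afghan",
    "kazakh", "kyrgyz", "tajik", "uzbek",
}

DnsEvent = namedtuple("DnsEvent", "ts client qname")
Finding = namedtuple("Finding", "ts client qname zone keywords")

# Assumed one-line log format: "<timestamp> <client_ip> <queried_name>"
LINE_RE = re.compile(r"^(?P<ts>\S+)\s+(?P<client>\S+)\s+(?P<qname>\S+)$")


def parse_line(line):
    """Parse one log line; return None for lines that do not match the format."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    # normalise: drop trailing root dot, lower-case the name
    return DnsEvent(m["ts"], m["client"], m["qname"].rstrip(".").lower())


def ddns_zone(qname):
    """Return the DDNS zone that qname falls under, or None.

    Every label-aligned suffix is tested so that multi-label zones match and
    partial-label matches (e.g. 'xddns.info') are not produced.
    """
    labels = qname.split(".")
    for i in range(len(labels) - 1):
        candidate = ".".join(labels[i:])
        if candidate in DDNS_ZONES:
            return candidate
    return None


def spoof_hits(qname, zone):
    """Keywords found in the host part of qname (zone stripped, separators removed)."""
    host = qname[: len(qname) - len(zone) - 1] if len(qname) > len(zone) else ""
    host = host.replace("-", "").replace("_", "")
    return sorted(k for k in SPOOF_KEYWORDS if k in host)


def scan(lines):
    """All queries to a DDNS zone, each with whatever spoof keywords it contains."""
    findings = []
    for line in lines:
        ev = parse_line(line)
        if ev is None:
            continue
        zone = ddns_zone(ev.qname)
        if zone is None:
            continue
        findings.append(Finding(ev.ts, ev.client, ev.qname, zone, spoof_hits(ev.qname, zone)))
    return findings


def spoofing_findings(lines):
    """Higher-confidence subset: DDNS hostnames that also carry a spoof keyword."""
    return [f for f in scan(lines) if f.keywords]


# Constructed sample log for the example; the three flagged names come from the quote.
SAMPLE_DNS_LOG = """\
2021-06-16T08:01:12Z 10.20.0.14 inbsnl.ddns.info.
2021-06-16T08:01:13Z 10.20.0.14 www.example.com.
2021-06-16T08:02:40Z 10.20.0.57 adtl.mywire.org.
2021-06-16T08:03:05Z 10.20.0.57 indianmail.zyns.com.
2021-06-16T08:04:00Z 10.20.0.91 homecam.ddns.net.
garbage line
""".splitlines()


if __name__ == "__main__":
    for f in scan(SAMPLE_DNS_LOG):
        level = "HIGH" if f.keywords else "low"
        print(f"[{level}] {f.ts} {f.client} -> {f.qname} (zone={f.zone}, keywords={f.keywords})")
```

Plain DDNS usage on its own is common in benign traffic (the `homecam.ddns.net` line is kept at low severity for that reason); the keyword match is what lifts a query to the kind of organization-spoofing hostname described above, so the two tiers are returned separately.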
Earlier this year, a China-linked threat activity group, dubbed RedEcho, targeted 12 Indian organizations, 10 of which were in the power sector. Researchers found that a subset of RedEcho’s servers shared tactics, techniques, and procedures (TTPs) with several previously reported Chinese state-sponsored groups.