A series of cyber espionage operations dating back to 2014, aimed primarily at acquiring sensitive defense information from China's neighbors, has been attributed to a Chinese military intelligence unit. A report released this week by Massachusetts-based Recorded Future links a group it tracks as RedFoxtrot to People's Liberation Army (PLA) Unit 69010, located in Ürümqi, the capital of the Xinjiang Uyghur Autonomous Region.

The link between RedFoxtrot and PLA Unit 69010 rests on what the researchers describe as "lax operational security measures" by a suspected RedFoxtrot operator. That individual's online activity inadvertently exposed the physical location of the reconnaissance bureau and pointed to past ties with the PLA's former Communications Command Academy in Wuhan.

RedFoxtrot targets government, defense, and telecommunications organizations across Central Asia, India, and Pakistan. In recent months the group compromised three Indian aerospace and defense firms, along with major telecom providers and government bodies in Afghanistan, India, Kazakhstan, and Pakistan. Its activity was most pronounced during periods of heightened border tension between India and the People's Republic of China.

The group's intrusions relied on a toolset common to Chinese cyber espionage operators: PlugX, the Royal Road RTF weaponizer, QUICKHEAL, PCShare, IceFog, and the Poison Ivy RAT. Its infrastructure also overlapped with what Recorded Future tracks as AXIOMATICASYMPTOTE, the name it gives to infrastructure tied to the modular Windows backdoor ShadowPad, which was first associated with APT41 and has since been shared among several Chinese state-sponsored groups.

Domains used by RedFoxtrot, such as "inbsnl.ddns[.]info" and "adtl.mywire[.]org" (host labels registered under dynamic DNS services), point to specific Indian targets: the telecom provider Bharat Sanchar Nigam Limited (BSNL) and Alpha Design Technologies Limited (ADTL), which develops missile, radar, and satellite systems. The activity continues a pattern of China-linked intrusions in India; earlier this year Recorded Future described another group, RedEcho, which targeted critical infrastructure including power plants operated by the National Thermal Power Corporation and other entities in New Delhi.
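The two indicators above are published defanged, and the interesting property is not the exact strings but the pattern: a host label that echoes a target organization's acronym, registered under a free dynamic DNS zone. The following is an added example (not code from the Recorded Future report or from this article) of how a defender would operationalize that: refang the published indicators, then run DNS query logs through a check for exact matches and for look-alike labels under dynamic DNS zones. The dynamic DNS zone list, the organization watchlist, and the DNS log lines are all constructed assumptions for the example; a real deployment would use a maintained provider list and its own log format.

```python
"""Triage DNS query logs against defanged domain indicators and a
dynamic-DNS impersonation heuristic.  Example code, not part of the
original article or report; provider zones, watchlist and the sample
log below are constructed for illustration."""

import re
from dataclasses import dataclass
from typing import List, Optional, Set

# Indicators exactly as the article quotes them (defanged with [.]).
IOC_DOMAINS_DEFANGED = ["inbsnl.ddns[.]info", "adtl.mywire[.]org"]

# ASSUMPTION: a short list of dynamic DNS zones.  Real deployments should
# load a maintained list; these are only illustrative entries.
DYNAMIC_DNS_ZONES: Set[str] = {"ddns.info", "mywire.org", "ddns.net", "no-ip.org", "dynu.net"}

# ASSUMPTION: acronyms of organizations whose names an attacker might embed
# in a host label, taken from the targets discussed in the article.
ORG_WATCHLIST = {
    "bsnl": "Bharat Sanchar Nigam Limited",
    "adtl": "Alpha Design Technologies Limited",
}


def refang(indicator: str) -> str:
    """Turn a defanged indicator (hxxp://, [.], (.), [dot]) back into a
    lower-case resolvable name with any scheme, path and trailing dot removed."""
    s = indicator.strip().lower()
    s = re.sub(r"^hxxps?://", "", s)
    s = s.split("/")[0]
    for token in ("[.]", "(.)", "[dot]"):
        s = s.replace(token, ".")
    return s.rstrip(".")


def ddns_zone(domain: str) -> Optional[str]:
    """Return the dynamic DNS zone a name sits under, or None.  Requires at
    least one host label in front of the zone, so the provider apex itself
    (e.g. 'ddns.info') is not treated as an attacker host."""
    labels = domain.split(".")
    for i in range(1, len(labels) - 1):
        suffix = ".".join(labels[i:])
        if suffix in DYNAMIC_DNS_ZONES:
            return suffix
    return None


def watchlist_hits(host_label: str) -> List[str]:
    """Watchlisted acronyms embedded in the attacker-chosen host label."""
    return [acr for acr in ORG_WATCHLIST if acr in host_label]


@dataclass
class Verdict:
    domain: str
    reason: str   # known_ioc | ddns_impersonation | ddns_host
    detail: str


def triage(qname: str, known: Set[str]) -> Optional[Verdict]:
    """Classify one queried name; None means nothing noteworthy."""
    d = refang(qname)  # also normalizes case and a trailing dot from the log
    if d in known:
        return Verdict(d, "known_ioc", "exact match on published indicator")
    zone = ddns_zone(d)
    if zone is None:
        return None
    host = d[: -(len(zone) + 1)]
    hits = watchlist_hits(host)
    if hits:
        orgs = ", ".join(ORG_WATCHLIST[h] for h in hits)
        return Verdict(d, "ddns_impersonation", f"label '{host}' under {zone} references {orgs}")
    return Verdict(d, "ddns_host", f"label '{host}' under dynamic DNS zone {zone}")


# CONSTRUCTED sample DNS query log (timestamp, client, query name, type);
# not real telemetry.  Mixes legitimate names with indicator look-alikes.
SAMPLE_DNS_LOG = """\
2021-06-16T09:14:02Z 10.20.1.15 www.bsnl.co.in A
2021-06-16T09:14:07Z 10.20.1.15 inbsnl.ddns.info A
2021-06-16T09:15:41Z 10.20.1.22 update.microsoft.com A
2021-06-16T09:16:03Z 10.20.1.31 ADTL.mywire.org. A
2021-06-16T09:16:55Z 10.20.1.31 in-adtl.ddns.net A
2021-06-16T09:17:10Z 10.20.1.40 home-cam.no-ip.org A
"""


def scan_log(log_text: str) -> List[Verdict]:
    """Run every query name in a whitespace-separated log through triage."""
    known = {refang(x) for x in IOC_DOMAINS_DEFANGED}
    verdicts = []
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) < 3:
            continue
        v = triage(parts[2], known)
        if v is not None:
            verdicts.append(v)
    return verdicts


if __name__ == "__main__":
    for v in scan_log(SAMPLE_DNS_LOG):
        print(f"{v.reason:<20} {v.domain:<24} {v.detail}")
```

On the sample log this flags the two published indicators (one of them despite the upper-case label and trailing dot that resolvers often log), flags `in-adtl.ddns.net` as a watchlist look-alike that the published indicator list would have missed, and reports the unrelated no-ip host only as a low-priority dynamic DNS lookup, while `www.bsnl.co.in` passes untouched because it is not under a dynamic DNS zone.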

Mapped onto the MITRE ATT&CK framework, the toolset itself indicates the tactics in play. The Royal Road RTF weaponizer exists to build malicious RTF documents that exploit Microsoft Equation Editor flaws, so initial access most plausibly came through spearphishing with weaponized attachments (Phishing, T1566, followed by Exploitation for Client Execution, T1203); exploitation of public-facing applications (T1190) remains the other candidate. PlugX, Poison Ivy, ShadowPad and the other remote access tools supply persistence and command and control over web and custom protocols (Application Layer Protocol, T1071), with dynamic DNS hostnames such as those above fronting the attacker infrastructure. Privilege escalation and collection inside victim networks, and the exfiltration of defense data that the targeting implies, are not detailed in the public findings, so those parts of the mapping are inferred rather than observed.

As organizations continue to contend with the evolving threat landscape, vigilance and robust security measures remain paramount in protecting critical infrastructure and sensitive data from state-sponsored adversaries.
