Suspected Chinese Army-Linked Hacking Group Targeted Neighboring Countries: Report

By Rita Li
Rita Li
Rita Li
Rita Li is a reporter with The Epoch Times, focusing on China-related topics. She began writing for the Chinese-language edition in 2018.
July 7, 2021 Updated: July 7, 2021

Researchers have identified links between a suspected Chinese regime-sponsored hacker group and a military unit in northwest China, which has been threatening cybersecurity in neighboring countries since 2014.

The RedFoxtrot group is part of Beijing’s cyber espionage efforts tied with the People’s Liberation Army (PLA) Unit 69010, which is “likely interested in gathering intelligence on military technology and defense,” according to a June report by the Insikt Group, a research division under U.S. cybersecurity company Recorded Future.

Unit 69010, located in Urumqi, capital of China’s Xinjiang region, also likely has multiple subordinates primarily assigned to observe military activities along China’s western border, researchers found.

It was the operational defects of a suspected RedFoxtrot operator that disclosed the connection between RedFoxtrot’s operational infrastructure and the physical address of the headquarters of the PLA Unit 69010.

Moreover, the unnamed operator was detected to be associated with the PLA’s former Communications Command Academy in Wuhan.

“RedFoxtrot has primarily targeted aerospace and defense, government, telecommunications, mining, and research organizations in Afghanistan, India, Kazakhstan, Kyrgyzstan, Pakistan, Tajikistan, and Uzbekistan,” said the analysis.

Heatmap
Heat map of RedFoxtrot activity targeting Central and South Asia. (Courtesy of Recorded Future)

The PLA-linked group is also thought to have likely employed malware sets commonly used by Chinese cyber espionage groups, including Icefog, PlugX, Royal Road, Poison Ivy, ShadowPad, and PCShare, to hijack user systems.

During the border tension between China and India, the group was also found to have targeted Indian defense contractors, telecommunications providers, and government organizations through network intrusions, said the report.

RedFoxtrot activity overlaps with threat groups tracked by other security vendors as Temp.Trident and Nomad Panda.

President Joe Biden signed an executive order on May 12 seeking to prevent cyberattacks from both nation-state actors and cybercriminals, following a hack of computer systems linked to top U.S. fuel pipeline operator Colonial Pipeline.

Colonial temporarily shut down on May 7, which triggered fuel shortages and increased gasoline prices across multiple U.S. states.

Rita Li
Rita Li
Rita Li is a reporter with The Epoch Times, focusing on China-related topics. She began writing for the Chinese-language edition in 2018.