Hacking Group Linked to Suspected Chinese Army Unit Targets Neighbors: Report

Researchers have identified a link between a suspected Chinese state-sponsored hacking group and a People's Liberation Army (PLA) unit in northwestern China that has threatened the cybersecurity of neighboring countries since 2014.

The RedFoxtrot group is part of Beijing's cyber-espionage activity and operates in collaboration with PLA Unit 69010, which "is likely interested in gathering information on military technology and defense," according to Insikt Group, the research division of Recorded Future, a US cybersecurity company.

Researchers found that Unit 69010, based in Urumqi, the capital of China's Xinjiang Uygur Autonomous Region, likely also has multiple subordinate units assigned primarily to monitoring military activity along China's western border.

The connection between RedFoxtrot's operational infrastructure and the physical address of PLA Unit 69010's headquarters was exposed by what appears to have been an operational security lapse by a RedFoxtrot operator.

In addition, an unnamed operator was found to be associated with the PLA's former Communications Command Academy in Wuhan.

"RedFoxtrot has focused primarily on aerospace and defense, government, telecommunications, mining, and research organizations in Afghanistan, India, Kazakhstan, Kyrgyzstan, Pakistan, Tajikistan, and Uzbekistan," the analysis said.

[Figure: A heatmap of RedFoxtrot activity across Central and South Asia. (Courtesy of Recorded Future)]

The PLA-linked group is also believed to have compromised victim systems using malware families commonly shared among Chinese cyber-espionage groups, including Icefog, PlugX, Royal Road, Poison Ivy, ShadowPad, and PCShare.

During tensions on the China-India border, the group was also found to have targeted Indian defense contractors, telecommunications providers, and government organizations through network intrusions, the report said.

RedFoxtrot's activity overlaps with threat groups tracked by other security vendors under the names Temp.Trident and NomadPanda.

On May 12, following the hack of a computer system linked to Colonial Pipeline, the top US fuel pipeline operator, President Joe Biden signed an executive order calling for the prevention of cyberattacks by both state actors and cybercriminals.

Colonial Pipeline was temporarily shut down on May 7, causing fuel shortages and rising gasoline prices in several US states.
