Saturday, July 13, 2024

Chinese Hackers Group “RedFoxtrot” Attacking Asian Countries Aerospace and Defense Networks

The research team of the Insikt Group of the information security company Recorded Future has recently recognized a connection between the hacker group RedFoxtrot and the People’s Liberation Army of China.

But, in particular with the Unit 69010 unit operating from Urumqi, the administrative center of the Xinjiang Uygur Autonomous Region. 

Thinking about Unit 69010? It is the Military Unit Cover Designator of the Second Technical Reconnaissance Bureau (MUCD). A structure within the SSF (Strategic Support Force) under the China Network Systems Department.

A recent US report has revealed that the Chinese hackers of the RedFoxtrot group have been targeting Indian defense agencies, Aerospace networks, other companies in India, and many other organizations in several Asian countries for almost six months.

While the US cybersecurity firm, Recorded Future had also issued a similar report in March this year before the fire broke out in Beijing, and in that report, they specified the RedEcho. 

The report claims that the Chinese hacker group called ‘RedEcho’ targeted all the power departments of the country, including NTPC, India’s largest power company.

Affected countries and sectors

RedFoxtrot attacks are focused on the government, telecommunications, and defense sectors in Central Asia, India, and Pakistan.

In the past six months, the RedFoxtrot Group has attacked three Indian aerospace and defense entrepreneurs. And not only that even it has also as well as telecommunications companies and government agencies in Afghanistan, India, Kazakhstan, and Pakistan.

Malware used

The malware used by the hacker of this group in their campaigns is linked to Chinese stat-sponsored hacking groups, and here is the list of malware used is mentioned below:-

  • IceFog
  • PlugX
  • RoyalRoad (RTF)
  • Poison Ivy (RAT)
  • ShadowPad
  • PCShare

RedFoxtrot’s Connection to PLA Unit 69010

The RedFoxtrot Group has been active since at least 2014, targeting government, security, and telecommunications sectors across Central Asia, India, and Pakistan in a manner consistent with the possible operational scope of Unit 69010.

The security researchers claimed that through the online activities of a surmised RedFoxtrot threat actor, the links between the RedFoxtrot’s operational infrastructure and PLA Unit 69010 was recognized by the Insikt Group.

Apart from this, the analysts at Insikt Group have managed to unveil the physical address of PLA Unit 69010 headquarters (No. 553, Wenquan East Road, Shuimogou District, Urumqi, Xinjiang).

And all this becomes possible due to the weak security measures that are exercised by the members of this unit’s Operational Security (OpSec).

Mapping RedFoxtrot’s Sprawling Infrastructure

Moreover, all the associated malware samples used by the hackers in their active interventions over the past 6 months, and a large batch of RedFoxtrot infrastructure has been detected by the Insikt Group by the Network Traffic Analysis (NTA) of Recorded Future.

Researchers have also reported the high-level trends in the group’s TTPs, and here they are mentioned below:-

  • DDNS domains are used in extensive amount.
  • Often the hints regarding geographical targeting are included in DDNS domains.
  • In recent times the DigitalOcean and Choopa are mainly used as primary hosting providers.
  • AXIOMATICASYMPTOTE infrastructure is also used.


  • Properly configure the IDS, IPS, and network defense mechanisms.
  • You have to block and log all the TCP/UDP network traffic that involve DDNS subdomains.
  • Implement ronust security mechanisms and security tools to monitor real-time output from NTA, and detect any suspected intrusion activities.
  • Mak sure to keep Microsoft Office and Windows software updated with the latest updates.

While Christopher Ahlberg, the CEO and Co-Founder of Recorded Future affirmed:-

“The recent activity of the People’s Liberation Army has largely been a black box for the intelligence community. Being able to provide this rare end-to-end glimpse into PLA activity and Chinese military tactics and motivations provides invaluable insight into the global threat landscape.” 

“The persistent and pervasive monitoring and collection of intelligence is crucial in order to disrupt adversaries and inform an organization or government’s security posture.”

You can follow us on LinkedinTwitterFacebook for daily Cybersecurity and hacking news updates.


Latest articles

mSpy Data Breach: Millions of Customers’ Data Exposed

mSpy, a widely used phone spyware application, has suffered a significant data breach, exposing...

Advance Auto Parts Cyber Attack: Over 2 Million Users Data Exposed

RALEIGH, NC—Advance Stores Company, Incorporated, a prominent commercial entity in the automotive industry, has...

Hackers Using ClickFix Social Engineering Tactics to Deploy Malware

Cybersecurity researchers at McAfee Labs have uncovered a sophisticated new method of malware delivery,...

Coyote Banking Trojan Attacking Windows Users To Steal Login Details

Hackers use Banking Trojans to steal sensitive financial information. These Trojans can also intercept...

Hackers Created 700+ Fake Domains to Sell Olympic Games Tickets

As the world eagerly anticipates the Olympic Games Paris 2024, a cybersecurity threat has...

Japanese Space Agency Spotted zero-day via Microsoft 365 Services

The Japan Aerospace Exploration Agency (JAXA) has revealed details of a cybersecurity incident that...

Top 10 Active Directory Management Tools – 2024

Active Directory Management Tools are essential for IT administrators to manage and secure Active...
BALAJI is an Ex-Security Researcher (Threat Research Labs) at Comodo Cybersecurity. Editor-in-Chief & Co-Founder - Cyber Security News & GBHackers On Security.

Free Webinar

Low Rate DDoS Attack

9 of 10 sites on the AppTrana network have faced a DDoS attack in the last 30 days.
Some DDoS attacks could readily be blocked by rate-limiting, IP reputation checks and other basic mitigation methods.
More than 50% of the DDoS attacks are employing botnets to send slow DDoS attacks where millions of IPs are being employed to send one or two requests per minute..
Key takeaways include:

  • The mechanics of a low-DDoS attack
  • Fundamentals of behavioural AI and rate-limiting
  • Surgical mitigation actions to minimize false positives
  • Role of managed services in DDoS monitoring

Related Articles