The research team of Insikt Group, part of the information security company Recorded Future, has recently identified a connection between the hacker group RedFoxtrot and the People’s Liberation Army of China, and in particular with Unit 69010, which operates from Urumqi, the administrative center of the Xinjiang Uygur Autonomous Region.
What is Unit 69010? It is the Military Unit Cover Designator (MUCD) of the Second Technical Reconnaissance Bureau, a structure within the Network Systems Department of the SSF (Strategic Support Force).
A recent US report has revealed that the Chinese hackers of the RedFoxtrot group have been targeting Indian defense agencies, aerospace networks, other companies in India, and many other organizations in several Asian countries for almost six months.
The US cybersecurity firm Recorded Future had also issued a similar report in March this year, before the fire broke out in Beijing, and in that report they identified RedEcho.
The report claims that the Chinese hacker group called ‘RedEcho’ targeted all the power departments of the country, including NTPC, India’s largest power company.
RedFoxtrot attacks are focused on the government, telecommunications, and defense sectors in Central Asia, India, and Pakistan.
In the past six months, the RedFoxtrot group has attacked three Indian aerospace and defense contractors, as well as telecommunications companies and government agencies in Afghanistan, India, Kazakhstan, and Pakistan.
The malware used by the hackers of this group in their campaigns is linked to Chinese state-sponsored hacking groups, and the malware used is listed below:-
The RedFoxtrot Group has been active since at least 2014, targeting government, security, and telecommunications sectors across Central Asia, India, and Pakistan in a manner consistent with the possible operational scope of Unit 69010.
The security researchers stated that, through the online activities of a suspected RedFoxtrot threat actor, Insikt Group was able to identify the links between RedFoxtrot’s operational infrastructure and PLA Unit 69010.
Apart from this, the analysts at Insikt Group have managed to unveil the physical address of PLA Unit 69010 headquarters (No. 553, Wenquan East Road, Shuimogou District, Urumqi, Xinjiang).
All of this was possible because of the weak operational security (OpSec) practised by members of this unit.
Moreover, all the associated malware samples used by the hackers in their active operations over the past 6 months, along with a large batch of RedFoxtrot infrastructure, were detected by Insikt Group using Recorded Future’s Network Traffic Analysis (NTA).
Researchers have also reported the high-level trends in the group’s TTPs, and here they are mentioned below:-
Christopher Ahlberg, the CEO and Co-Founder of Recorded Future, said:-
“The recent activity of the People’s Liberation Army has largely been a black box for the intelligence community. Being able to provide this rare end-to-end glimpse into PLA activity and Chinese military tactics and motivations provides invaluable insight into the global threat landscape.”
“The persistent and pervasive monitoring and collection of intelligence is crucial in order to disrupt adversaries and inform an organization or government’s security posture.”