RedFoxtrot operations linked to China’s PLA Unit 69010 due to bad opsec

Experts attribute a series of cyber-espionage campaigns dating back to 2014, and focused on gathering military intelligence, to China-linked Unit 69010.

Experts from Recorded Future’s Insikt Group linked a series of attacks, part of RedFoxtrot China-linked campaigns, to the PLA China-linked Unit 69010

The cyber-espionage campaigns dated back 2014 and focused on gathering military intelligence from neighboring countries were attributed to a Chinese military unit operating out of the city of Ürümqi in the province of Xinjiang.

According to a report released today by Recorded Future’s Insikt Group, the People’s Liberation Army (PLA) Unit 69010 is believed to have been behind a series of cyber-espionage campaigns dating back to 2014 that have focused on gathering military intelligence from neighboring countries.

“RedFoxtrot has primarily targeted aerospace and defense, government, telecommunications, mining, and research organizations in Afghanistan, India, Kazakhstan, Kyrgyzstan, Pakistan, Tajikistan, and Uzbekistan. These targets suggest the group is likely interested in gathering intelligence on military technology and defense” reads the report published by the Insikt Group.

Insikt Group tracked the threat actors behind the campaigns as RedFoxtrot threat actor, the cyberspies targeted government, defense, and telecommunications sectors across Central Asia, India, and Pakistan,

“Activity over this period showed a particular focus on Indian targets, which occurred at a time of heightened border tensions between India and the People’s Republic of China (PRC).” continues the report.

Experts noticed that RedFoxtrot activity overlaps with groups tracked by other security firms as Temp.Trident and Nomad Panda. The threat actors behind the RedFoxtrot operations employed both custom malware and publicly available malicious code. The arsenal of the group included malware employed in campaigns linked to Chinese cyber espionage groups, including Icefog, PlugX, RoyalRoad, Poison Ivy, ShadowPad, and PCShare.

Insikt researchers linked Chinese nation-state activity to RedFoxtrot and PLA Unit 69010 due to the lax operational security (OpSec) of one of the members of the group behind the long-running campaign.

“Due to lax operational security measures employed by this individual, we uncovered a connection to the likely physical address of the headquarters of PLA Unit 69010, No. 553, Wenquan East Road, Shuimogou District, Ürümqi, Xinjiang (新疆乌鲁木齐市水磨沟区温泉东路553 号).” states the report. “Insikt Group is not publicly disclosing the identity of this individual; however, an extensive online presence provided corroborating evidence indicating that this individual is located in Ürümqi, has an interest in hacking, and also has a suspected historical affiliation with the PLA’s former Communications Command Academy1 (通信指挥学院) located in Wuhan.”

The researchers reported that in 2020, RedFoxtrot, alongside multiple other PLA and MSS-affiliated nation-state groups, likely gained access to the ShadowPad backdoor.

“With continued activity from suspected PLA groups such as Tonto Team, Tick, Naikon, and RedFoxtrot, and the emergence of new Chinese threat activity groups with suspected PLA links, Insikt Group believes that PLA-affiliated groups remain prominent within the Chinese cyber espionage sphere despite increased attention on their MSS counterparts.” concludes the report.

Follow me on Twitter: @securityaffairs and Facebook

[adrotate banner=”9″]

[adrotate banner=”12″]

Pierluigi Paganini

(SecurityAffairs – hacking, Unit 69010)

[adrotate banner=”5″]

[adrotate banner=”13″]