Even while China and India are locked in a border standoff, a Chinese PLA unit is running covert operations against Indian establishments. This indicates that these Chinese hackers are state sponsored and backed by the PLA. The group is not aimed at India alone; it is also actively targeting Nepal, Taiwan, Bhutan, Singapore and other SAARC countries.
Recorded Future's investigation has linked the group to People's Liberation Army (PLA) Unit 69010, which is located in Ürümqi, Xinjiang. The Recorded Future report states: “Unit 69010 is likely the Military Unit Cover Designator (MUCD) for a Technical Reconnaissance Bureau (TRB) within the PLA Strategic Support Force (SSF) Network Systems Department (NSD), an information and cyber warfare branch of the PLA. Due to lax operational security measures employed by a suspected RedFoxtrot operator, Insikt Group linked the threat group to the physical address of Unit 69010’s headquarters. Publicly available procurement and court documents further tied Unit 69010 both to this address and to the SSF. Multiple academic publications also support the hypothesis that this unit has a cyber mission”.
RedFoxtrot has been active since 2014 and targets the government, defense and telecommunications sectors of SAARC countries. The group's aim is to steal sensitive data and disrupt telecommunication channels.
Recorded Future has drawn the following conclusions:
Formerly known as the Lanzhou Military Region's Second Technical Reconnaissance Bureau, PLA Unit 69010 has very likely been incorporated into the Network Systems Department of the PLA-SSF following a 2015 restructure.
We believe that RedFoxtrot is a Chinese state-sponsored threat activity group based on identified links to a specific PLA unit and the use of shared custom capabilities considered unique to Chinese cyber espionage groups.
In 2020, RedFoxtrot, alongside multiple other PLA and MSS-affiliated threat groups, likely gained access to the ShadowPad backdoor.
In the aftermath of the 2015 restructuring, activity linked to previously tracked PLA-affiliated cyber espionage groups has declined, likely due to old activity groups disbanding or merging to form new clusters. With continued activity from suspected PLA groups such as Tonto Team, Tick, Naikon, and RedFoxtrot, and the emergence of new Chinese threat activity groups with suspected PLA links, Insikt Group believes that PLA-affiliated groups remain prominent within the Chinese cyber espionage sphere despite increased attention on their MSS counterparts.
It can be concluded that the Chinese PLA has created multiple hacker groups, each aimed at specific countries, and uses them to perform cyber espionage against those countries and gain leverage over them. The MITRE ATT&CK mapping of the techniques used by the RedFoxtrot group is as follows:
| ATT&CK | Techniques |
| --- | --- |
| Initial Access | External Remote Services (T1133), Exploit Public-Facing Application (T1190) |
| Execution | PowerShell (T1086), Scripting (T1064) |
| Persistence | New Service (T1050) |
| Privilege Escalation | Exploitation for Privilege Escalation (T1068) |
| Defense Evasion | BITS Jobs (T1197), Process Injection (T1055) |
| Command and Control | Remote File Copy (T1105), Commonly Used Port (T1436), Uncommonly Used Port (T1065), Custom Command and Control Protocol (T1094), Data Encoding (T1132), Standard Application Layer Protocol (T1071) |
Security analysts can monitor for the above techniques to look for Chinese threat actors in their environment. Note that these are pre-2020 ATT&CK identifiers; several of them (for example T1086 PowerShell and T1050 New Service) have since been retired or folded into sub-techniques in the current matrix, so map them to current IDs before writing detections.
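As an added example of the monitoring suggested above (not code from the article or the Recorded Future report), a small Python triage that tags Windows event records with the technique IDs from the table. The event records, their field names (ImagePath, CommandLine, url) and the heuristics are constructed assumptions, not RedFoxtrot-specific indicators.

```python
import re
from collections import Counter

# Constructed Windows event records (not real telemetry); the field names
# (ImagePath, CommandLine, url) are assumptions, not a specific log schema.
EVENTS = [
    {"id": 7045, "channel": "System", "ServiceName": "WinUpdateSvc",
     "ImagePath": r"C:\Users\Public\svchost.exe"},
    {"id": 7045, "channel": "System", "ServiceName": "Spooler",
     "ImagePath": r"C:\Windows\System32\spoolsv.exe"},
    {"id": 59, "channel": "Microsoft-Windows-Bits-Client/Operational",
     "url": "http://203.0.113.10/update.dat"},
    {"id": 4688, "channel": "Security",
     "CommandLine": "powershell.exe -nop -w hidden -enc "
                    "SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABOAGUAdAAu"},
]

# Heuristics: service binaries under user-writable paths, BITS downloads
# from bare-IP URLs, and base64 -EncodedCommand PowerShell launches.
USER_WRITABLE = re.compile(r"\\(Users|ProgramData|Temp)\\", re.I)
BARE_IP_URL = re.compile(r"^https?://\d{1,3}(?:\.\d{1,3}){3}/")
ENCODED_CMD = re.compile(r"-(?:e|ec|enc|encodedcommand)\s+[A-Za-z0-9+/=]{20,}", re.I)

def classify(ev):
    """Return the technique IDs (numbered as in the table above) this event evidences."""
    hits = []
    if ev["id"] == 7045 and USER_WRITABLE.search(ev.get("ImagePath", "")):
        hits.append("T1050")                      # New Service
    elif ev["channel"].startswith("Microsoft-Windows-Bits-Client") \
            and BARE_IP_URL.match(ev.get("url", "")):
        hits += ["T1197", "T1105"]                # BITS Jobs + Remote File Copy
    elif ev["id"] == 4688 and ENCODED_CMD.search(ev.get("CommandLine", "")):
        hits += ["T1086", "T1132"]                # PowerShell + Data Encoding
    return hits

def hunt(events):
    """Tally technique hits across the stream to show coverage against the mapping."""
    counts = Counter()
    for ev in events:
        counts.update(classify(ev))
    return dict(counts)

if __name__ == "__main__":
    for ev in EVENTS:
        print(ev["id"], ev["channel"], classify(ev))
    print(hunt(EVENTS))
```

Each hit is a lead for analyst review, not a verdict; benign software also installs services and uses BITS, so tune the path and URL heuristics to the environment.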