Security researchers have reported that a Chinese military unit based in Xinjiang has carried out multiple cyber-espionage campaigns in recent years.
A report by Recorded Future’s Insikt Group states that since 2014, the People’s Liberation Army (PLA) Unit 69010 carried out cyber-espionage campaigns that targeted neighboring countries with the purpose of gathering military intelligence.
The Insikt Group has detected multiple attacks against government and commercial organizations in countries including Afghanistan, India, Kazakhstan, Kyrgyzstan, Pakistan, Tajikistan, and Uzbekistan. The researchers track this threat actor under the codename RedFoxtrot. Some of the group's past campaigns have been documented by other security firms under different names.
“Notable RedFoxtrot victims over the past 6 months include multiple Indian aerospace and defense contractors; telecommunications companies in Afghanistan, India, Kazakhstan, and Pakistan; and several national and state institutions in the region,” the report said.
“Activity over this [past six-month] period showed a particular focus on Indian targets, which occurred at a time of heightened border tensions between India and the People’s Republic of China (PRC).”
The RedFoxtrot group used a toolset widely shared among Chinese state-linked actors, including the IceFog, ShadowPad, PCShare, PlugX, and Poison Ivy malware families and the Royal Road weaponized-document builder. The group also operated its own web servers to host payloads and to collect stolen information.
The lines between state-sponsored and third-party hackers have become increasingly blurred over the past couple of years, the researchers noted, because the same malware strains are reused by different hacking groups and because the Chinese Ministry of State Security (MSS) relies on hired contractors.
Recorded Future said it was able to connect RedFoxtrot activity to PLA Unit 69010 because of weak operational security on the part of one of the unit's hackers.
“Insikt Group is not publicly disclosing the identity of this individual; however, an extensive online presence provided corroborating evidence indicating that this individual is located in Ürümqi, has an interest in hacking, and also has a suspected historical affiliation with the PLA’s former Communications Command Academy (通信指挥学院) located in Wuhan,” the researchers said.
It was recently reported that PLA Unit 61419 has carried out a campaign that breached more than 200 Japanese organizations and individuals since 2016. Researchers linked those attacks to the Tick advanced persistent threat (APT) group.
Despite these public attributions and a number of US indictments linking the PLA to cyber-espionage operations, the PLA continues to operate its hacking units.