In a recent study, the US cyber security firm Recorded Future has revealed the worrisome scale of increasing cyber espionage and intelligence collection activities, as well as cyber-attacks on critical infrastructure, by a group identified as RedFoxtrot, which is linked to PLA Unit 69010.
Prior to the PLA's reorganisation in 2015, the specialised cyber-attack Unit 69010 was known as the Lanzhou Military Region's Second Technical Reconnaissance Bureau; it has since been incorporated into the Network Systems Department of the PLA's Strategic Support Force (SSF). Unit 69010 has also absorbed the PLA General Staff Department's (GSD) Third Department (3PLA), a broadly defensive SIGINT entity whose responsibilities included monitoring Chinese communication networks, protecting the security of Chinese domestic computer networks, and conducting cyber espionage-oriented computer network exploitation. The report states that Unit 69010 is the Military Unit Cover Designator (MUCD) of the Second Technical Reconnaissance Bureau, which is located at a sprawling complex in Ürümqi, Xinjiang. The unit has emerged as the most important cyber-attack entity in the PLA.
Unit 69010 uses multiple groups for cyber-attacks and cyber espionage. It also has multiple subordinate offices primarily responsible for monitoring military activity along China's western border. One of these groups is identified as RedFoxtrot, which targets India's government organisations and critical infrastructure. Besides RedFoxtrot, other prominent groups involved in the PLA's cyber espionage activities are Tonto Team, Tick, and Naikon. RedFoxtrot, whose activities have been observed, is perhaps the most active cyber-attack group of the PLA at present.
Crucially, the report concludes that 'the PLA affiliated groups remain prominent in the cyber espionage sphere despite increased attention on their Ministry of State Security (MSS), the Chinese external intelligence agency.' This suggests that while both the PLA and the MSS have escalated their activities, the PLA-affiliated groups are the more active. This assumes great significance in view of our continued standoff at the border.
RedFoxtrot has been active since the formation of the SSF and mainly focuses on India and other neighbouring countries in the region. It is targeting multiple networks of India's defence, telecommunications, mining and research organisations, including several aerospace and defence contractors. The group is reported to maintain a large operational infrastructure. It employs "both bespoke and publicly available malware families commonly used by Chinese cyber espionage groups, including Icefog, PlugX, Royal Road, Poison Ivy, ShadowPad, and PCShare."
Importantly, the report noted that RedFoxtrot heavily targeted Indian defence contractors, telecommunications providers, and government organisations at a time of heightened tension between China and India since 2020. It also noted that another group, RedEcho, was targeting India's critical infrastructure.
The study reveals how Beijing is using cyberspace as a tool for gathering intelligence on military technology and national security issues, as well as on political developments and foreign relations. In March, CERT-In had identified a China-linked group conducting an espionage campaign against the transport sector. Earlier, a China-linked firm was reported to have collected big data from India for analysis. It is well known that China aggressively launches specially designed influence operations against selected targets to elicit responses favourable to China.
The Recorded Future study deserves the attention of policy makers dealing with cyber security. It points out how RedFoxtrot has attacked Indian critical infrastructure and government organisations, and that the group is 'likely to have gained access to the ShadowPad backdoor'. Urgent steps are needed to examine in depth the modus operandi of the Chinese cyber-attack groups under Unit 69010 and to take immediate steps to plug our vulnerabilities.
Views expressed above are the author’s own.