Recorded Future, the world’s largest provider of intelligence for enterprise security, has said that suspected Chinese state-sponsored hackers targeted Indian telecom companies including Bharat Sanchar Nigam Ltd. and aerospace and defence contractors.
RedFoxtrot, the suspected Chinese state-sponsored threat activity group, targeted several government and non-governmental assets in Central and South Asia for cyber espionage, according to Insikt Group, Recorded Future’s threat research division.
Apart from BSNL, the other Indian company targeted was Alpha Design Technologies, a Bengaluru-based manufacturer and provider of technological services to India’s defence and paramilitary sector, it said.
Insikt Group said it found specific links between RedFoxtrot’s activities and the People’s Liberation Army (PLA) Unit 69010, China’s military intelligence apparatus within the Strategic Support Force (SSF). This offered a glimpse into the SSF’s operations since the PLA was restructured in 2015.
RedFoxtrot has been active since 2014 and has targeted aerospace and defence, government, telecommunications, mining, and research organisations in Afghanistan, India, Kazakhstan, Kyrgyzstan, Pakistan, Tajikistan and Uzbekistan, aligning with the operational remit of PLA Unit 69010.
According to the report, Indian defence contractors were heavily targeted after the border tensions between India and China escalated in 2020.
Recorded Future reported in March that cyberattacks by Chinese group RedEcho were targeted at 10 Indian power sector assets including state-run NTPC and Power System Operation Corporation Ltd., two ports, oil and gas assets and the Indian Railways.
“RedEcho was industry-specific, focussed on Indian energy sector like power plants. It was a kind of prepositioning for future cyber espionage and attacks. However, RedFoxtrot is not just limited to one country or one industry,” said a senior official of Recorded Future.
The report said RedFoxtrot maintains large amounts of operational infrastructure and possibly employed both bespoke and publicly available malware families commonly used by Chinese cyber espionage groups. RedFoxtrot activity overlaps with threat groups tracked by other security vendors such as Temp.Trident and Nomad Panda, it said.
“The recent activity of the People’s Liberation Army has largely been a black box for the intelligence community. Being able to provide this rare end-to-end glimpse into PLA activity and Chinese military tactics and motivations provides invaluable insight into the global threat landscape. The persistent and pervasive monitoring and collection of intelligence is crucial in order to disrupt adversaries and inform an organisation or government’s security posture,” said Christopher Ahlberg, chief executive officer and cofounder of Recorded Future. Moneycontrol