Threat Activity Group RedFoxtrot Linked to China’s PLA Unit 69010; Targets Bordering Asian Countries

Threat Activity Group RedFoxtrot Linked to China’s PLA Unit 69010; Targets Bordering Asian Countries

insikt-logo-blog.png
Editor’s Note: The following post is an excerpt of a full report. To read the entire analysis, click here to download the report as a PDF.

This report profiles a suspected Chinese state-sponsored threat activity group, RedFoxtrot, with links to PLA Unit 69010. The activity was identified through a combination of large-scale automated network traffic analytics and expert analysis. Data sources include the Recorded Future Platform, SecurityTrails, DomainTools, PolySwarm, Farsight, and common open-source tools and techniques. The report will be of most interest to individuals engaged in strategic and operational intelligence relating to the activities of Chinese military intelligence units in cyberspace and network defenders with a presence in Central or South Asia.

Executive Summary

Recorded Future’s Insikt Group has identified ties between a suspected Chinese state-sponsored threat activity group we track as RedFoxtrot and the Chinese military intelligence apparatus, specifically People’s Liberation Army (PLA) Unit 69010 located in Ürümqi, Xinjiang. This activity offers a glimpse into PLA operations following a major organizational restructure beginning in 2015 and follows a period where public reporting has largely concentrated on groups affiliated with China's Ministry of State Security (MSS).

Unit 69010 is likely the Military Unit Cover Designator (MUCD) for a Technical Reconnaissance Bureau (TRB) within the PLA Strategic Support Force (SSF) Network Systems Department (NSD), an information and cyber warfare branch of the PLA. Due to lax operational security measures employed by a suspected RedFoxtrot operator, Insikt Group linked the threat group to the physical address of Unit 69010’s headquarters. Publicly available procurement and court documents further tied Unit 69010 both to this address and to the SSF. Multiple academic publications also support the hypothesis that this unit has a cyber mission.

RedFoxtrot has been active since at least 2014 and predominantly targets government, defense, and telecommunications sectors across Central Asia, India, and Pakistan, aligning with the likely operational remit of Unit 69010. Of particular note, within the past 6 months, Insikt Group detected RedFoxtrot network intrusions targeting 3 Indian aerospace and defense contractors; major telecommunications providers in Afghanistan, India, Kazakhstan, and Pakistan; and multiple government agencies across the region. RedFoxtrot maintains large amounts of operational infrastructure and has likely employed both bespoke and publicly available malware families commonly used by Chinese cyber espionage groups, including Icefog, PlugX, Royal Road, Poison Ivy, ShadowPad, and PCShare. RedFoxtrot activity overlaps with threat groups tracked by other security vendors as Temp.Trident and Nomad Panda.

Editor’s Note: This post was an excerpt of a full report. To read the entire analysis, click here to download the report as a PDF.