
China-Backed Hackers RedFoxtrot Targeted Defence Research In India

(This was originally posted in The Print by Regina Mihindukulasuriya)

New Delhi: A Chinese state-backed hacker group is targeting Indian defence research and other Indian organisations, according to the latest research from an American cybersecurity firm. In a report released on 16 June, cybersecurity firm Recorded Future, headquartered near Boston, said it found links between a "suspected" Chinese state-sponsored threat activity group and the People's Liberation Army's Unit 69010, a Chinese military intelligence unit.

"The unit (69010) also likely has multiple subordinate offices primarily responsible for monitoring military activity along China's western border," the report said. Recorded Future has nicknamed the hacker group 'RedFoxtrot'. The same cybersecurity firm had in March said another China-linked hacker group, nicknamed 'RedEcho', was targeting India's power sector, including state-owned NTPC, India's largest energy conglomerate. RedFoxtrot has been active since at least 2014, according to Recorded Future. The hacker group's predominant targets are sectors like government, defence, and telecommunications across Central Asia, India, and Pakistan.

Within the past six months, Recorded Future research detected RedFoxtrot targeting "3 Indian aerospace and defense contractors; major telecommunications providers in Afghanistan, India, Kazakhstan, and Pakistan; and multiple government agencies across the region", the report said. The report, however, does not mention the names of the targeted organisations. ThePrint emailed Recorded Future for more details of the targets, but is yet to receive a response.

DRDO may have been a target

Recorded Future's report noted that the choice of targets shows that RedFoxtrot "is likely interested in gathering intelligence on military technology and defense". The Chinese hacker group paid special attention to Indian targets during this six-month period. "Activity over this period showed a particular focus on Indian targets, which occurred at a time of heightened border tensions between India and the People's Republic of China (PRC)," the report said.

Following a clash in the Galwan Valley in June 2020 between Indian and Chinese soldiers, relations have been tense between the two countries. RedFoxtrot is gaining access to targeted organizations, likely by sending phishing emails containing malware to employees in the targeted organization, said Atul Kabra, cofounder of a Bengaluru-based cybersecurity firm PolyLogyx, which was acquired by a Netherlands-based firm.

An unsuspecting victim opening a document attached to a phishing email could unknowingly install malware on the system, giving the hackers remote access to the computer. According to Kabra, the report suggests India's Defence Research and Development Organisation (DRDO) could have been a target, though the report does not explicitly say so.

However, the firm's research did include a document referencing DRDO. According to the report, the document name, 'DYSL-QT_Slide_DMC_090719.doc', "likely corresponds to the 'Defence Research and Development Organisation (DRDO) Young Scientist Laboratory for Quantum Technologies' (DYSL-QT) located in Hyderabad, India. Additionally, DMC is likely in reference to the DRDO Management Council (DMC), suggesting the group used this lure in activity targeting Indian defense research".

Recorded Future research found that the document contained a variant of a malware called Poison Ivy. Poison Ivy is a 'remote access tool' (RAT): once installed, it gives the hacker remote control of the victim's computer and supports "key logging, screen capturing, video capturing, file transfers, system administration, password theft, and traffic relaying". Traffic relaying means the infected computer is used as a proxy to forward the attacker's network traffic, for example to reach other systems inside the victim organisation's network while hiding the attacker's real origin.


Kartik Sud

I am working as a News Author with the DefenceXP network, observing the LOC and LAC.
