China-Backed Hackers RedFoxtrot Targeted Defence Research In India
(This was originally posted in The Print by Regina Mihindukulasuriya)
New Delhi: A Chinese state-backed hacker group is targeting Indian defence research and other Indian organizations, according to the latest research from an American cybersecurity firm. In a report released on 16 June, cybersecurity firm Recorded Future, headquartered near Boston, said it found links between a "suspected" Chinese state-sponsored threat activity group and the People's Liberation Army's Unit 69010, a Chinese military intelligence unit.
"The unit (69010) also likely has multiple subordinate offices primarily responsible for monitoring military activity along China's western border," the report said. Recorded Future has nicknamed the hacker group "RedFoxtrot". The same cybersecurity firm had in March said another China-linked hacker group, nicknamed "RedEcho", was targeting India's power sector, including state-owned NTPC, India's largest energy conglomerate. RedFoxtrot has been active since at least 2014, according to Recorded Future. The hacker group's predominant targets are sectors like government, defence, and telecommunications across Central Asia, India, and Pakistan.
Within the past six months, Recorded Future research detected RedFoxtrot targeting "3 Indian aerospace and defense contractors; major telecommunications providers in Afghanistan, India, Kazakhstan, and Pakistan; and multiple government agencies across the region", the report said. The report, however, does not mention the names of the targeted organisations. ThePrint emailed Recorded Future for more details of the target, but is yet to receive a response.
DRDO may have been a target
Recorded Future's report noted that the choice of targets shows that RedFoxtrot "is likely interested in gathering intelligence on military technology and defense". The Chinese hacker group paid special attention to Indian targets during this six-month period. "Activity over this period showed a particular focus on Indian targets, which occurred at a time of heightened border tensions between India and the People's Republic of China (PRC)," the report said.
Following a clash in the Galwan Valley in June 2020 between Indian and Chinese soldiers, relations have been tense between the two countries. RedFoxtrot is gaining access to targeted organizations, likely by sending phishing emails containing malware to employees in the targeted organization, said Atul Kabra, cofounder of a Bengaluru-based cybersecurity firm PolyLogyx, which was acquired by a Netherlands-based firm.
An unsuspecting victim opening an attached document in a phishing email could unknowingly install malware on the system, giving the hackers remote access to the computer. According to Kabra, the report suggests India's Defence Research and Development Organisation (DRDO) could have been a target, though the report does not explicitly say so.
However, the firm's research did include a document referencing DRDO. According to the report, the document name, "DYSL-QT_Slide_DMC_090719.doc", "likely corresponds to the 'Defence Research and Development Organisation (DRDO) Young Scientist Laboratory for Quantum Technologies' (DYSL-QT) located in Hyderabad, India. Additionally, DMC is likely in reference to the DRDO Management Council (DMC), suggesting the group used this lure in activity targeting Indian defense research".
Recorded Future research found that the document contained a variant of a malware called Poison Ivy. Poison Ivy is a "remote access tool" (RAT) that gives the hacker remote control of a victim's computer and supports "key logging, screen capturing, video capturing, file transfers, system administration, password theft, and traffic relaying". Traffic relaying means the infected computer is used as a proxy: the hacker's connections to other systems are passed through the victim machine, so they appear to originate from inside the compromised network.
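The attack chain described above starts with a lure document attached to an email. The following is an added example, written for this page and not code from Recorded Future's report or from ThePrint, showing the kind of first-pass triage a mail gateway or analyst script can perform on attachments: parse the message, pull out every attachment, record its name, declared MIME type, size and SHA-256 for threat-intelligence lookup, and flag legacy Office files by their OLE2 container header rather than trusting the extension alone. The sample message, sender and recipient addresses, attachment names and the attachment contents (an OLE header followed by padding, not a real document) are all constructed for the demonstration.

```python
import email
import hashlib
from email import policy
from email.message import EmailMessage

# Magic bytes of an OLE2 Compound File, the container behind legacy .doc/.xls/.ppt.
# Checking the header catches a renamed file; the extension list catches the rest.
OLE_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"
RISKY_EXTENSIONS = (".doc", ".dot", ".xls", ".ppt", ".rtf")


def triage_attachments(raw_message: bytes) -> list[dict]:
    """Parse an RFC 5322 message and return one record per attachment.

    Each record carries the filename, declared content type, size, SHA-256
    (for hash lookups against threat intelligence), whether the bytes start
    with an OLE2 header, and a combined 'risky' verdict.
    """
    msg = email.message_from_bytes(raw_message, policy=policy.default)
    findings = []
    for part in msg.iter_attachments():
        data = part.get_payload(decode=True) or b""
        name = part.get_filename() or "<unnamed>"
        ext = "." + name.rsplit(".", 1)[-1].lower() if "." in name else ""
        is_ole = data.startswith(OLE_MAGIC)
        findings.append({
            "filename": name,
            "content_type": part.get_content_type(),
            "size": len(data),
            "sha256": hashlib.sha256(data).hexdigest(),
            "is_ole": is_ole,
            # Flag on the container header OR on a legacy-Office extension.
            "risky": is_ole or ext in RISKY_EXTENSIONS,
        })
    return findings


def build_sample_message() -> bytes:
    """Construct a demonstration phishing-style email (not a real sample).

    The .doc attachment is only an OLE2 header plus zero padding; it carries
    no document structure and no code. The .txt attachment is benign filler
    so the triage shows both verdicts.
    """
    msg = EmailMessage()
    msg["From"] = "procurement@example.invalid"   # constructed sender
    msg["To"] = "analyst@example.invalid"         # constructed recipient
    msg["Subject"] = "Slides for the review meeting"
    msg.set_content("Please see the attached slides before the meeting.")
    fake_doc = OLE_MAGIC + b"\x00" * 504          # 512 bytes: header plus padding
    msg.add_attachment(fake_doc, maintype="application", subtype="msword",
                       filename="Review_Slides_090719.doc")  # hypothetical lure name
    msg.add_attachment("Agenda: 1. status 2. budget", filename="notes.txt")
    return msg.as_bytes()


if __name__ == "__main__":
    for record in triage_attachments(build_sample_message()):
        flag = "RISKY " if record["risky"] else "ok    "
        print(f"{flag} {record['filename']:28} {record['content_type']:20} "
              f"{record['size']:6d} bytes  sha256={record['sha256'][:16]}...")
```

In practice the SHA-256 would be looked up against a blocklist or sandbox verdict store and any OLE container from an external sender would be detonated before delivery; the header check matters because a .doc renamed to a harmless-looking extension still opens in Word.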