Researchers have identified links between a suspected Chinese regime-sponsored hacker group and a military unit in northwest China, which has been threatening cybersecurity in neighboring countries since 2014.
Unit 69010, located in Urumqi, capital of China’s Xinjiang region, also likely has multiple subordinates primarily assigned to observe military activities along China’s western border, researchers found.
It was the operational defects of a suspected RedFoxtrot operator that disclosed the connection between RedFoxtrot’s operational infrastructure and the physical address of the headquarters of the PLA Unit 69010.
Moreover, the unnamed operator was detected to be associated with the PLA’s former Communications Command Academy in Wuhan.
“RedFoxtrot has primarily targeted aerospace and defense, government, telecommunications, mining, and research organizations in Afghanistan, India, Kazakhstan, Kyrgyzstan, Pakistan, Tajikistan, and Uzbekistan,” said the analysis.
The PLA-linked group is also thought to have likely employed malware sets commonly used by Chinese cyber espionage groups, including Icefog, PlugX, Royal Road, Poison Ivy, ShadowPad, and PCShare, to hijack user systems.
During the border tension between China and India, the group was also found to have targeted Indian defense contractors, telecommunications providers, and government organizations through network intrusions, said the report.
RedFoxtrot activity overlaps with threat groups tracked by other security vendors as Temp.Trident and Nomad Panda.
President Joe Biden signed an executive order on May 12 seeking to prevent cyberattacks from both nation-state actors and cybercriminals, following a hack of computer systems linked to top U.S. fuel pipeline operator Colonial Pipeline.
Colonial temporarily shut down on May 7, which triggered fuel shortages and increased gasoline prices across multiple U.S. states.