China preparing for a cyberattack with Unit 69010 against India

by | June 29, 2021 | Cybersecurity News

It’s reported that China continues to make new conspiracies about India. There are times when they try to infiltrate by entering the Indian border, sometimes by raising their voice against India in international forums, and now is spying against the country through cyberattack!

If wars were fought on the battlefield in the past, now things have changed, and today’s wars are fought in cyberspace. Ammunition is now malware, soldiers are hackers and cybersecurity specialists, and the battle is for data!

How did China allegedly start the attack?

According to media reports, this action from China started last year when both armies were face to face over the border dispute with India. There was a dispute between Indian and Chinese forces in Ladakh.

Recorded Future (a US Cyber Security firm) disclosed on Thursday cyber espionage activity linked to a suspected Chinese state-sponsored threat activity organization named RedFoxtrot, one of the groups of the PLA (People’s Liberation Army) Unit 69010.

China espionage

Unit 69010 uses multiple groups for cyber espionage and cyberattacks. They also have several subordinate offices primarily responsible for monitoring military activity along China’s western border.

RedFoxtrot has been active in India since 2014, basically targeting aerospace and defense, telecommunications across Central Asia, India and Pakistan, government, mining, and research firms.

This group, the RedFoxtrot, is reported to be maintaining a large operational infrastructure. It employs “both bespoke and publicly available malware families commonly used by Chinese cyberespionage groups, including Icefog, PlugX, Royal Road, Poison Ivy, ShadowPad, and PCShare.”

Last six months, Recorded Future research detected the hacker group RedFoxtrot targeting “3 Indian aerospace and defense contractors; major telecommunications providers in Afghanistan, India, Kazakhstan, and Pakistan; and multiple government agencies across the region”, says the report.

In the same report, Recorded Future also noted that the choice of targets shows that RedFoxTrot “is likely interested in gathering intelligence on military technology and defense.”

The report shows how Beijing is using cyberspace to gather intelligence on military technology, national security issues, political developments, and foreign relations. For example, Cert-in had identified a China-linked group conducting an espionage campaign against the transport sector in March. However, earlier, a China-linked firm was reported to have collected big data from India for analysis.

How is RedFoxtrot gaining access to organizations?

Atul Kabra, the cofounder of a Bengaluru-based cybersecurity firm, says that phishing emails contain malware to employees in the targeted organization.

It was found, by Recorded Future, that the document contained a variant of a malware called Poison Ivy.

What is Poison Ivy, and how does it work?

  • It is a RAT (remote access tool) that gives the hacker remote access to a victim’s computer and can get “keylogging, screen capturing, video capturing, file transfers, system administration, password theft, and traffic relaying.” In addition, traffic relaying occurs when the infected computer is used to send data back to the hacker.
  • It accesses several websites from which it downloads and runs files. The downloads can be any file, although they are normally malware.
  • It avoids being detected by the user by using the following techniques:
    • It injects itself into running processes so that no unusual processes are seen.
    • It captures certain information entered or saved by the user, with the corresponding threat to privacy:
      • Keystrokes to obtain information for accessing online banking services, passwords, and other confidential information.
      • Screenshots of actions carried out.
  • It is written in the programming language Assembler x86-32 bit.
  • It is 7680 bytes in size.

Thoughts on the attack

Cristopher Ahlberg, CEO and co-founder from Recorded Future, stated the following:

“The recent activity of the People’s Liberation Army has largely been a black box for the intelligence community. Being able to provide this rare end-to-end glimpse into PLA activity and Chinese military tactics and motivations provides invaluable insight into the global threat landscape. The persistent and pervasive monitoring and collection of intelligence is crucial in order to disrupt adversaries and inform an organization or government’s security posture.”

The study made by Recorded future deserves some attention from the policymakers dealing with cybersecurity. The study shows how the RedFoxtrot has attacked the Indian government organizations and the critical infrastructure. It is likely to have gained access to the ShadowPad backdoor. Urgent steps are needed to examine the modus operandi of the Chinese cyberattack groups under Unit 69010 and take immediate steps to plug our vulnerabilities!

by Andreea Popa

Content writer for Attack Simulator, delivering your daily dose of awareness for cyber security! Love to write passionately about any subject and my mainly inspiration are people's stories. You can also find me on social media, for some more friendly things!

There’s no reason to postpone training your employees

Get a quote based on your organization’s needs and start building a strong cyber security infrastructure today.