New Delhi: A Chinese state-backed hacker group is targeting Indian defence research and other Indian organisations, according to the latest research from an American cybersecurity firm.
In a report released on 16 June, cybersecurity firm Recorded Future, headquartered near Boston, said it found links between a “suspected” Chinese state-sponsored threat activity group and the People’s Liberation Army’s Unit 69010, a Chinese military intelligence unit.
“The unit (69010) also likely has multiple subordinate offices primarily responsible for monitoring military activity along China’s western border,” the report said.
Recorded Future has nicknamed the hacker group ‘RedFoxtrot’.
The same cybersecurity firm had in March said another China-linked hacker group, nicknamed ‘RedEcho’, was targeting India’s power sector, including state-owned NTPC, India’s largest energy conglomerate.
RedFoxtrot has been active since at least 2014, according to Recorded Future. The hacker group’s predominant targets are sectors like government, defence, and telecommunications across Central Asia, India, and Pakistan.
Within the past six months, Recorded Future research detected RedFoxtrot targeting “3 Indian aerospace and defense contractors; major telecommunications providers in Afghanistan, India, Kazakhstan, and Pakistan; and multiple government agencies across the region”, the report said.
The report, however, does not mention the names of the targeted organisations.
In an email response to ThePrint about the targeted organisations, Recorded Future said: “We are unable to provide a list of all the targeted organizations, however a couple of Indian defense contractors were Walchandnagar Industries — a Mumbai-based Heavy Engineering Company engaged in India’s Nuclear and Space programmes, and Alpha Design Technologies (ADTL) which is licensed to develop, manufacture, and supply defense electronics, avionics, simulation, UAVs, AFV equipment and systems.”
“A targeted Indian telecommunications entity was Bharat Sanchar Nigam Limited (BSNL) — an Indian Government-owned telecommunications service,” they added.
They also said that it observed that Afghanistan’s Ministry of Interior and Ministry of Defense were targeted in the same RedFoxtrot campaign, as were the Ministry of Higher and Secondary-Specialized Education and the Center for Electromagnetic Compatibility in Uzbekistan. “Pakistan’s National Telecom Corporation and Kazakhstan’s ASTEL were further examples of telecommunications entities being targeted by RedFoxtrot,” the email statement said.
DRDO may have been a target
Recorded Future’s report noted that the choice of targets shows that RedFoxTrot “is likely interested in gathering intelligence on military technology and defense”.
The Chinese hacker group had paid special attention to Indian targets during this 6-month period. “Activity over this period showed a particular focus on Indian targets, which occurred at a time of heightened border tensions between India and the People’s Republic of China (PRC),” the report said.
Following a clash in the Galwan Valley in June 2020 between Indian and Chinese soldiers, relations have been tense between the two countries.
RedFoxtrot is gaining access to targeted organisations, likely by sending phishing emails containing malware to employees in the targeted organisation, said Atul Kabra, cofounder of a Bengaluru-based cybersecurity firm PolyLogyx, which was acquired by a Netherlands-based firm.
An unsuspecting victim clicking on an attached document in a phishing email could unknowingly download malware on to a system, giving hackers remote access of the computer.
According to Kabra, the report suggests India’s Defence Research and Development Organisation (DRDO) could have been a target though the report does not explicitly say so.
Recorded Future, though, told ThePrint that it did not see evidence of DRDO “being compromised” in this campaign.
“This doesn’t necessarily mean DRDO was targeted, and we did not see evidence of DRDO being compromised in this campaign, but it does mean DRDO was used as a lure to likely target related defense sector organizations,” the cybersecurity firm said in the email response.
However, the firm’s research did include a document referencing DRDO.
According to the report, the document name — ‘DYSL-QT_Slide_DMC_090719.doc’ — “likely corresponds to the ‘Defence Research and Development Organisation (DRDO) Young Scientist Laboratory for Quantum Technologies’ (DYSL-QT) located in Hyderabad, India. Additionally, DMC is likely in reference to the DRDO Management Council (DMC), suggesting the group used this lure in activity targeting Indian defense research”.
Recorded Future research found that the document contained a variant of a malware called Poison Ivy.
Poison Ivy malware is a ‘remote access tool’ (RAT) that gives the hacker remote access to a victim computer and is able to get “key logging, screen capturing, video capturing, file transfers, system administration, password theft, and traffic relaying”.
Traffic relaying occurs when the infected computer is used to transmit data back to the hacker.
This report has been updated to include email responses from Recorded Future, the cybersecurity firm that found evidence of hacking activity targeting Indian establishments.
(Edited by Manasa Mohan)