
China unit targets Indian telcos, firms in cyber espionage

  • In March 2021, the Indian Computer Emergency Response Team (Cert-IN) said it found signs of China-linked cyber actors conducting an espionage campaign against the Indian transportation sector.
By Binayak Dasgupta, New Delhi
UPDATED ON JUN 18, 2021 07:42 AM IST

A suspected unit of Chinese cyber soldiers targeted Indian telecom companies, government agencies and several defence contractors, a cyber threats intelligence company said on Thursday, disclosing what it said was technical evidence of these operations and links to a specific People’s Liberation Army (PLA) unit.

The findings were published by the United States-headquartered Recorded Future, which earlier this year reported evidence of sustained Chinese cyber operations targeting India’s critical infrastructure in the power and ports sectors. The unit exposed in March was called RedEcho, while the new group has been identified as RedFoxtrot.

“Recorded Future’s Insikt Group identified the suspected Chinese state-sponsored group we track as RedFoxtrot targeting multiple Indian organisations throughout 2020 and 2021.

“Within India specifically, we identified the group successfully targeting two telecommunications organisations, three defense contractors, and several additional government and private sector organisations in the past 6 months,” said a person from Recorded Future’s Insikt Group, the division that tracks advanced cyber threats.

A person in India’s cybersecurity establishment did not respond to requests for a comment on the report.

“Notably, this activity took place at a time of heightened tensions between India and China,” the Insikt representative added in a discussion over email with HT. The affected organisations have been notified.

In a separate blog post, Recorded Future said the findings were based on analysis of network traffic, the footprint of the malware used by the attackers, domain registration records and data transmitted from the possible targets.

While the campaign reported earlier this year appeared to be focussed on breaching critical infrastructure in India -- the targets purportedly included National Thermal Power Corporation (NTPC) plants -- the new campaign seems “more aligned with traditional PLA-linked activity in gathering military intelligence”.

“We believe RedFoxtrot conducts cyber espionage operations to gather intelligence on military and defense matters based on the consistent targeting of organisations within this field,” the person quoted above said, while explaining that targeting of telecommunications companies could include “strategic intelligence gathering through monitoring of downstream targets (telecommunications customers), bulk collection of communication data, as well as the ability to track and monitor individual targets”.

State-on-state cyber operations typically fall in two categories: sabotage and espionage, with the latter being more common – although both are equally hard to detect and attribute.

In March 2021, the Indian Computer Emergency Response Team (Cert-IN) said it found signs of China-linked cyber actors conducting an espionage campaign against the Indian transportation sector.

China and China-linked cyber operations have been seen as a persistent threat in India. “In relation to other ‘Big Four’ adversaries, China, and the PLA, is one of the world’s biggest cyber powers, both in terms of sophistication and the scale of operations. The recent US ODNI (Office of the Director of National Intelligence) annual threat assessment stated China is ‘a prolific and effective cyber-espionage threat, possesses substantial cyber-attack capabilities, and presents a growing influence threat’,” the Recorded Future representative said.

Recorded Future’s analysis found RedFoxtrot was linked to PLA unit 69010, and identified a location in Urumqi, Xinjiang, as the possible headquarters. “Due to lax operational security measures employed by a suspected RedFoxtrot operator, Insikt Group linked the threat group to the physical address of Unit 69010’s headquarters,” it said.

“RedFoxtrot has primarily targeted aerospace and defense, government, telecommunications, mining, and research organisations in Afghanistan, India, Kazakhstan, Kyrgyzstan, Pakistan, Tajikistan, and Uzbekistan. These targets suggest the group is likely interested in gathering intelligence on military technology and defence,” the report said.
