A suspected unit of Chinese cyber soldiers targeted Indian telecom companies, government agencies and several defence contractors, a cyber threats intelligence company said on Thursday, disclosing what it said was technical evidence of these operations and links to a specific People’s Liberation Army (PLA) unit.
The findings were published by the United States-headquartered Recorded Future, which earlier this year reported evidence of sustained Chinese cyber operations targeting India’s critical infrastructure in the power and ports sectors. The unit exposed in March was called RedEcho, while the new group has been identified as RedFoxtrot.
“Recorded Future’s Insikt Group identified the suspected Chinese state-sponsored group we track as RedFoxtrot targeting multiple Indian organisations throughout 2020 and 2021.
“Within India specifically, we identified the group successfully targeting two telecommunications organisations, three defence contractors, and several additional governments and private sector organisations in the past 6 months,” said a person from Recorded Future’s Insikt Group, the division that tracks advanced cyber threats.
A person in India’s cybersecurity establishment did not respond to requests for a comment on the report.
“Notably, this activity took place at a time of heightened tensions between India and China,” the Insikt representative added in a discussion over email with HT. The affected organisations have been notified.
In a separate blog post, Recorded Future said the findings were based on analysis of network traffic, the footprint of the malware used by the attackers, domain registration records and data transmitted from the possible targets.
While the campaign reported earlier this year appeared to be focussed on breaching critical infrastructure in India — the targets purportedly included National Thermal Power Corporation (NTPC) plants — the new campaign seems “more aligned with traditional PLA-linked activity in gathering military intelligence”.
“We believe RedFoxtrot conducts cyber espionage operations to gather intelligence on military and defence matters based on the consistent targeting of organisations within this field,” the person quoted above said while explaining that targeting of telecommunications companies could include “strategic intelligence gathering through monitoring of downstream targets (telecommunications customers), bulk collection of communication data, as well as the ability to track and monitor individual targets”.
State-on-state cyber operations typically fall into two categories, sabotage and espionage, with the latter being more common – although both are equally hard to detect and attribute.
In March 2021, the Indian Computer Emergency Response Team (CERT-In) said it found signs of China-linked cyber actors conducting an espionage campaign against the Indian transportation sector.
China and China-linked cyber operations have been seen as a persistent threat in India. “In relation to other ‘Big Four’ adversaries, China, and the PLA, is one of the world’s biggest cyber powers, both in terms of sophistication and the scale of operations. The recent US ODNI (Office of the Director of National Intelligence) annual threat assessment stated China is ‘a prolific and effective cyber-espionage threat, possesses substantial cyber-attack capabilities, and presents a growing influence threat’,” the Recorded Future representative said.