China’s cyber-attack Unit 69010 is linked to RedFoxtrot APT group

June 26, 2021
cyber espionage RedFoxtrot China Unit 69010 middle east.

A cybersecurity firm has linked several discovered cyber espionage campaigns to China’s cyber-attack Unit 96010. The movements recorded date back to 2014 and were aiming to gather military intelligence of other countries. The cyberespionage attackers are tracked as RedFoxtrot.


According to the reports, evidence reveals that the RedFoxtrot hacking group is currently working under the Chinese People’s Liberation Army’s Unit 69010. The unit is tracked to be located at Urumqi, Xinjiang province, where they run their cybercrime activities.


The group mainly targeted government, aerospace, military defense, mining, research and development, and telecommunication organizations based in the Middle East, specifically from Afghanistan, Pakistan, Kazakhstan, India, Kyrgyzstan, Uzbekistan, and Tajikistan.

Their activities since 2014 show that their attacks are focused on Indian targets, heightened during the time of the border tensions between the two nations, the People’s Republic of China and India.

There were activity overlaps with other hacking groups such as Temp. Trident and Nomad Panda. Additionally, the RedFoxtrot threat group uses custom malware as well as publicly accessible malicious scripts and codes.

The malware under their arsenal was used by other China-linked cyber espionage groups such as RoyalRoad, PlugX, Icefog, PCShare, Poison Ivy, and Shadowpad.


The security firm associated the activities of RedFoxtrot and the PLA Unit 69010 due to the lax OpSec (Operational Security) of one of the members of the hacking group behind the campaigns.

  • The careless OpSec setup uncovered the physical address of the PLA Unit 69010’s Headquarters located at 533 Wenquan East Road, Shuimogou District, Urumqi, Xinjiang Province.
  • The firm did not disclose the complete identity of the individual. However, substantial online data logs showed sufficient evidence indicates that the individual operates from Urumqi.
  • A report in 2020 suggests that RedFoxtrot, with other multiple PLA and Chinese-state, backed hacking group have access and used the ShadowPad backdoor.


People’s Liberation Army has prominent threat groups and is still very active within the Chinese cyber-espionage threat landscape. Intelligence reports related to PLA activity and the Chinese military tactics disclosed around the cybersecurity community provide valuable insights and reveals their working habits. Such information is used to improve cyber defence systems and strategies against these kinds of APT groups.


About the author

Leave a Reply