The Inside Story on RedFoxtrot: How Network Traffic Analysis Revealed Ties to Chinese Military
June 17, 2021 • Ellen Wilson
Increasingly dynamic threat landscapes require security teams to maintain a real-time, comprehensive understanding of all potential threats that could impact their organization, vendors, or partners. Insikt Group, Recorded Future’s threat research division, recently released a breakthrough report on a suspected Chinese state-sponsored threat group, tracked as RedFoxtrot, targeting aerospace and defense, government, telecommunications, mining, and research organizations across multiple countries.
Recorded Future’s Insikt Group is composed of subject-matter experts in technical threat intelligence and foreign adversary tactics, techniques, and procedures (TTPs), including analysts and security researchers with deep government and industry experience as well as native foreign-language skills. Insikt Group identified ties between RedFoxtrot and the Chinese military intelligence apparatus, specifically People’s Liberation Army (PLA) Unit 69010 located in Ürümqi, Xinjiang, providing new insights into the operational infrastructure and targets of RedFoxtrot.
So, how did the Insikt Group gain a rare glimpse into RedFoxtrot and PLA cyber espionage tactics and techniques?
In addition to other security tools and techniques, Insikt Group utilized the Recorded Future Intelligence Platform to profile RedFoxtrot. The Recorded Future Intelligence Platform is powered by a proprietary analysis engine, the Intelligence Graph, which collects, aggregates, analyzes, and connects data in any language from a vast number of attacker, midpoint, and victim data sources to produce real-time, validated intelligence and provide the most complete picture of your organization’s threat landscape.
Insikt Group is able to quickly and confidently define attack behaviors and inform security strategy with intelligence from network traffic analysis, malware sandbox analysis, infrastructure analysis, and more. In particular, using Recorded Future Network Traffic Analysis (NTA), adversary infrastructure detection, and other common analytical techniques, Insikt Group tracked a large cluster of RedFoxtrot infrastructure and associated malware samples used in active intrusions over the past 6 months.
Going beyond traditional NTA, which is based on internal information, Recorded Future leverages an extensive array of external data and is able to identify and analyze activity between a network and external adversary control points. Using proprietary collection and analytics, Recorded Future observes traffic between victim networks and the attacker, identifying an attacker’s infrastructure from the building and staging of that infrastructure through to the launching of an attack. With Recorded Future NTA, organizations can monitor, detect, and research adversaries like RedFoxtrot and their malicious infrastructure activity in real time, enabling them to shut down attacks before damage is done.
Recorded Future clients also have access to additional insights and tools to better understand and mitigate potential threats related to RedFoxtrot, including:
- Hunting Packages: Hunt for and detect malware families used by RedFoxtrot in your network, endpoint, or malware security solution.
- The Command and Control (C2) Security Control Feed: Alert on and block RedFoxtrot-related C2 servers to allow for detection and remediation of active intrusions.
- Real-time monitoring and alerting: Identify suspected targeted intrusion activity involving your organization, vendors, or partners with the Intelligence Goals Library.
To learn more about RedFoxtrot and how best to protect your organization with the Recorded Future Intelligence Platform, register for one of the upcoming RedFoxtrot webinars in your region: Americas, EMEA, and APJ.