China targeted Indian power sector through malware

An American threat-intelligence company has detailed a campaign by the China-linked threat activity group RedEcho targeting the Indian power sector through malware.

A recent report by Recorded Future, a Massachusetts-based company that studies the use of the Internet by state actors, details a campaign conducted by the China-linked threat activity group RedEcho targeting the Indian power sector through malware. Analysing large-scale network traffic from data sources that include the Recorded Future Platform, SecurityTrails, Spur, Farsight and common open-source tools and techniques, the study suggested that Chinese state actors, shielded by deniability, may have been behind the grid failure in Mumbai on October 12, 2020, although it did not establish that link conclusively. The outage halted stock market operations, stopped trains from running, and interrupted people working from home during the Covid-19 lockdown. It took two hours for power to be restored. Recorded Future said it had noticed an increase in suspicious traffic patterns directed at Indian organisations by Chinese state-sponsored groups.
Ten distinct power sector organisations, including four Regional Load Dispatch Centres responsible for balancing electricity supply and demand, were targeted in a concerted campaign. Some seaports were also targeted. The report observed that targeting such infrastructure has limited economic espionage value but creates a nuisance and an operational impediment, sending a message to India that its adversary knows where it is vulnerable. In the report's opinion, “Pre-positioning on energy assets may support several potential outcomes, including geostrategic signalling during heightened bilateral tensions, supporting influence operations, or as a precursor to kinetic escalation.”
Massachusetts-based company Recorded Future
Providing some evidence, the report said “RedEcho has strong infrastructure and victimology overlaps with Chinese groups APT41/Barium and Tonto Team, while ShadowPad is used by at least five distinct Chinese groups.” The pattern of the campaign, with a “high concentration of IPs resolving to Indian critical infrastructure entities communicating over several months with a distinct subset of AXIOMATICASYMPTOTE servers used by RedEcho”, indicated a targeted campaign; AXIOMATICASYMPTOTE is Recorded Future's name for the ShadowPad command-and-control infrastructure it tracks. There was “little evidence of wider targeting in Recorded Future's network telemetry.” Interestingly, Recorded Future said that in the lead-up to the May 2020 border skirmishes it observed “a noticeable increase in the provisioning of PlugX malware C2 infrastructure, much of which was subsequently used in intrusion activity targeting” “multiple governments, public sector and defence organisations.” PlugX is not used exclusively by Chinese actors, but it is a favourite of “China-nexus groups.”
RedEcho cancelled its domains after it was exposed
Prior to the publication of its report, Recorded Future notified the Indian government of the suspected intrusions to support incident response and remediation investigations within the impacted organisations. The Indian government did not immediately react to the report. Predictably, Chinese Foreign Ministry spokesman Wang Wenbin rejected the accusation, casting aspersions on the company and calling it “irresponsible and ill-intentioned” to make allegations without proof.
However, Recorded Future also alleged that it observed heavily focused targeting of Chinese military and government entities by the “suspected Indian state-sponsored group Sidewinder.” The Indian government has not officially commented on the report beyond a statement from the Union Power Ministry that “There is no impact on any of the functionalities carried out by POSOCO (Power System Operation Corporation Limited) due to the referred threat. No data breach or data loss has been detected due to these incidents.” In classic bureaucratic handwaving, it added that “Prompt actions are being taken by the CISOs at all these control centres under operation by POSOCO for any incident/advisory received from various agencies like CERT-In, NCIIPC (National Critical Information Infrastructure Protection Centre), CERT-Trans etc.”
Power System Operation Corporation Limited
“The report of Insikt also refers to the threat actors already informed by CERT-In and NCIIPC. All IPs and domains listed in the NCIIPC mail have been blocked in the firewall at all control centres. Firewall logs are being monitored for any connection attempt towards the listed IPs and domains. Additionally, all systems in control centres were scanned and cleaned by antivirus.” While these measures are appropriate, they are reactive: blocking indicators that have already been published does nothing against the infrastructure the group provisions next. It is not clear what more the Indian security agencies have done to block traffic from China.
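As an added illustration of the block-and-monitor step the ministry describes (this is not code from the report, Recorded Future or POSOCO), the following Python checks iptables-style firewall log lines and BIND-style resolver query lines against an indicator list, flagging any outbound connection to a listed IP or CIDR and any lookup of a listed domain or its subdomains. The indicators and log lines are constructed: the addresses are RFC 5737 documentation ranges and the domain names are invented.

```python
"""Match firewall and DNS query logs against a published indicator list.

Added example with constructed data; the real indicator list would be the one
circulated by NCIIPC/CERT-In, and the real logs would come from the control
centre firewalls and resolvers.
"""
import ipaddress
import re
from dataclasses import dataclass

# Constructed indicators (RFC 5737 documentation ranges, invented domains).
IOC_IPS = ["198.51.100.23", "203.0.113.0/24"]
IOC_DOMAINS = ["c2.example.invalid", "update-cdn.example.invalid"]

# iptables LOG target format: "... SRC=a.b.c.d DST=e.f.g.h PROTO=TCP SPT=n DPT=m"
FW_RE = re.compile(r"SRC=(?P<src>\S+) DST=(?P<dst>\S+) .*?DPT=(?P<dport>\d+)")
# BIND-style query log: "client a.b.c.d#port: query: name IN A"
DNS_RE = re.compile(r"client (?P<src>\S+)#\d+: query: (?P<qname>\S+) IN")

# Constructed sample log lines; the second and fifth should not alert.
SAMPLE_LOGS = [
    "Mar  2 10:14:01 fw1 kernel: OUT=eth0 SRC=10.20.30.40 DST=198.51.100.23 PROTO=TCP SPT=51234 DPT=443",
    "Mar  2 10:14:05 fw1 kernel: OUT=eth0 SRC=10.20.30.41 DST=192.0.2.10 PROTO=TCP SPT=51235 DPT=443",
    "Mar  2 10:14:09 fw1 kernel: OUT=eth0 SRC=10.20.30.42 DST=203.0.113.77 PROTO=TCP SPT=51236 DPT=8080",
    "02-Mar-2021 10:15:00.123 client 10.20.30.40#53122: query: www.c2.example.invalid IN A",
    "02-Mar-2021 10:15:02.456 client 10.20.30.43#53123: query: notc2.example.invalid IN A",
]


@dataclass
class Alert:
    src: str        # internal host that attempted the connection or lookup
    indicator: str  # the listed IP/CIDR or domain that matched
    kind: str       # "ip" or "domain"
    line: str       # the raw log line, kept for the incident record


class IocMatcher:
    def __init__(self, ips, domains):
        # Single addresses become /32 networks so one membership test covers both.
        self.nets = [ipaddress.ip_network(i, strict=False) for i in ips]
        self.domains = [d.lower().rstrip(".") for d in domains]

    def match_ip(self, addr):
        try:
            a = ipaddress.ip_address(addr)
        except ValueError:
            return None
        for n in self.nets:
            if a in n:
                return str(n)
        return None

    def match_domain(self, name):
        # Exact match or a subdomain; a bare endswith() would also catch
        # "notc2.example.invalid", so the leading dot is required.
        name = name.lower().rstrip(".")
        for d in self.domains:
            if name == d or name.endswith("." + d):
                return d
        return None

    def scan(self, lines):
        alerts = []
        for line in lines:
            m = FW_RE.search(line)
            if m:
                hit = self.match_ip(m["dst"])
                if hit:
                    alerts.append(Alert(m["src"], hit, "ip", line))
                continue
            m = DNS_RE.search(line)
            if m:
                hit = self.match_domain(m["qname"])
                if hit:
                    alerts.append(Alert(m["src"], hit, "domain", line))
        return alerts


def scan_sample():
    """Run the constructed sample logs through the matcher."""
    return IocMatcher(IOC_IPS, IOC_DOMAINS).scan(SAMPLE_LOGS)


if __name__ == "__main__":
    for a in scan_sample():
        print(f"{a.kind:6} {a.src} -> {a.indicator}")
```

Matching on domains as well as addresses matters because, as noted above, RedEcho dropped its exposed domains; a block list of addresses alone goes stale as soon as the operators re-point their names.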
However, Maharashtra Energy Minister Nitin Raut, who has a reputation of being a motormouth, asserted that the October 2020 power outage was “caused by a cyberattack” and was an act of “sabotage.” It is not known whether Raut's statement was intended to embarrass the Union government, as is his wont, or because it was true.
Seen against the background of border clashes in which twenty Indian soldiers and scores of Chinese soldiers were killed, this campaign is seen by some analysts as China's way of embarrassing India and showing that it can target Indian assets with impunity.
Cyberattack the next weapon the world needs to worry about