Amidst border tension, Chinese hackers targeted India’s power through malware: US firm

Washington/Beijing, March 1

Amidst the tense border situation between India and China, a Chinese government-linked group of hackers targeted India’s critical power grid system through malware, a US company has said in its latest study, raising suspicion whether last year’s massive power outage in Mumbai was a result of the online intrusion.

Recorded Future, a Massachusetts-based company which studies the use of the internet by state actors, in its recent report details the campaign conducted by a China-linked threat activity group RedEcho targeting the Indian power sector.

The activity was identified through a combination of large-scale automated network traffic analytics and expert analysis.

Data sources include the Recorded Future Platform, SecurityTrails, Spur, Farsight and common open-source tools and techniques, the report said.

In New Delhi, the Ministry of Power on Monday said there is no impact on operations of Power System Operation Corporation (POSOCO) due to any malware attack and that prompt actions are taken on advisories issued against such threats.

Responding on the findings of the study, the ministry said, “There is no impact on any of the functionalities carried out by POSOCO due to the referred threat. No data breach/ data loss has been detected due to these incidents.”

It further said, “Prompt actions are being taken by the CISOs (chief information security officers) at all these control centres under operation by POSOCO for any incident/advisory received from various agencies like CERT-in, NCIIPC, CERT-Trans etc.”

Read also: Cyber attack, sabotage behind 2020 Mumbai power outage: Raut

The CERT-in (Indian Computer Emergency Response Team) is the nodal agency to deal with cyber security threats like hacking and phishing.

However, the ministry did not mention about the Mumbai outage in its statement.

On October 12, a grid failure in Mumbai resulted in massive power outages, stopping trains on tracks, hampering those working from home amidst the COVID-19 pandemic and hitting the economic activity hard.

In its report, Recorded Future notified the appropriate Indian government departments prior to publication of the suspected intrusions to support incident response and remediation investigations within the impacted organisations.

Since early 2020, Recorded Future’s Insikt Group observed a large increase in suspected targeted intrusion activity against Indian organisations from the Chinese state-sponsored group.

The New York Times, in a report, said the discovery raises the question about whether the Mumbai outage was meant as a message from Beijing about what might happen if India pushed its border claims too vigorously.

In response to the US firm’s allegation, Chinese Foreign Ministry spokesman Wang Wenbin on Monday rejected the criticism about China’s involvement in the hacking of India’s power grid, saying it is “irresponsible and ill-intentioned” practice.

“As a staunch defender of cyber security, China firmly opposes and cracks down on all forms of cyber attacks. Speculation and fabrication have no role to play on the issue of cyber attacks, as it is very difficult to trace the origin of a cyber attack.

“It is highly irresponsible to accuse a particular party when there is no sufficient evidence around. China is firmly opposed to such irresponsible and ill-intentioned practice,” Wang said in Beijing.

According to the Recorded Future report, from mid-2020 onwards, Recorded Future’s midpoint collection revealed a steep rise in the use of infrastructure tracked as AXIOMATICASYMPTOTE, which encompasses ShadowPad command and control (C2) servers, to target a large swathe of India’s power sector.

Ten distinct Indian power sector organisations, including four of the five Regional Load Despatch Centres responsible for operation of the power grid through balancing electricity supply and demand, have been identified as targets in a concerted campaign against India’s critical infrastructure.

Other targets identified included two Indian seaports, it said, adding the targeting of Indian critical infrastructure offers limited economic espionage opportunities.

“However, we assess they pose significant concerns over potential pre-positioning of network access to support Chinese strategic objectives.

“Pre-positioning on energy assets may support several potential outcomes, including geostrategic signalling during heightened bilateral tensions, supporting influence operations, or as a precursor to kinetic escalation,” it said.

RedEcho has strong infrastructure and victimology overlaps with Chinese groups APT41/Barium and Tonto Team, while ShadowPad is used by at least five distinct Chinese groups, it said.

Recorded Future said in the lead-up to the May 2020 border skirmishes, it observed a noticeable increase in the provisioning of PlugX malware C2 infrastructure, much of which was subsequently used in intrusion activity targeting Indian organisations.

“The PlugX activity included the targeting of multiple Indian government, public sector and defence organisations from at least May 2020,” it said.

While not unique to Chinese cyber espionage activity, PlugX has been heavily used by China-nexus groups for many years.

“Throughout the remainder of 2020, we identified a heavy focus on the targeting of Indian government and private sector organisations by multiple Chinese state-sponsored threat activity groups,” it said.

Recorder Future also alleged that it also observed the suspected Indian state-sponsored group Sidewinder target Chinese military and government entities in 2020, in activity overlapping with recent Trend Micro research.

The US company’s report came as the armies of the two countries began disengagement of troops locked in over eight-month-long standoff in eastern Ladakh. PTI

Join Whatsapp Channel of The Tribune for latest updates.