Study by Cybersecurity firm Recorded Future found that China-linked hacker Group RedEcho targeted at least “10 distinct power sector organisations” with malware known as ShadowPad last year resulting in power shutdowns and loss of power to Mumbai’s metro network on 13 October 2020. The findings which were published on the firms website was reported by New York Times on Monday.
The study report says that Chinese government-linked attackers possibly gained access to computer networks part of India’s power infrastructure. It also hints that based on technical clues, Indian power ministry officials were also on their radar.
The study shows that as the standoff continued in Ladakh, Chinese malware was flowing into the control systems that manage electric supply across India, along with a high-voltage transmission substation and a coal-fired power plant.
Recorded Future says the hackers activity was identified through a combination of large-scale automated network traffic analytics and expert analysis. Data sources include the Recorded Future Platform, SecurityTrails, Spur, Farsight, and common open-source tools and techniques. The firm has since notified the appropriate Indian government departments of the suspected intrusions to support incident response and remediation investigations within the impacted organizations.
Key findings
- Since early 2020, Recorded Future’s Insikt Group observed a large increase in suspected targeted intrusion activity against Indian organizations from Chinese state-sponsored groups.
- From mid-2020 onwards, Recorded Future’s midpoint collection revealed a steep rise in the use of infrastructure tracked as AXIOMATICASYMPTOTE, which encompasses ShadowPad command and control (C2) servers, to target a large swathe of India’s power sector.
- 10 distinct Indian power sector organizations, including 4 of the 5 Regional Load Despatch Centres (RLDC) responsible for operation of the power grid through balancing electricity supply and demand, have been identified as targets in a concerted campaign against India’s critical infrastructure. Other targets identified included 2 Indian seaports.
- Using a combination of proactive adversary infrastructure detections, domain analysis, and Recorded Future Network Traffic Analysis, we have determined that a subset of these AXIOMATICASYMPTOTE servers share some common infrastructure tactics, techniques, and procedures (TTPs) with several previously reported Chinese state-sponsored groups, including APT41 and Tonto Team.
- RedEcho has strong infrastructure and victimology overlaps with Chinese groups APT41/Barium and Tonto Team, while ShadowPad is used by at least 5 distinct Chinese groups.
- The high concentration of IPs resolving to Indian critical infrastructure entities communicating over several months with a distinct subset of AXIOMATICASYMPTOTE servers used by RedEcho indicate a targeted campaign.
- The targeting of Indian critical infrastructure was to showcase pre-positioning of Indian network access to support Chinese strategic objectives, rather than economic espionage.
- Pre-positioning on energy assets may support several potential outcomes, including geo-strategic signaling during heightened bilateral tensions, supporting influence operations, or as a precursor to kinetic escalation.
- Hours after the disclosure, the Union power ministry said it had received inputs from Indian agencies — first in November and then again in February this year — about the threat of infection from ShadowPad, prompting remedial measures.
- The ministry said no data breach or data loss has been detected due to these incidents.
- The ministry’s statement suggested that the attacks were not behind the October 12, 2020, power outage in Mumbai that had lasted up to 12 hours in some parts of India’s financial capital, bringing the city’s local trains to a halt and forcing the airport to switch to back-up supply.
- Maharashtra energy minister Nitin Raut on Monday said that he had expressed the possibility that a ‘sabotage’ was behind last October’s power outage in Mumbai.