Computer networks of at least 12 Indian state-run organisations, primarily power utilities and load dispatch centres, have been targeted by Chinese state-sponsored groups since mid-2020 in an attempt to inject malware that could cause widespread disruptions, a new study has revealed.
According to the study by Recorded Future, a US-based company that monitors the use of the internet by state actors for cyber-campaigns, NTPC Limited, the country’s largest power conglomerate, five primary regional load dispatch centres that aid in the management of the national power grid by balancing electricity supply and demand, and two ports were among the organisations attacked.
As per the Indian National Critical Information Infrastructure Protection Centre’s (NCIIPC) definition, all 12 organisations are critical infrastructure.
The activity appears to have started well before the May 2020 clashes between Indian and Chinese troops that triggered the border standoff along the Line of Actual Control in eastern Ladakh, the report said. It further stated that there was a “steep rise” in the use of a particular software by Chinese organisations to target “a large swathe of India’s power sector” from the middle of last year.
Some of the Chinese groups are known to have links to the Ministry of State Security (MSS), China’s main intelligence and security agency, and the People’s Liberation Army (PLA). The report further alleged that apart from the power sector, numerous government and defence organisations were also on the radar.
“In the lead-up to the May 2020 skirmishes, we observed a noticeable increase in the provisioning of PlugX malware C2 infrastructure, much of which was subsequently used in intrusion activity targeting Indian organizations. The PlugX activity included the targeting of multiple Indian government, public sector, and defense organizations from at least May 2020,” the report said.
The border standoff in Eastern Ladakh between the Indian and Chinese armies erupted on May 5 last year following a violent clash in the Pangong Lake area and both sides gradually enhanced their deployment by rushing in tens of thousands of soldiers as well as heavy weaponry. Earlier this month, the armies of the two countries concluded the withdrawal of troops and weapons from the north and south banks of Pangong Tso in the high-altitude region.
Although the report did not mention any disruptions caused by the insertion of malware, it talked about a massive power outage in Mumbai on October 13, 2020 that was allegedly caused by the insertion of malware at a state load dispatch centre in Padgha. Maharashtra power minister Nitin Raut had said at the time that authorities suspected sabotage was the cause of the outage.
The two-hour power outage caused the closure of the stock exchange, while trains were cancelled and offices across Mumbai, Thane and Navi Mumbai were shut down.
However, the investigators of the Recorded Future study said that the alleged link between the outage and the discovery of the unspecified malware in the system “remains unsubstantiated” but “additional evidence suggested the coordinated targeting of the Indian load dispatch centers”.
Recorded Future said in its report, “At this time, the alleged link between the outage and the discovery of the unspecified malware variant remains unsubstantiated. However, this disclosure provides additional evidence suggesting the coordinated targeting of Indian Load Dispatch Centres.”
Red Echo, the Chinese group behind the intrusion, was described by Recorded Future as having clear overlaps – in terms of both the technologies it employs and the victims it targets – with other groups, including APT41/Barium and Tonto Team, which have been active in similar cyber-campaigns.
The 12 organisations that fell victim to the cyber attack by Red Echo included Power System Operation Corporation Limited, NTPC Limited, NTPC’s Kudgi power plant, Western Regional Load Dispatch Centre, Southern Regional Load Dispatch Centre, North Eastern Regional Load Dispatch Centre, Eastern Regional Load Dispatch Centre, Telangana State Load Dispatch Centre, Delhi State Load Dispatch Centre, the DTL Tikri Kalan (Mundka) sub-station of Delhi Transco Ltd, VO Chidambaranar Port and Mumbai Port Trust.
According to the report, these groups use a modular backdoor tool, ShadowPad, which China-linked groups have used to launch their intrusion campaigns since 2017. “We assess that the sharing of ShadowPad is prevalent across groups affiliated with both Chinese Ministry of State Security (MSS) and groups affiliated with the People’s Liberation Army (PLA), and is likely linked to the presence of a centralized ShadowPad developer or quartermaster responsible for maintaining and updating the tool,” the report stated.
Red Echo “has been seen to systematically utilize advanced cyberintrusion techniques to quietly gain a foothold in nearly a dozen critical nodes across the Indian power generation and transmission infrastructure,” The New York Times quoted Recorded Future’s chief operating officer Stuart Solomon as saying.