India’s power grid targeted by Chinese hackers – Overview of the malware attack

Residents of Mumbai, India's financial capital, experienced a power outage that affected almost the entire city. Against the backdrop of the existing border tensions, a US-based cybersecurity research company has reported that Chinese state-sponsored hackers attempted to take down the national power grid. The China-linked group 'RedEcho' has been reported as the group behind this attack.

Relations between India and China have deteriorated significantly since the lockdown last year amid the global pandemic that originated in Wuhan. While diplomacy and economic considerations have been effective in forestalling an all-out war, most recently with the reciprocal withdrawal of troops at the border, cyber activity continues, giving the attackers a strong asymmetric capability to conduct cyber espionage or to pre-position within networks for potentially disruptive purposes. The research firm has determined that a subset of the servers used share common infrastructure tactics, techniques, and procedures (TTPs) with several previously reported Chinese state-sponsored groups.

Sources: Reference

The October 12th 2020 grid failure in Mumbai caused widespread blackouts, stopping trains on the tracks, disrupting those working from home in the midst of the COVID-19 pandemic and hitting the already faltering economic activity hard. It took two hours for power to be restored to essential services, prompting CM Uddhav Thackeray to order an enquiry into the incident. In November 2020, media reports suggested that the power disruption in Mumbai was the result of 'treachery' by foreign sources. The government's enquiry into the blackout is expected to be completed soon. [Sources]

Since mid-2020, Recorded Future's Insikt Group has observed a large increase in suspected targeted intrusion activity against Indian organizations from Chinese state-sponsored groups. From mid-2020 onwards, Recorded Future's collection has seen a surge in the use of infrastructure tracked as AXIOMATICASYMPTOTE, which includes ShadowPad command and control (C2) servers, to target a large swath of India's power sector. 10 distinct Indian power sector organizations, including 4 of the 5 Regional Load Despatch Centres (RLDCs), which are responsible for operating the power grid by balancing electricity supply and demand, have been identified as targets in a concerted campaign against India's critical infrastructure. Other targets included 2 Indian seaports.

Recorded Future's findings on AXIOMATICASYMPTOTE: Using a combination of proactive adversary infrastructure detections, domain analysis, and Recorded Future Network Traffic Analysis, we have determined that a subset of these AXIOMATICASYMPTOTE servers share some common infrastructure tactics, techniques, and procedures (TTPs) with several previously reported Chinese state-sponsored groups, including APT41 and Tonto Team. Despite some overlaps with previous groups, Insikt Group does not currently believe there is enough evidence to firmly attribute the activity in this particular campaign to an existing public group and therefore continues to track it as a closely related but distinct activity group, RedEcho. [Sources]

Key findings are summarised below:

The targeting of Indian critical infrastructure offers limited economic espionage opportunities; however, we assess it poses significant concerns over potential pre-positioning of network access to support Chinese strategic objectives.
Pre-positioning on energy assets may support several potential outcomes, including geo-strategic signaling during heightened bilateral tensions, supporting influence operations, or serving as a precursor to kinetic escalation.
RedEcho has strong infrastructure and victimology overlaps with the Chinese groups APT41/Barium and Tonto Team, while ShadowPad is used by at least 5 distinct Chinese groups.
The high concentration of IPs resolving to Indian critical infrastructure entities communicating over several months with a distinct subset of AXIOMATICASYMPTOTE servers used by RedEcho indicates a targeted campaign, with little evidence of wider targeting in Recorded Future's network telemetry.
Sources: References

In the weeks leading up to the clashes in May, a state-sponsored group called Sidewinder — which operates in support of Indian political interests — is said to have singled out Chinese military and government entities in a spear-phishing attack using lures related to COVID-19 or the territorial disputes between Nepal, Pakistan, India, and China [Sources]. The modus operandi aside, the finding is yet another reminder of why critical infrastructure continues to be a lucrative target for an adversary looking to cut off access to essential services used by millions of people. Attacks of this type are effectively a gateway to cyber warfare.

Article by Kaushik Sundararajan

I am a security professional specializing in network security. With vivid experience in different industries, I am looking to explore the current cyberspace and discuss the ideology of certain ideas from a different perspective.

Published by The Art of Cyber-Space

