Chinese hackers targeted 12 Indian organizations; infiltrated power sector: Study
Chinese state-sponsored hacker groups have targeted over 12 Indian state-run organizations, primarily power utilities and load dispatch centers since mid-2020, a cyber intelligence company has said in its report. According to the study, the hackers attempted to inject malware that could cause widespread disruptions. It also mentioned last year's blackout in Mumbai, which may have been linked to malware. These allegations, however, remain unsubstantiated.
NTPC Limited among those targeted by 'Red Echo'
The study was conducted by the US-based company Recorded Future that monitors the use of the internet by state actors for cyber-campaigns. India's largest power conglomerate NTPC Limited, five primary regional load dispatch centers that aid in the management of the national power grid by balancing electricity supply and demand, and two ports were among the organizations targeted by the Chinese group Red Echo.
Red Echo uses 'advanced cyberintrusion techniques'
Red Echo reportedly uses a modular backdoor tool, ShadowPad, which Chinese groups have deployed in intrusion campaigns since 2017. Red Echo "has been seen to systematically utilize advanced cyberintrusion techniques to quietly gain a foothold in nearly a dozen critical nodes across the Indian power generation and transmission infrastructure," The New York Times quoted Recorded Future's COO Stuart Solomon as saying.
Intrusion started before India-China border row erupted last May
The study said the activity appeared to have started well before May 2020, when Indian and Chinese troops had faced off along the border in eastern Ladakh, triggering an ongoing row. There was a "steep rise" in the use of a particular piece of software by Chinese groups to target "a large swathe of India's power sector" from mid-2020, the report added.
Chinese groups have links to intelligence agency, army: Study
The report further mentioned that some of these Chinese groups have links to the Ministry of State Security (MSS)—China's main intelligence and security agency—and the People's Liberation Army. Apart from the power sector, many government and defense organizations were also on the radar, it said.
'Noticeable increase in provisioning of PlugX malware before May 2020'
The report said, "In the lead-up to the May 2020 skirmishes, we observed a noticeable increase in the provisioning of PlugX malware C2 infrastructure, much of which was subsequently used in intrusion activity targeting Indian organizations." "The PlugX activity included the targeting of multiple Indian government, public sector, and defense organizations from at least May 2020," it added.
Mumbai power outage allegedly caused by malware
The report mentioned that the power outage in Mumbai on October 13, 2020, was allegedly caused by the insertion of malware at a state load dispatch center in Padgha. The power outage had shut down the stock exchange. Trains were canceled and offices across Mumbai and Thane were also closed. At the time, Maharashtra Power Minister Nitin Raut had said that authorities suspected sabotage.
Link between Mumbai power outage, malware 'unsubstantiated'
The study said the alleged link between the Mumbai power outage and malware "remains unsubstantiated" but "additional evidence suggested the coordinated targeting of the Indian load dispatch centers." "At this time, the alleged link between the outage and the discovery of the unspecified malware variant remains unsubstantiated. However, this disclosure provides additional evidence suggesting the coordinated targeting of Indian Load Dispatch Centres," it added.