According to the study by Recorded Future, a US-based company that monitors the use of the internet by state actors for cyber-campaigns, NTPC Limited, the country’s largest power conglomerate, five primary regional load dispatch centers that aid in the management of the national power grid by balancing electricity supply and demand, and two ports were among the organizations attacked.
As per the Indian National Critical Information Infrastructure Protection Centre’s (NCIIPC) definition, all 12 organizations are critical infrastructure.
The activity appears to have started well before the May 2020 clashes between Indian and Chinese troops that triggered the border standoff along the Line of Actual Control in eastern Ladakh, the report said. It further stated that there was a “steep rise” in the use of a particular software by Chinese organizations to target “a large swathe of India’s power sector” from the middle of last year.
Some Chinese groups have links to the Ministry of State Security (MSS), China’s leading intelligence and security agency, and to the People’s Liberation Army (PLA). The report further alleged that, apart from the power sector, numerous government and defense organizations were also on the radar.
“In the lead-up to the May 2020 skirmishes, we observed a noticeable increase in the provisioning of PlugX malware C2 infrastructure, much of which was subsequently used in intrusion activity targeting Indian organizations. The PlugX activity included the targeting of multiple Indian governments, public sector, and defense organizations from at least May 2020,” the report said.
The border standoff in Eastern Ladakh between the Indian and Chinese armies erupted on May 5 last year following a violent clash in the Pangong Lake area. Both sides gradually enhanced their deployment by rushing in tens of thousands of soldiers and heavy weaponry. Earlier this month, the armies of the two countries concluded the withdrawal of troops and weapons from the north and south banks of Pangong Tso in the high-altitude region.
Although the report did not mention any disruptions caused by the insertion of malware, it talked about a massive power outage in Mumbai on October 13, 2020, allegedly caused by the insertion of malware at the state load dispatch center in Padgham. Maharashtra power minister Nitin Raut had said that authorities suspected sabotage was the cause of the outage.
The two-hour power outage caused the closure of the stock exchange, while trains were canceled and offices across Mumbai, Thane, and Navi Mumbai were shut down.
However, the Recorded Future study investigators said that the alleged link between the outage and the discovery of the unknown malware in the system “remains unsubstantiated,” but “additional evidence suggested the coordinated targeting of the Indian load dispatch centers.”
Recorded Future said in its report, “At this time, the alleged link between the outage and the discovery of the unspecified malware variant remains unsubstantiated. However, this disclosure provides additional evidence suggesting the coordinated targeting of Indian Load Dispatch Centres.”
Red Echo, the Chinese group behind the intrusion, was described by Recorded Future as having clear overlaps – in terms of both the technologies it uses and the victims it targets – with other organizations, including APT41/Barium and Tonto Team, which have been active in similar cyber-campaigns.
The 12 organizations that fell victim to the cyber attack by Red Echo included Power System Operation Corporation Limited, NTPC Limited, NTPC’s Kudgi power plant, Western Regional Load Dispatch Centre, Southern Regional Load Dispatch Centre, North Eastern Regional Load Dispatch Centre, Eastern Regional Load Dispatch Centre, Telangana State Load Dispatch Centre, Delhi State Load Dispatch Centre, the DTL Tikri Kalan (Mundka) sub-station of Delhi Transco Ltd, VO Chidambaranar Port, and Mumbai Port Trust.
According to the report, the intrusions used ShadowPad, a modular backdoor tool which China-linked groups have used to launch their intrusion campaigns since 2017. “We assess that the sharing of ShadowPad is prevalent across groups affiliated with both Chinese Ministry of State Security (MSS) and groups affiliated with the People’s Liberation Army (PLA), and is likely linked to the presence of a centralized ShadowPad developer or quartermaster responsible for maintaining and updating the tool,” the report stated.
Red Echo “has been seen to systematically utilize advanced cyber intrusion techniques to quietly gain a foothold in nearly a dozen critical nodes across the Indian power generation and transmission infrastructure,” The New York Times quoted Recorded Future’s chief operating officer Stuart Solomon as saying.