Chinese hackers targeted 7 Indian power hubs, govt says ops failed
The incident is the latest in a string of cyber espionage attributed to groups based in China, with past attacks targeting critical infrastructure such as power plants
Cyber attackers linked to the Chinese military likely broke into the networks of seven power grid hubs in north India, an American cybersecurity research group said on Thursday, with at least some of the targeting being confirmed by a minister who said the attempts were not successful.
The incident is the latest in a string of cyber espionage attributed to groups based in China, with past attacks targeting critical infrastructure such as power plants, and private organisations in sensitive sectors like defence and finance.
“Two attempts by Chinese hackers were made to target electricity distribution centres near Ladakh but were not successful... We’ve already strengthened our defence system to counter such cyber attacks,” RK Singh, Union minister for Power and new and renewable energy, said to news agency ANI.
Hours earlier, US-based cyber threat intelligence company Recorded Future released a report saying it had found evidence that “at least seven Indian state load dispatch centres (SLDCs)” and an Indian subsidiary of a multinational logistics company were targeted by a China-linked group that it has codenamed TAG-38.
This is the third such attempt reported in a little over a year. In March 2021, Recorded Future released findings of another China-linked cyber espionage campaign that targeted the Indian power grid, attributing the campaign to a group that it calls RedEcho. Later, in June, Recorded Future identified RedFoxtrot, a second China-linked group, as having targeted Indian telecom companies, government agencies and defence contractors.
Of these, the government confirmed the attacks that were linked to RedEcho at the time.
The Recorded Future report released on Thursday said that, following the disclosure last year, there “was a short lull” in the activities of the China-linked adversaries the company was tracking.
But, “since at least September 2021, we have observed TAG-38 intrusions targeting the identified victim organisations”, with activity that continued until at least March 2022.
The company said such “prolonged targeting of Indian power grid assets by Chinese state-linked groups” is unlikely to yield any significant economic or traditional intelligence-gathering opportunities. “We believe this targeting is instead likely intended to enable information gathering surrounding critical infrastructure systems or is pre-positioning for future activity,” it added.
Crucially, the report notes that there was no evidence yet that the attackers reached what is known as the industrial control system (ICS) environment. The ICS environment is typically an insulated network layer that houses the systems involved in critical functions – in the most recent case, this function would be electricity routing and load balancing.
The technical analysis of the new attempt found evidence that the attackers used a malware family called ShadowPad, which has been widely attributed to China-linked cyber operations. Evidence of its use was found in the past two India-focussed activities as well.
“We observed longstanding communication between the victim SLDC networks and ShadowPad C2 (command and control) servers, which is very likely indicative of ShadowPad infections within these networks,” a person from Recorded Future’s threat intelligence Insikt Group told HT over email.
“ShadowPad is a modular backdoor that allows an attacker an array of capabilities, including the ability to extract information about the victim machine, execute commands, transfer data, interact with the file system and registry, and deploy new modules to extend functionality (such as keylogging and screen recording),” this person added.
Recorded Future did not identify the exact SLDCs that were targeted, but a map of the victim organisations in its report suggested these were in Uttarakhand, Himachal Pradesh, Rajasthan, Uttar Pradesh and Delhi.
The company tied the activity to suspected Chinese actors by finding that the victim networks were communicating with known ShadowPad command-and-control servers and through a unique security certificate that has “multiple links to wider Chinese-sponsored espionage activity”.
The person quoted above gave new insights into the espionage attempt, saying the attackers had used compromised internet-connected security cameras and surveillance video recorders located in South Korea and Taiwan to route their “command and control” of the intrusion into the Indian targets.
“Essentially, malware present on a victim network is configured to communicate with an external C2 server in order to enable an attacker to send commands and transfer data. In this case, these C2 servers were compromised third-party IP camera/DVR devices under the control of the attacker. This is likely an attempt to make the traffic look benign and also hinder attribution efforts,” the person said.
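The attribution reasoning described above rests on two observable signals: long-lived, repeated communication from victim hosts to external servers that are already known as C2 infrastructure, and a TLS certificate tied to earlier activity. As an added illustration of how a network defender could look for the same signals in their own connection logs (this is not code from Recorded Future or from the report), the script below parses a small set of constructed outbound-connection records, matches destinations and certificate fingerprints against placeholder indicator lists, and separately flags any internal host that keeps contacting the same external address across several days, which would surface a beaconing implant even when its C2 server is not yet on any indicator list. The log format, the internal address range, the TEST-NET destination addresses and the dummy certificate fingerprint are all assumptions made for the example.

```python
"""Flag outbound connections that match known C2 indicators (IP address or
TLS certificate fingerprint), and internal hosts that contact the same
external address on many distinct days (long-lived beaconing).

Added example with constructed data; the log layout, the internal range and
every indicator value below are assumptions, not values from the report."""
from collections import defaultdict
from datetime import datetime
from ipaddress import ip_address, ip_network

# Assumption: the monitored (SLDC-side) hosts live in this private range.
INTERNAL_NETS = [ip_network("10.0.0.0/8")]

# Placeholder indicators; a real deployment would load these from a
# threat-intelligence feed. 203.0.113.0/24 is a documentation range.
KNOWN_C2_IPS = {"203.0.113.45"}
DUMMY_CERT_SHA1 = "aa" * 20              # constructed fingerprint
KNOWN_CERT_FINGERPRINTS = {DUMMY_CERT_SHA1}

# Constructed log lines: "<iso-ts> <src_ip> <dst_ip> <dst_port> <bytes> <cert_sha1|->"
SAMPLE_LOG = f"""
2022-01-03T02:15:00 10.20.1.7 203.0.113.45 443 1290 {DUMMY_CERT_SHA1}
2022-01-04T02:15:00 10.20.1.7 203.0.113.45 443 1310 {DUMMY_CERT_SHA1}
2022-01-05T02:16:00 10.20.1.7 203.0.113.45 443 1305 {DUMMY_CERT_SHA1}
2022-01-03T09:00:00 10.20.1.9 198.51.100.10 443 54000 -
2022-01-03T09:05:00 10.20.1.9 198.51.100.10 443 61000 -
2022-01-03T04:00:00 10.20.1.9 198.51.100.22 8080 800 -
2022-01-05T04:00:00 10.20.1.9 198.51.100.22 8080 790 -
2022-01-07T04:01:00 10.20.1.9 198.51.100.22 8080 810 -
2022-01-04T11:00:00 198.51.100.77 10.20.1.9 22 300 -
"""


def parse_line(line):
    """Split one whitespace-separated record into a dict of typed fields."""
    ts, src, dst, port, nbytes, cert = line.split()
    return {
        "ts": datetime.fromisoformat(ts),
        "src": src,
        "dst": dst,
        "port": int(port),
        "bytes": int(nbytes),
        "cert": None if cert == "-" else cert.lower(),
    }


def is_internal(ip):
    addr = ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def analyse(lines, min_days=3):
    """Return a sorted, de-duplicated list of alert tuples.

    Alert kinds:
      ("known_c2_ip", src, dst)         destination is a listed C2 address
      ("known_cert", src, dst)          server certificate is a listed fingerprint
      ("persistent", src, dst, n_days)  same pair seen on >= min_days distinct days
    """
    alerts = set()
    days_seen = defaultdict(set)  # (src, dst) -> set of calendar dates
    for raw in lines:
        if not raw.strip():
            continue
        r = parse_line(raw)
        # Only outbound traffic (internal source, external destination) matters here.
        if not is_internal(r["src"]) or is_internal(r["dst"]):
            continue
        if r["dst"] in KNOWN_C2_IPS:
            alerts.add(("known_c2_ip", r["src"], r["dst"]))
        if r["cert"] in KNOWN_CERT_FINGERPRINTS:
            alerts.add(("known_cert", r["src"], r["dst"]))
        days_seen[(r["src"], r["dst"])].add(r["ts"].date())
    # Long-lived communication: the same internal host talking to the same
    # external address day after day, regardless of indicator matches.
    for (src, dst), days in days_seen.items():
        if len(days) >= min_days:
            alerts.add(("persistent", src, dst, len(days)))
    return sorted(alerts)


def run_sample():
    """Analyse the constructed log above; useful as a smoke test."""
    return analyse(SAMPLE_LOG.splitlines())


if __name__ == "__main__":
    for alert in run_sample():
        print(alert)
```

In the sample, host 10.20.1.7 trips all three rules against the placeholder C2 address, while 10.20.1.9 is flagged only for persistence toward 198.51.100.22, the case that matters most when the attacker's relay (here, compromised consumer cameras and DVRs) is not yet in any indicator feed. The inbound SSH record is ignored because only internal-to-external traffic is considered.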
A Chinese foreign ministry official said that the government does not support such activity. “We have taken note of the relevant reports. We have repeatedly reiterated that China firmly opposes and combats any form of hacking in accordance with the law, not to mention that it will not encourage, support or condone hacking attacks,” spokesperson Zhao Lijian said, alleging the findings were meant to “sow discord” and “throw dirty water on China”.
The Indian Computer Emergency Response Team (Cert-In) did not respond to HT’s request for comments.