Last June, the Chinese army attacked Indian soldiers in the Galwan Valley in Ladakh. Four months later, train traffic and the stock market in Mumbai were disrupted by a blackout. Hospitals had to switch to emergency power generators.
A report by a US company confirms the theory that these two events may have been linked – as part of a Chinese cyber campaign against Mumbai’s power grid.
The report alleges that Chinese cyber warriors attacked the control systems that manage power supplies in Mumbai during the clash in Galwan.
Recorded Future, a Massachusetts-based company studying the use of the Internet by state actors, describes in its report the campaign by a China-affiliated threat activity group RedEcho targeting India’s energy sector. The activity was identified through a combination of extensive automated network traffic analysis and expert analysis.
The report’s executive summary reads: “Relations between India and China have deteriorated significantly following border collisions in May 2020 that resulted in the first deaths in 45 years between the world’s two most populous nations. As a result, Indian Foreign Minister Subrahmanyam Jaishankar announced on January 12, 2021 that trust between India and China was ‘deeply disrupted’. While diplomacy and economic factors have been effective in preventing a full-blown war, particularly through bilateral border withdrawal, cyber operations continue to provide countries with a strong asymmetric ability to conduct espionage or to preposition within networks for potentially disruptive reasons.”
Recorded Future states in its report that it informed the relevant Indian government departments prior to publication.
Since the beginning of 2020, Recorded Future’s Insikt Group has seen a sharp increase in suspected targeted intrusion activity against Indian organizations by the state-sponsored Chinese group.
According to the report, from mid-2020 onwards, Recorded Future’s Midpoint collection saw a sharp increase in the use of the infrastructure tracked as AXIOMATICASYMPTOTE, which includes ShadowPad command-and-control (C2) servers, to target a large portion of India’s energy sector.
Ten different Indian energy sector organizations, including four of the five Regional Load Dispatch Centres (RLDCs) responsible for operating the electricity grid by balancing supply and demand, have been identified as targets in a concerted campaign against India’s critical infrastructure. Two Indian seaports were also identified as targets.
However, according to the report, targeting India’s critical infrastructure offers limited opportunity for industrial espionage.
Recorded Future announced that in the run-up to the May 2020 border skirmishes, there was a noticeable increase in the deployment of the PlugX malware C2 infrastructure, much of which was used for intrusion activities against Indian organizations.
The report came as the armies of the two countries began to withdraw troops locked in an eight-month stalemate in eastern Ladakh.
The State Department did not respond to the report. Sources told ET the claims have yet to be verified. The government is trying to verify the accuracy of the information.
In the meantime, the Union Ministry of Energy has confirmed that a system for monitoring and analyzing cyber activity is already in place in all RLDCs and NLDCs operated by POSOCO. In addition, on November 19, 2020, CERT-In sent an email about the threat posed by malware called Shadow Pad in some of POSOCO’s control centers. Accordingly, steps have been taken to counter these threats.
NCIIPC then informed them by email on February 12, 2021 of the Red Echo threat posed by malware called Shadow Pad. It states: “The Chinese state-sponsored threat actor group known as Red Echo targets the Regional Load Dispatch Centers (RLDCs) of the Indian energy sector as well as the State Load Dispatch Centers (SLDCs).”
All IPs and domains listed in the NCIIPC mail were blocked at the firewall in all control centers. According to the statement, firewall logs are monitored for every connection attempt to the listed IPs and domains.
The IPs mentioned in the Red Echo advisory are the same as those in the Shadow Pad incidents reported by CERT-In back in November 2020.
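As an added illustration of the monitoring described above (this is not code from the article, NCIIPC or POSOCO): a small Python checker that matches firewall log records against an advisory blocklist of IPs and domains, reporting every connection attempt whether the firewall allowed or denied it. The indicators and log lines are constructed placeholders, not the real ones from the advisory.

```python
import re
from typing import Dict, List

# Constructed placeholder indicators standing in for the advisory's list
# (documentation/reserved ranges only; the real IPs and domains are not reproduced).
BLOCKED_IPS = {"198.51.100.23", "203.0.113.77"}
BLOCKED_DOMAINS = {"c2-placeholder.example", "update.placeholder.invalid"}

# Constructed firewall log lines in a syslog-style key=value format.
SAMPLE_LOG = """\
2021-02-13T09:14:02Z fw1 action=deny src=10.20.1.15 dst=198.51.100.23 dport=443 proto=tcp
2021-02-13T09:14:05Z fw1 action=allow src=10.20.1.16 dst=10.20.0.1 dport=53 proto=udp
2021-02-13T09:15:11Z fw1 action=deny src=10.20.1.15 dst=192.0.2.9 dport=80 proto=tcp fqdn=mail.c2-placeholder.example
2021-02-13T09:16:40Z fw1 action=allow src=10.20.1.17 dst=93.184.216.34 dport=443 proto=tcp fqdn=example.com
"""

KV_RE = re.compile(r"(\w+)=(\S+)")

def parse_line(line: str) -> Dict[str, str]:
    """Split one key=value firewall log line into a dict, keeping timestamp and host."""
    parts = line.split(maxsplit=2)
    fields = {"ts": parts[0], "host": parts[1]}
    fields.update(KV_RE.findall(parts[2]))
    return fields

def domain_matches(fqdn: str, blocked: set) -> bool:
    """True if fqdn equals a blocked domain or is a subdomain of one (case-insensitive)."""
    fqdn = fqdn.lower().rstrip(".")
    return any(fqdn == d or fqdn.endswith("." + d) for d in blocked)

def find_hits(log_text: str, ips=BLOCKED_IPS, domains=BLOCKED_DOMAINS) -> List[Dict[str, str]]:
    """Return every record whose destination IP or FQDN is on the blocklist.

    A denied connection is still a hit: the attempt itself indicates a host
    trying to reach listed infrastructure and warrants investigation."""
    hits = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        rec = parse_line(line)
        if rec.get("dst", "") in ips:
            rec["match"] = "ip"
        elif "fqdn" in rec and domain_matches(rec["fqdn"], domains):
            rec["match"] = "domain"
        else:
            continue
        hits.append(rec)
    return hits

if __name__ == "__main__":
    for h in find_hits(SAMPLE_LOG):
        print(f"{h['ts']} {h['src']} -> {h['dst']} ({h['match']}, action={h['action']})")
```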
MAHARASHTRA CLAIMS IT WAS A MALWARE ATTACK
The Maharashtra government has claimed that the grid failure that caused a power outage in Mumbai and neighboring cities on October 12th last year was the result of a “malware attack” from abroad.
The state’s interior minister, Anil Deshmukh, told media representatives on Monday that the state cyber cell was investigating the case at the request of energy minister Nitin Raut.
“He (Raut) asked us to examine the cyber cell. The SCADA system (Supervisory Control and Data Acquisition) was analyzed by our Cyber Cell team. They presented us with a report which indicated that it may have been an act of sabotage,” Deshmukh said.
He refused to say which country was behind the blackout, but said the state cyber cell report indicated that the attacks on the power grid came from abroad. However, he alluded to the NY Times report and the Recorded Future report to say the attack came from China.
Deshmukh said he had turned the report over to Nitin Raut and Raut would make a decision on whether to conduct further investigations or how to move the case forward.
China denied any role in the cyber attack on India’s energy sector. The Chinese Foreign Ministry claimed it was a firm believer in cybersecurity. “We are resolutely against any kind of cyber attack and we fight them. It is difficult to trace the origin of the cyber attacks. You can’t make wanton guesses or smear a particular country without evidence. This is irresponsible and malicious. China is strongly against such behavior.”