Chinese hacker groups target at least dozen Indian organisations

Was a power outage that shut down Mumbai’s stock exchange and train services last October linked to the reported intrusion by Chinese state-sponsored groups into the computer networks of Indian power utilities and load dispatch centres?

That’s the question being asked in cyber security circles after Recorded Future, a US-based security consultancy reported that Chinese groups had intruded into the networks of at least a dozen Indian state-run organisations since mid-2020 in an attempt to insert malware that could cause widespread disruptions.

Among the organisations targeted were NTPC Limited, the country’s largest power conglomerate, five key regional load dispatch centres that help in the management of the national power grid by balancing electricity supply and demand, and the ports at Mumbai and Tuticorin, says the new study by Recorded Future, which tracks the use of the internet by state actors for cyber-campaigns.

All 12 organisations would qualify as critical infrastructure, according to the Indian National Critical Information Infrastructure Protection Centre’s (NCIIPC) definition.

The activity apparently began much before clashes between Indian and Chinese troops in May 2020, which triggered the border standoff in Ladakh sector of the Line of Actual Control (LAC), and there was a “steep rise” from the middle of last year in the use of a particular malware linked to Chinese state-sponsored groups to target “a large swathe of India’s power sector”, Recorded Future said.

The report further said the alleged intrusions by the Chinese groups, some with known links to the Ministry of State Security (MSS), or China’s main intelligence and security agency, and the People’s Liberation Army (PLA), were not limited to the power sector. There were apparent efforts to target numerous government and defence organisations, the report said.

“In the lead-up to the May 2020 skirmishes, we observed a noticeable increase in the provisioning of PlugX malware C2 infrastructure, much of which was subsequently used in intrusion activity targeting Indian organizations. The PlugX activity included the targeting of multiple Indian government, public sector, and defense organizations from at least May 2020,” the report said.

PlugX has been “heavily used by China-nexus groups for many years”, and throughout the rest of 2020, Recorded Future’s investigators “identified a heavy focus on the targeting of Indian government and private sector organizations by multiple Chinese state-sponsored threat activity groups”.

Although Recorded Future was unable to conclusively state whether the insertion of malware by the Chinese groups led to any disruptions, the report pointed to a massive power outage in Mumbai on October 12, 2020, that was allegedly caused by malware inserted at a state load dispatch centre in Padgha. Maharashtra power minister Nitin Raut had said at the time that authorities suspected sabotage was the cause of the outage.

The two-hour outage resulted in the closure of the stock exchange, while trains were cancelled and offices across Mumbai, Thane and Mavi Mumbai were shut down.

“At this time, the alleged link between the outage and the discovery of the unspecified malware variant remains unsubstantiated. However, this disclosure provides additional evidence suggesting the coordinated targeting of Indian Load dispatch Centres,” Recorded Future said in its report.

A senior official of the Maharashtra energy department said the state’s cyber police unit would take appropriate action and suggest preventive measures. An investigation launched after the power outage in October was still underway.

Dinesh Waghmare, principal secretary of the state energy department, said, “We had asked Maharashtra cyber police to investigate the matter as there was suspicion of sabotage. However, the investigation is still on and they have not come to a conclusion as yet.”

“Preventive measures will also be taken,” Waghmare said. He was also in-charge of Maharashtra State Electricity Distribution Company Ltd (MSEDCL) when the outage occurred on October 12. A day after the grid failure brought many parts of the city to a complete halt, state energy minister Nitin Raut had also said the possibility of sabotage couldn’t be ruled out.

Raut was expected to speak on the issue during the first day of the Maharashtra assembly’s budget session.

Recorded Future identified the Chinese group involved in the intrusion activity as Red Echo and said it had strong overlaps – in terms of both the technology it uses and its victims – with other groups such as APT41/Barium and Tonto Team that have been involved in similar cyber-campaigns.

The 12 organisations targeted by Red Echo included Power System Operation Corporation Limited, NTPC Limited, NTPC’s Kudgi power plant, Western Regional Load Dispatch Centre, Southern Regional Load Dispatch Centre, North Eastern Regional Load Dispatch Centre, Eastern Regional Load Dispatch Centre, Telangana State Load Dispatch Centre, Delhi State Load Dispatch Centre, the DTL Tikri Kalan (Mundka) sub-station of Delhi Transco Ltd, VO Chidambaranar Port and Mumbai Port Trust.

All these groups use ShadowPad, a modular backdoor tool that has been utilised by China-backed groups in network intrusion campaigns since 2017.

“We assess that the sharing of ShadowPad is prevalent across groups affiliated with both Chinese Ministry of State Security (MSS) and groups affiliated with the People’s Liberation Army (PLA), and is likely linked to the presence of a centralized ShadowPad developer or quartermaster responsible for maintaining and updating the tool,” the report said.

Stuart Solomon, Recorded Future’s chief operating officer, told The New York Times that Red Echo “has been seen to systematically utilise advanced cyberintrusion techniques to quietly gain a foothold in nearly a dozen critical nodes across the Indian power generation and transmission infrastructure”.

While the activities of many Chinese-sponsored groups of hackers in the West have been linked to cyber and economic espionage, Recorded Future concluded Red Echo’s actions in India were aimed at potential access to networks and insertion of malware to “support Chinese strategic objectives”.

“Pre-positioning on energy assets may support several potential outcomes, including geostrategic signalling during heightened bilateral tensions, supporting influence operations, or as a precursor to kinetic escalation,” the report said.

Recorded Future reported its findings to India’s Computer Emergency Response Team (CERT-In), which acknowledged receipt of the information but didn’t say whether it had found the malware in the targeted organisations, The New York Times reported.