Chinese hacker groups target at least dozen Indian organisations
Was a power outage that shut down Mumbai’s stock exchange and train services last October linked to the reported intrusion by Chinese state-sponsored groups into the computer networks of Indian power utilities and load dispatch centres?
That’s the question being asked in cyber security circles
after Recorded Future, a US-based security consultancy, reported that Chinese
groups had intruded into the networks of at least a dozen Indian state-run
organisations since mid-2020 in an attempt to insert malware that could cause
widespread disruptions.
Among the organisations targeted were NTPC Limited, the
country’s largest power conglomerate, five key regional load dispatch centres
that help in the management of the national power grid by balancing electricity
supply and demand, and the ports at Mumbai and Tuticorin, says the new study by
Recorded Future, which tracks the use of the internet by state actors for
cyber-campaigns.
All 12 organisations would qualify as critical
infrastructure, according to the Indian National Critical Information
Infrastructure Protection Centre’s (NCIIPC) definition.
The activity apparently began well before the clashes between
Indian and Chinese troops in May 2020, which triggered the border standoff in
the Ladakh sector of the Line of Actual Control (LAC), and there was a “steep rise”
from the middle of last year in the use of a particular malware linked to
Chinese state-sponsored groups to target “a large swathe of India’s power
sector”, Recorded Future said.
The report further said the alleged intrusions by the
Chinese groups, some with known links to the Ministry of State Security (MSS),
or China’s main intelligence and security agency, and the People’s Liberation
Army (PLA), were not limited to the power sector. There were apparent efforts
to target numerous government and defence organisations, the report said.
“In the lead-up to the May 2020 skirmishes, we observed a
noticeable increase in the provisioning of PlugX malware C2 infrastructure,
much of which was subsequently used in intrusion activity targeting Indian
organizations. The PlugX activity included the targeting of multiple Indian
government, public sector, and defense organizations from at least May 2020,” the
report said.
PlugX has been “heavily used by China-nexus groups for many
years”, and throughout the rest of 2020, Recorded Future’s investigators
“identified a heavy focus on the targeting of Indian government and private
sector organizations by multiple Chinese state-sponsored threat activity
groups”.
Although Recorded Future was unable to conclusively state
whether the insertion of malware by the Chinese groups led to any disruptions,
the report pointed to a massive power outage in Mumbai on October 12, 2020,
that was allegedly caused by malware inserted at a state load dispatch centre
in Padgha. Maharashtra power minister Nitin Raut had said at the time that
authorities suspected sabotage was the cause of the outage.
The two-hour outage resulted in the closure of the stock
exchange, while trains were cancelled and offices across Mumbai, Thane and Navi
Mumbai were shut down.
“At this time, the alleged link between the outage and the
discovery of the unspecified malware variant remains unsubstantiated. However,
this disclosure provides additional evidence suggesting the coordinated
targeting of Indian Load Dispatch Centres,” Recorded Future said in its report.
A senior official of the Maharashtra energy department said
the state’s cyber police unit would take appropriate action and suggest
preventive measures. An investigation launched after the power outage in
October was still underway.
Dinesh Waghmare, principal secretary of the state energy
department, said, “We had asked Maharashtra cyber police to investigate the
matter as there was suspicion of sabotage. However, the investigation is still
on and they have not come to a conclusion as yet.”
“Preventive measures will also be taken,” Waghmare said. He
was also in charge of Maharashtra State Electricity Distribution Company Ltd
(MSEDCL) when the outage occurred on October 12. A day after the grid failure
brought many parts of the city to a complete halt, state energy minister Nitin
Raut had also said the possibility of sabotage couldn’t be ruled out.
Raut was expected to speak on the issue during the first day
of the Maharashtra assembly’s budget session.
Recorded Future identified the Chinese group involved in the
intrusion activity as Red Echo and said it had strong overlaps – in terms of
both the technology it uses and its victims – with other groups such as
APT41/Barium and Tonto Team that have been involved in similar cyber-campaigns.
The 12 organisations targeted by Red Echo included Power
System Operation Corporation Limited, NTPC Limited, NTPC’s Kudgi power plant,
Western Regional Load Dispatch Centre, Southern Regional Load Dispatch Centre,
North Eastern Regional Load Dispatch Centre, Eastern Regional Load Dispatch
Centre, Telangana State Load Dispatch Centre, Delhi State Load Dispatch Centre,
the DTL Tikri Kalan (Mundka) sub-station of Delhi Transco Ltd, VO Chidambaranar
Port and Mumbai Port Trust.
All these groups use ShadowPad, a modular backdoor tool that
has been utilised by China-backed groups in network intrusion campaigns since
2017.
“We assess that the sharing of ShadowPad is prevalent across
groups affiliated with both Chinese Ministry of State Security (MSS) and groups
affiliated with the People’s Liberation Army (PLA), and is likely linked to the
presence of a centralized ShadowPad developer or quartermaster responsible for
maintaining and updating the tool,” the report said.
Stuart Solomon, Recorded Future’s chief operating officer,
told The New York Times that Red Echo “has been seen to systematically utilise
advanced cyberintrusion techniques to quietly gain a foothold in nearly a dozen
critical nodes across the Indian power generation and transmission
infrastructure”.
While the activities of many Chinese-sponsored groups of
hackers in the West have been linked to cyber and economic espionage, Recorded
Future concluded Red Echo’s actions in India were aimed at potential access to
networks and insertion of malware to “support Chinese strategic objectives”.
“Pre-positioning on energy assets may support several
potential outcomes, including geostrategic signalling during heightened
bilateral tensions, supporting influence operations, or as a precursor to
kinetic escalation,” the report said.
Recorded Future reported its findings to India’s Computer
Emergency Response Team (CERT-In), which acknowledged receipt of the
information but didn’t say whether it had found the malware in the targeted
organisations, The New York Times reported.