Four months after the bitter Galwan Valley clashes, Mumbai plunged into darkness following a massive power outage. While normal life came to a virtual standstill, hospitals struggled to keep power flowing through generators to care for patients, many of whom were on life support.
The big question now doing the rounds is whether China orchestrated this power failure in India’s financial capital.
A recent study suggests that the two events may have been connected, and that China carried out a cyber campaign against India’s power grid in a bid to send India a message: that the entire country could be plunged into darkness if it pressed its territorial claims too hard.
The study reveals that while the border standoff continued in eastern Ladakh, Chinese malware kept flowing into the critical control systems that manage electricity supply across India, along with a high-voltage transmission substation and a coal-fired power plant.
This report, spearheaded by Recorded Future, a firm that studies the use of the internet by state actors, details a campaign conducted by a China-linked threat activity group, RedEcho, targeting the Indian power sector. The activity was identified through a combination of large-scale automated network traffic analytics and expert analysis.
Using a combination of proactive adversary infrastructure detections, domain analysis, and Recorded Future Network Traffic Analysis, Recorded Future’s threat research arm, Insikt Group, has determined that a subset of the servers used share some common infrastructure tactics, techniques, and procedures (TTPs) with several previously reported Chinese state-sponsored groups.
“Since early 2020, Recorded Future’s Insikt Group observed a large increase in suspected targeted intrusion activity against Indian organizations from Chinese state-sponsored groups. From mid-2020 onwards, Recorded Future’s midpoint collection revealed a steep rise in the use of infrastructure tracked as AXIOMATICASYMPTOTE, which encompasses ShadowPad command and control (C2) servers, to target a large swathe of India’s power sector. 10 distinct Indian power sector organizations, including 4 of the 5 Regional Load Despatch Centres (RLDC) responsible for operation of the power grid through balancing electricity supply and demand, have been identified as targets in a concerted campaign against India’s critical infrastructure. Other targets identified included 2 Indian seaports,” Recorded Future observes.
Stuart Solomon, Recorded Future’s chief operating officer, told The New York Times that the Chinese state-sponsored group, which the firm named Red Echo, “has been seen to systematically utilize advanced cyber-intrusion techniques to quietly gain a foothold in nearly a dozen critical nodes across the Indian power generation and transmission infrastructure.”
In light of the revelation, experts are now asking whether Beijing sent India a message through the Mumbai power outage.
According to The New York Times, the investigators behind the Recorded Future study said that “the alleged link between the outage and the discovery of the unspecified malware” in the system “remains unsubstantiated.” But the investigators noted that “additional evidence suggested the coordinated targeting of the Indian load dispatch centers,” which balance electrical demand across regions of the country.
Key Takeaways From The Report
- The targeting of Indian critical infrastructure offers limited economic espionage opportunities; however, we assess they pose significant concerns over potential pre-positioning of network access to support Chinese strategic objectives.
- Pre-positioning on energy assets may support several potential outcomes, including geo-strategic signaling during heightened bilateral tensions, supporting influence operations, or as a precursor to kinetic escalation.
- RedEcho has strong infrastructure and victimology overlaps with Chinese groups APT41/Barium and Tonto Team, while ShadowPad is used by at least 5 distinct Chinese groups.
- The high concentration of IPs resolving to Indian critical infrastructure entities communicating over several months with a distinct subset of AXIOMATICASYMPTOTE servers used by RedEcho indicates a targeted campaign, with little evidence of wider targeting in Recorded Future’s network telemetry.
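As an added illustration of the telemetry pattern in the last takeaway (example code written for this page, not code from the report or from Recorded Future), the script below flags internal hosts whose contact with a labelled set of suspected C2 addresses persists across several distinct months, and lists which subset of that C2 set they used. The flow records, the internal addresses and the C2 set are constructed sample values in documentation ranges, not real indicators.

```python
from collections import defaultdict
from datetime import datetime

# Constructed sample flow records: (ISO timestamp, internal source IP, destination IP).
# Addresses are from RFC 5737 documentation ranges; none are real indicators.
SAMPLE_FLOWS = [
    ("2020-06-03T10:15:00", "10.1.2.10", "203.0.113.5"),   # June contact
    ("2020-06-19T02:40:00", "10.1.2.10", "203.0.113.5"),   # June again
    ("2020-07-11T11:05:00", "10.1.2.10", "203.0.113.5"),   # July contact
    ("2020-09-02T09:30:00", "10.1.2.10", "203.0.113.9"),   # September, second C2
    ("2020-08-21T14:00:00", "10.1.2.20", "203.0.113.9"),   # single month only
    ("2020-08-22T14:00:00", "10.1.2.30", "198.51.100.7"),  # benign destination
]

# Constructed placeholder set standing in for tracked C2 infrastructure.
SUSPECTED_C2 = {"203.0.113.5", "203.0.113.9", "203.0.113.12"}


def months_of_contact(flows, c2_set):
    """Map each internal source to the set of (year, month) in which it
    contacted any address in c2_set. Flows to other destinations are ignored."""
    contact = defaultdict(set)
    for ts, src, dst in flows:
        if dst in c2_set:
            d = datetime.fromisoformat(ts)
            contact[src].add((d.year, d.month))
    return contact


def sustained_contacts(flows, c2_set, min_months=3):
    """Return sources whose C2 contact spans at least min_months distinct
    calendar months. A one-off contact (e.g. a scan or a curious user)
    does not qualify; months-long recurrence is the pattern of interest."""
    contact = months_of_contact(flows, c2_set)
    return sorted(src for src, months in contact.items() if len(months) >= min_months)


def c2_subset_used(flows, c2_set, sources):
    """Return the distinct subset of c2_set actually contacted by the given
    sources, so an analyst can see whether victims cluster on a few servers."""
    used = {dst for _, src, dst in flows if src in sources and dst in c2_set}
    return sorted(used)


if __name__ == "__main__":
    flagged = sustained_contacts(SAMPLE_FLOWS, SUSPECTED_C2)
    print("sustained contact:", flagged)
    print("C2 subset used:", c2_subset_used(SAMPLE_FLOWS, SUSPECTED_C2, set(flagged)))
```

Run against real flow telemetry, the same two functions answer the question the takeaway raises: how many internal hosts show recurring contact, and how concentrated that contact is on a small subset of the tracked servers.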