New Delhi/Mumbai: India continues to be a major target of Chinese cyber espionage activity, said a recently released report by cyber intelligence firm Recorded Future, noting that Chinese state-sponsored threat activity groups are targeting Indian power grid assets.
According to the report, in recent months network intrusions targeted at least seven Indian state load despatch centres (SLDCs), including one in proximity to the disputed India-China border in Ladakh.
“Notably, this targeting has been geographically concentrated, with the identified SLDCs located in north India, in proximity to the disputed India-China border in Ladakh. One of these SLDCs was also targeted in previous RedEcho activity,” it said.
According to the report, this latest set of intrusions is composed of an almost entirely different set of victim organizations. Earlier in the day, Union Minister for Power RK Singh acknowledged the alleged attacks on India’s power grid system but stated that they were not successful.
“In addition to the targeting of power grid assets, we also identified the compromise of a national emergency response system and the Indian subsidiary of a multinational logistics company by the same threat activity group,” the report noted.
The Chinese state-sponsored groups have likely compromised and co-opted internet-facing DVR/IP camera devices for command and control of ShadowPad malware infections, as well as using the open source tool FastReverseProxy (FRP).
In February 2021, Recorded Future’s Insikt Group reported on intrusion activity targeting operational assets within India’s power grid that it attributed to a likely Chinese state-sponsored threat activity group the firm tracks as RedEcho.
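The technique described above gives defenders a concrete signal to look for: a host inside a control-network segment (such as an SLDC) opening connections to an unexpected internet endpoint, which in this case would have been a hijacked consumer DVR or IP camera rather than a purpose-built server. The following is an added example, not code from the Recorded Future report or from this article, showing how that check could be applied to netflow-style records. The addressing, the allowlist, the log format and every sample line are constructed for the example; the only external fact used is that FRP's server component listens on port 7000 by default, which is treated as a weak corroborating signal rather than a detection on its own.

```python
"""Flag outbound flows from an OT/SLDC segment to unapproved external hosts.

Added example: all addresses, the allowlist and the sample records are
constructed. The logic is vendor-neutral and does not depend on any IoC.
"""
import ipaddress
import re
from dataclasses import dataclass

# Constructed addressing: the SLDC/OT segment, and the internal ranges that
# traffic from that segment may legitimately reach.
OT_SEGMENT = ipaddress.ip_network("10.50.0.0/16")
INTERNAL_RANGES = [
    ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")
]
# Constructed allowlist: external endpoints the OT segment is permitted to
# contact (for example a vendor VPN concentrator).
APPROVED_EXTERNAL = {ipaddress.ip_address("203.0.113.10")}
# FRP's frps default bind port. Only a corroborating hint; operators often
# change it, so the primary signal is the unapproved destination itself.
FRP_DEFAULT_PORT = 7000

# Constructed record format: "<ts> <src> -> <dst>:<dport> proto=<p> bytes=<n>"
FLOW_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<src>[\d.]+)\s+->\s+(?P<dst>[\d.]+):(?P<dport>\d+)"
    r"\s+proto=(?P<proto>\w+)\s+bytes=(?P<bytes>\d+)$"
)


@dataclass
class Finding:
    ts: str
    src: str
    dst: str
    dport: int
    reasons: list


def parse_flow(line):
    """Return the flow's fields as a dict, or None for a malformed record."""
    m = FLOW_RE.match(line.strip())
    return m.groupdict() if m else None


def is_internal(addr):
    return any(addr in net for net in INTERNAL_RANGES)


def assess_flow(rec):
    """Return a Finding if an OT host reached an unapproved external host."""
    src = ipaddress.ip_address(rec["src"])
    dst = ipaddress.ip_address(rec["dst"])
    dport = int(rec["dport"])
    # Ignore flows that do not originate in the OT segment, stay inside the
    # organisation, or go to an explicitly approved external endpoint.
    if src not in OT_SEGMENT or is_internal(dst) or dst in APPROVED_EXTERNAL:
        return None
    reasons = ["ot-host-to-unapproved-external"]
    if dport == FRP_DEFAULT_PORT:
        reasons.append("frp-default-port")
    return Finding(rec["ts"], str(src), str(dst), dport, reasons)


def scan(lines):
    """Run every record through the check; malformed lines are skipped."""
    findings = []
    for line in lines:
        rec = parse_flow(line)
        if rec is None:
            continue
        finding = assess_flow(rec)
        if finding is not None:
            findings.append(finding)
    return findings


# Constructed sample flows. 203.0.113.10 is the approved peer; the two flows to
# 198.51.100.44 and 192.0.2.77 should be flagged; the rest are benign or
# outside the monitored segment.
SAMPLE_FLOWS = [
    "2022-04-06T10:15:01Z 10.50.12.7 -> 203.0.113.10:443 proto=tcp bytes=1200",
    "2022-04-06T10:15:09Z 10.50.12.7 -> 198.51.100.44:7000 proto=tcp bytes=5320",
    "2022-04-06T10:16:00Z 10.50.30.2 -> 192.0.2.77:443 proto=tcp bytes=800",
    "2022-04-06T10:16:30Z 10.50.30.2 -> 10.50.1.1:502 proto=tcp bytes=300",
    "2022-04-06T10:17:00Z 172.16.5.5 -> 198.51.100.44:7000 proto=tcp bytes=100",
    "this line is not a flow record and is skipped",
]

if __name__ == "__main__":
    for f in scan(SAMPLE_FLOWS):
        print(f"{f.ts} {f.src} -> {f.dst}:{f.dport} {','.join(f.reasons)}")
```

The check deliberately does not try to identify the remote device as a camera or DVR: from inside the grid operator's network the only reliable observation is that a control-system host is talking to something outside the approved set, and that is what should be alerted on. Note that Python's `ipaddress.is_private` treats the documentation ranges used here as private, which is why the example keeps its own explicit list of internal networks.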
“Following a short lull after the publication of our RedEcho reporting, we have detected ongoing targeting of Indian power grid organizations by China-linked adversaries, frequently using the privately shared modular backdoor ShadowPad,” it observed.
The firm noted that ShadowPad continues to be employed by an ever-increasing number of People’s Liberation Army (PLA) and Ministry of State Security (MSS)-linked groups, with its origins linked to known MSS contractors who first used the tool in their own operations and later likely acted as a digital quartermaster.
“Given the continued targeting of state and RLDCs in India over the past 18 months, first from RedEcho and now in this latest TAG-38 activity, this targeting is likely a long-term strategic priority for select Chinese state-sponsored threat actors active within India,” it observed.
The firm stated that although tensions eased in February 2021, aided by partial troop disengagement following prolonged border stand-offs in the Ladakh region, there has been limited progress between the two states on their respective territorial claims.
“The prolonged targeting of Indian power grid assets by Chinese state-linked groups offers limited economic espionage or traditional intelligence-gathering opportunities. We believe this targeting is instead likely intended to enable information gathering surrounding critical infrastructure systems or is pre-positioning for future activity,” it added.
Recorded Future observed that the objectives of the intrusions may include gaining an increased understanding of these complex systems in order to facilitate capability development for future use, or gaining sufficient access across the system in preparation for future contingency operations.