China-linked group RedEcho may be targeting the Indian power sector, cybersecurity firm Recorded Future reports.
Computer networks of at least 12 Indian state-run power utilities, seaports, and load dispatch centers have been targeted by Chinese state-sponsored groups since mid-2020 in an attempt to inject malware.
All 12 organizations constitute critical infrastructure under the Indian National Critical Information Infrastructure Protection Centre’s (NCIIPC) definition.
Researchers also find that a massive power outage in Mumbai on October 13, 2020, was possibly caused by China-backed hackers inserting malware at the Padgha state load dispatch center.
Since early 2020, Recorded Future’s Insikt Group has been observing an increase in suspected targeted intrusion activity against Indian organizations from Chinese state-backed hacker groups. They have seen a steep rise in the use of infrastructure tracked as AXIOMATICASYMPTOTE – using ShadowPad command and control (C2) servers – to target India’s power sector.
“In the lead-up to the May 2020 skirmishes, we observed a noticeable increase in the provisioning of PlugX malware C2 infrastructure, much of which was subsequently used in intrusion activity targeting Indian organizations. The PlugX activity included the targeting of multiple Indian governments, public sector, and defense organizations from at least May 2020,” the researchers reported.
Researchers determined that some of these AXIOMATICASYMPTOTE servers share common infrastructure tactics, techniques, and procedures (TTPs) with several previously reported Chinese hacker groups, among them APT41 and Tonto Team.
Some are known to have links to China’s main intelligence and security agency – the Ministry of State Security (MSS) – and the People’s Liberation Army (PLA).
The modular backdoor ShadowPad has been used by China-linked groups in intrusion campaigns since 2017. Researchers conclude this “is likely linked to the presence of a centralized ShadowPad developer or quartermaster responsible for maintaining and updating the tool.”
Despite some overlaps with previous groups, Recorded Future’s researchers do not believe there is enough evidence to firmly attribute this particular campaign to any particular hacker group.
However, the investigators said that in addition to the possible link between the outage and the discovery of the unspecified malware in the system “additional evidence suggested the coordinated targeting of the Indian load dispatch centers”.