Recorded Future reports continued targeting of Indian power grid assets by Chinese state-sponsored activity group

Threat intelligence firm Recorded Future has observed in recent months likely network intrusions targeting at least seven Indian State Load Despatch Centres (SLDCs) responsible for carrying out real-time operations for grid control and electricity dispatch within these respective states.

“Notably, this targeting has been geographically concentrated, with the identified SLDCs located in North India, in proximity to the disputed India-China border in Ladakh. One of these SLDCs was also targeted in previous RedEcho activity,” Recorded Future wrote in its report this week. “This latest set of intrusions, however, is composed of an almost entirely different set of victim organizations,” it added. 

In addition to the targeting of power grid assets, “we also identified the compromise of a national emergency response system and the Indian subsidiary of a multinational logistics company by the same threat activity group,” according to the report. “To achieve this, the group likely compromised and co-opted internet-facing DVR/IP camera devices for command and control (C2) of Shadowpad malware infections, as well as use of the open-source tool FastReverseProxy (FRP),” it added.

Last February, Recorded Future’s Insikt Group reported intrusion activity targeting operational assets within India’s power grid attributed to a likely Chinese state-sponsored threat activity group, tracked as RedEcho. Additionally, India continues to be a major target of Chinese cyber espionage activity, as detailed in historical Recorded Future reporting on RedDelta, RedEcho, RedFoxtrot, TAG-28, and additional client-facing research. 

“Following a short lull after the publication of our RedEcho reporting, we have detected ongoing targeting of Indian power grid organizations by China-linked adversaries, frequently using the privately shared modular backdoor ShadowPad,” Recorded Future wrote in the report. “ShadowPad continues to be employed by an ever-increasing number of People’s Liberation Army (PLA) and Ministry of State Security (MSS)-linked groups, with its origins linked to known MSS contractors first using the tool in their own operations and later likely acting as a digital quartermaster,” it added.

Responding to the cyber intrusions, the Indian government confirmed that Chinese hackers made two attempts to disrupt electricity distribution centres near Ladakh. However, the attempts were not successful. 

“Two attempts by Chinese hackers were made to target electricity distribution centres near Ladakh but were not successful. We’ve already strengthened our defence system to counter such cyber attacks,” Power Minister R.K. Singh told news agency ANI on April 7.

The Recorded Future report noted that “while this latest activity displays targeting and capability consistencies with previously identified RedEcho activity, there are also some notable distinctions. At this time, we have not identified technical evidence allowing us to attribute it to RedEcho, and we are currently clustering this latest activity under the temporary group name Threat Activity Group 38 (TAG-38).” Since at least September 2021, Recorded Future has observed TAG-38 intrusions targeting the identified victim organizations. 

Recorded Future said that the identified victimology within this latest campaign is confined to Indian targets, specifically the seven SLDCs, the Indian subsidiary of a multinational logistics company, and a national emergency response system. The identified SLDCs were all located in Northern India, near the disputed China-India border in Ladakh. SLDCs are responsible for carrying out real-time operations for grid control and electricity dispatch within their respective states, similar to the Regional Load Despatch Centres (RLDCs) previously targeted in reported RedEcho activity. 

The report added that this makes these organizations critical for maintaining grid frequency and stability, with SLDCs maintaining access to supervisory control and data acquisition (SCADA) systems across respective states for grid control and electricity dispatch. “At this time, we have not observed evidence of access to industrial control system (ICS) environments in this activity,” the report added.

Recorded Future continues to track Chinese state-sponsored activity groups targeting various sectors globally. A large majority of this conforms to longstanding cyberespionage efforts, such as targeting foreign governments, surveillance of dissident and minority groups, and economic espionage. “However, the coordinated effort to target Indian power grid assets in recent years is notably distinct from our perspective and, given the continued heightened tension and border disputes between the two countries, we believe is a cause for concern,” it added. 

Based on the complexity present across national critical infrastructure systems, “this often necessitates lengthy reconnaissance operations to better understand the inner workings of these systems, both in a technological and a physical sense,” Recorded Future said in the report. This is reflected in publicly documented targeted intrusion activity historically targeting ICS networks, which can often span years. 

At this time, “we have not identified evidence of compromise of ICS networks by TAG-38 operators from our visibility, although we cannot discount this possibility. Given the prolonged targeting of both SLDCs and RLDCs within India, first from RedEcho and now in this latest TAG-38 activity, we believe this targeting is a strategic priority for these actors and is likely to continue,” the report added.

Last month, Israel’s State Comptroller Matanyahu Englman warned that hackers might try to exploit holes in the cyber oversight of the Israel Electric Company (IEC) to take down the country’s electricity network.

“Cyber threats are increasing with the growth of the cyber arena and could lead to harm both in the digital and physical worlds, including power stations and assembly lines,” Englman wrote. He, for instance, cautioned that a cyberattack on Israel’s electrical network could lead to major economic damage and endanger human lives.

Earlier this week, the Symantec Threat Hunter team reported that a Chinese state-backed advanced persistent threat (APT) group, Cicada, is attacking organizations around the globe in a likely espionage campaign that has been ongoing for several months. Victims in the Cicada (aka APT10) campaign include government, legal, religious, and non-governmental organizations (NGOs) across countries worldwide, including in Europe, Asia, and North America.
