- China may have targeted power facilities across India last year
- China-linked threat activity group RedEcho may have planted malware
- Flow of malware was detected by Recorded Future, a US-based company
The government today reacted to a report that stated that Chinese hackers may have planted malware in key Indian power plants in the middle of hostilities at the border. The report says this may have resulted in a massive power outage in Mumbai in October, which stopped trains and shut down hospitals and the stock exchange for hours. While denying that the power grid was impacted by the malware, the government says it is aware of the threat from Chinese state-sponsored hackers, including those named in the report.
The study by US-based Recorded Future shows that alongside the Ladakh tensions, which escalated in June with the clash at Galwan Valley in which 20 Indian soldiers died for the country, Chinese malware was flowing into systems that manage power supply across India.
The Ministry of Power said prompt action had been taken and there was "no impact" on any of the facilities due to the "referred threat".
"No data breach/ data loss has been detected due to these incidents," it said, but did not mention the Mumbai outage. On February 12, India's National Critical Information Infrastructure Protection Centre had alerted the power ministry of the threat by Chinese state-sponsored hackers.
China-linked threat activity group RedEcho may have planted malware in key power plants in India, said the study first reported by the New York Times. The link to the Mumbai power cut "provides additional evidence suggesting the coordinated targeting of Indian Load Despatch Centres," said the study, which indicated that some of the country's most sensitive national infrastructure is vulnerable to systematic attacks from Chinese state-sponsored hackers using sophisticated malware.
The flow of malware was detected by Recorded Future, a Massachusetts-based company that analyses online digital threats. It found that most of the malware was never activated. And because Recorded Future could not get inside India's power systems, it could not examine the details of the code itself, which the report says was placed in strategic power-distribution systems across the country.
Since early 2020, Recorded Future's Insikt Group observed a large increase in suspected targeted intrusion activity against Indian organisations from Chinese state-sponsored groups, said the report.
"From mid-2020, Recorded Future's midpoint collection revealed a steep rise in the use of infrastructure tracked as AXIOMATICASYMPTOTE, which encompasses ShadowPad command and control servers, to target a large swathe of India's power sector. 10 distinct Indian power sector organisations, including four of the five regional load dispatch centres responsible for the operation of the power grid through balancing electricity supply and demand, have been identified as targets in a concerted campaign against India's critical infrastructure. Other targets identified include two Indian seaports," the report said.
ShadowPad is the name of the backdoor malware family and RedEcho is the name of the group.
There was a "clear and consistent pattern of Indian organizations being targeted in this campaign through the behavioural profiling of network traffic to adversary infrastructure", said Recorded Future, an assessment that the government agrees with.
A total of 21 IP addresses linked to 12 Indian organizations in the power generation and transmission sector, classified as critical infrastructure, were targeted.
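The "behavioural profiling of network traffic to adversary infrastructure" that the report relies on is, at its simplest, two checks a grid operator can run on its own flow logs: does any internal host talk to a known command-and-control address, and does that traffic show the regular, low-volume timing of a beacon rather than a one-off connection. The script below is an added illustration of those two checks and is not Recorded Future's tooling or the method used in the report. The indicator addresses, flow log lines and host names in it are constructed placeholders (RFC 5737 documentation ranges), not real ShadowPad or AXIOMATICASYMPTOTE infrastructure; a real run would substitute the operator's own flow export and a current indicator feed.

```python
"""Flag outbound flows to known adversary infrastructure and look for
beacon-like regularity in them.  Added illustration, not the report's
own method.  All IPs below are constructed documentation-range addresses."""
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed indicator list (hypothetical; RFC 5737 addresses, not real C2s).
C2_INDICATORS = {"203.0.113.10", "198.51.100.7"}

# Constructed flow records: timestamp, src, dst, dst_port, bytes.
# 10.20.1.15 checks in with one indicator every five minutes (beacon-like);
# 10.20.1.40 touches another indicator twice, irregularly, plus a clean host.
FLOW_LOG = """\
2020-10-12T08:00:00 10.20.1.15 203.0.113.10 443 1240
2020-10-12T08:05:00 10.20.1.15 203.0.113.10 443 1190
2020-10-12T08:10:00 10.20.1.15 203.0.113.10 443 1260
2020-10-12T08:15:00 10.20.1.15 203.0.113.10 443 1205
2020-10-12T08:02:13 10.20.1.40 192.0.2.55 443 48000
2020-10-12T08:03:44 10.20.1.40 198.51.100.7 8080 900
2020-10-12T08:47:02 10.20.1.40 198.51.100.7 8080 910
"""


def parse_flows(text):
    """Turn whitespace-separated flow lines into dicts; blank lines are skipped."""
    flows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, port, nbytes = line.split()
        flows.append({"ts": datetime.fromisoformat(ts), "src": src, "dst": dst,
                      "port": int(port), "bytes": int(nbytes)})
    return flows


def matches_to_indicators(flows, indicators=C2_INDICATORS):
    """Check 1: any flow whose destination is on the indicator list."""
    return [f for f in flows if f["dst"] in indicators]


def beacon_score(flows, max_jitter=0.2, min_hits=3):
    """Check 2: per (src, dst) pair, measure how regular the inter-connection
    gaps are.  A coefficient of variation at or below max_jitter over at
    least min_hits connections is treated as beacon-like."""
    by_pair = defaultdict(list)
    for f in flows:
        by_pair[(f["src"], f["dst"])].append(f["ts"])
    results = {}
    for pair, stamps in by_pair.items():
        stamps.sort()
        if len(stamps) < min_hits:
            continue  # too few samples to judge periodicity
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        m = mean(gaps)
        cv = pstdev(gaps) / m if m else float("inf")
        results[pair] = {"hits": len(stamps), "mean_gap_s": m, "cv": cv,
                         "regular": cv <= max_jitter}
    return results


def triage(text, indicators=C2_INDICATORS):
    """Combine both checks into a short summary an analyst can act on."""
    flows = parse_flows(text)
    hits = matches_to_indicators(flows, indicators)
    beacons = beacon_score(hits)
    return {
        "indicator_hits": len(hits),
        "hosts": sorted({f["src"] for f in hits}),
        "beacons": [pair for pair, r in beacons.items() if r["regular"]],
    }


if __name__ == "__main__":
    print(triage(FLOW_LOG))
```

On the constructed data, both internal hosts are reported as having contacted indicator addresses, but only 10.20.1.15 is flagged as beaconing: its four connections are exactly five minutes apart, while 10.20.1.40 has too few contacts to judge. That distinction matters in practice, since a single connection to a listed address may be a false positive in the indicator feed, whereas a regular cadence of small connections is the signature of an implant waiting for tasking.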
The report said media reports had previously linked the October 12 power outage in Mumbai to malware at a Padgha-based State Load Despatch Centre. "At this time, the alleged link between the outage and the discovery of the unspecified malware variant remains unsubstantiated. However, this disclosure provides additional evidence suggesting the coordinated targeting of Indian Load Despatch Centres," said the report.
It took two hours for the power supply to resume, and Maharashtra Chief Minister Uddhav Thackeray ordered an enquiry into the reported grid failure.
This comes on a day when Reuters has reported that another Chinese state-backed hacking group recently targeted the IT systems of Bharat Biotech and the Serum Institute of India, the two Indian vaccine-makers whose coronavirus shots are now being rolled out across India.