New Delhi: China-linked hackers continue to target Indian entities despite New Delhi and Beijing’s efforts towards disengagement at the stand-off sites in Ladakh, according to the CEO of a US cyber intelligence firm that made news this week with a study about suspected Chinese malware attacks on Indian power infrastructure.
In an interview with ThePrint Thursday, Christopher Ahlberg, who co-founded the US-based Recorded Future, said the attacks “specifically” target the state-owned NTPC, India’s largest energy conglomerate.
On 28 February, Recorded Future released a report that claimed a coordinated campaign by a China-linked hacker group, nicknamed RedEcho by the US firm, targeted 10 Indian organisations in the power sector and two in the maritime sector. The cyber attacks, the report noted, increased as tensions between India and China rose in the wake of the June 2020 Galwan Valley clash. The group, according to Ahlberg, has state backing.
A New York Times report based on the study subsequently asked whether last October’s Mumbai power outage — which stopped trains in their tracks and forced hospitals to turn on emergency generators — was the result of one such attack. Among other things, the report cited a November 2020 India Today article that discussed suspicions in the Maharashtra cyber department that the outage may have been caused by a malware attack.
At the time, tensions between India and China were yet to cool down, with both countries staring at continued deployment in the forward areas through Ladakh’s bitter winter. In the months since, the situation has eased. Both countries disengaged at Pangong Tso in February and have “agreed to further disengagement” at other stand-off sites.
Ahlberg said about two-and-a-half weeks before their study was published, Recorded Future shared it with Indian authorities for an “early pre-read”. In 2020, too, the firm had notified the Indian Computer Emergency Response Team or CERT-In about the cyberattacks, he added.
CERT-In is the national nodal agency for responding to computer security incidents.
On 1 March, the Union Power Ministry said it had been notified of cyber threats from Chinese hackers twice by Indian government agencies dealing with cybersecurity. One alert had come from CERT-In on 19 November 2020 and the other, on 12 February 2021, from the National Critical Information Infrastructure Protection Centre (NCIIPC), the agency charged with protecting critical information infrastructure against cyber terrorism and cyber warfare.
The ministry said action was subsequently taken to secure the computer systems and “no data breach/data loss has been detected”.
After his firm shared the report with the Indian authorities, it noticed fewer cyber attacks, Ahlberg said. “Unfortunately”, he added, his firm was still observing some activity “as of two days ago”.
The “cyber activities continue”, despite India and China agreeing to disengage at the border, Ahlberg said. One such organisation that is still being targeted “specifically” — despite India’s efforts to block the hackers — is NTPC, Ahlberg added.
ThePrint sent an email to India’s national cybersecurity coordinator Lt Gen. Rajesh Pant for comment in this regard but had yet to receive a response by the time of publishing this report. An email to a contact listed on the NTPC website and a WhatsApp message to the power ministry information officer had also yet to elicit replies.
‘Not for fun’
Based in Somerville, Massachusetts, Recorded Future claims to combine “analytics with human expertise to produce superior security intelligence that disrupts adversaries”.
On Ahlberg’s Twitter page, the header photo reads, “Elite Intelligence to Disrupt Adversaries” as an introduction for Recorded Future. The names of four countries are spelt out on the photo: Russia, China, Iran and North Korea.
Elaborating on the cyberattacks his firm observed with respect to India, Ahlberg said the targeted organisations “looked to me to be non-randomly spread” and selected so that the attack would take place “across the country in such a way that it would have maximum coverage”.
RedEcho, he said, is a “sophisticated group” that has established “sophisticated infrastructure” and is good at targeting specific entities.
This campaign was not done for “fun”, he added.
A hacker might target “one of these places for fun. But you’re not going to map them (victim organisations) out, and get in (to its network) and retain access over a long period of time” for superficial reasons, Ahlberg said.
It is not a “haphazard” operation, or a “guy in a basement doing something for fun”. “This is a government-backed organisation,” he added.
According to Ahlberg, cybercriminals looking for money won’t hack “Indian power stations”. “There are many ways to make money that are vastly much easier,” he said.
Ahlberg added that it is “not that common” to target utility sectors like power meant for civilian usage.
“To fiddle with civilian infrastructure, at least, traditionally, it has been out of line (for hackers),” Ahlberg said.
A possible reason for this cyberattack, he said, is for the China-linked hacker group to “signal” to the Indian government its capabilities to enter critical infrastructure networks, or to gain access within the network to perform other activity in the future.