New Delhi: Speculation is rife over whether last October’s massive power outage in Mumbai was caused by hackers linked to China, after a New York Times report claimed there had been a cyber campaign targeting India amid the border standoff in Ladakh.
Maharashtra’s Energy Minister Nitin Raut Monday confirmed that the outage, which brought Mumbai to a near stop for several hours on 12 October, was a result of a cyberattack and called it “sabotage”. However, he didn’t elaborate further on where the cyberattack originated from.
The NYT report, dated 28 February, is based on a report by American cybersecurity firm Recorded Future, titled ‘China-Linked Group RedEcho Targets the Indian Power Sector Amid Heightened Border Tensions’. The study talked of a “campaign conducted by a China-linked threat activity group, RedEcho, targeting the Indian power sector”.
It identified 12 critical infrastructure entities in India that could have been targeted, including 10 power sector organisations and two maritime sector organisations.
Recorded Future had cited regional media in its report to say the power disruption was likely caused by malware found at an electricity despatch centre near Mumbai. Despatch centres manage and monitor the efficient transmission of electricity through the power grid.
But the firm added: “At this time, the alleged link between the outage and the discovery of the unspecified malware variant remains unsubstantiated.”
The Union power ministry issued a report Monday, stating it had received an email from the Indian Computer Emergency Response Team (CERT-In) on 19 November 2020 about a malware threat, ShadowPad, “at some control centres of POSOCO (Power System Operation Corporation Limited)”.
The malware ShadowPad has been linked to China-backed hackers in the past.
The ministry said it had also received an email on 12 February 2021 from the National Critical Information Infrastructure Protection Centre (NCIIPC) that said, “Chinese state-sponsored threat Actor group known as Red Echo is targeting Indian Power sector’s Regional Load Dispatch Centres (RLDCs) along with State Load Dispatch Centres (SLDCs).”
The ministry said action had been taken to secure the computer systems and “no data loss” had been detected.
CERT-In is the national nodal agency for responding to computer security incidents, while the NCIIPC is tasked with protecting critical information infrastructure against cyber terrorism and cyber warfare.
RedEcho and how we know it’s linked to China
Recorded Future linked the group of hackers, which it nicknamed RedEcho, to China because it used infrastructure connected to the malware ‘ShadowPad’, attributed to other Chinese hacker groups.
Since early 2020, the firm said, it observed a “large increase in suspected targeted intrusion activity against Indian organizations from Chinese state-sponsored groups”.
“Mid-2020 onwards”, the firm noted, there was “a steep rise in the use of infrastructure” linked to ShadowPad malware “to target a large swathe of India’s power sector”.
The ShadowPad link
ShadowPad was discovered in 2017. The malware had been injected into software updates provided by a legitimate software provider, NetSarang, which is headquartered in the US and South Korea.
According to cybersecurity and antivirus provider Kaspersky, NetSarang was not aware that its supply chain had been compromised and its software updates were carrying the malicious code.
The ShadowPad malware steals data from a ‘victim’ computer and is able to automatically communicate with the computer servers at the hacker’s end. Once every eight hours, ShadowPad sends back information such as the user name, domain name and host name to the hacker’s computer system.
When an “interesting” target is found, the hacker’s computer server can seek more information from the victim system via the malware and even deploy more malicious code.
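The fixed eight-hour check-in described above is the kind of regularity defenders look for in network flow logs. The Python example below is an added illustration, not code from this report or from Recorded Future's study; the flow records are constructed, and the addresses, the 10-minute tolerance and the minimum of three intervals are assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta
from statistics import median

BEACON_PERIOD = timedelta(hours=8)   # check-in interval reported in the article
TOLERANCE = timedelta(minutes=10)    # assumed allowance for jitter and clock drift
MIN_INTERVALS = 3                    # assumed minimum evidence before flagging


def build_sample_flows():
    """Constructed flow records (timestamp, source, destination); not real telemetry."""
    start = datetime(2021, 1, 4, 0, 0, 0)
    flows = []
    # Host A: contacts one destination every 8 h with a few minutes of jitter.
    for i, jitter in enumerate([0, 3, -2, 4, 1]):
        flows.append((start + i * BEACON_PERIOD + timedelta(minutes=jitter),
                      "10.0.5.21", "198.51.100.7"))
    # Host B: irregular, user-driven traffic to another destination.
    for hours in [0.5, 1.2, 9.0, 9.1, 26.0]:
        flows.append((start + timedelta(hours=hours), "10.0.5.40", "203.0.113.9"))
    # Host C: hourly update check; periodic but not on the 8 h cadence.
    for i in range(6):
        flows.append((start + timedelta(hours=i), "10.0.5.33", "192.0.2.15"))
    return flows


def find_periodic_pairs(flows, period=BEACON_PERIOD, tolerance=TOLERANCE,
                        min_intervals=MIN_INTERVALS):
    """Return (src, dst, median_gap) for pairs whose gaps all sit near `period`."""
    by_pair = defaultdict(list)
    for ts, src, dst in flows:
        by_pair[(src, dst)].append(ts)
    hits = []
    for (src, dst), stamps in sorted(by_pair.items()):
        stamps.sort()
        gaps = [b - a for a, b in zip(stamps, stamps[1:])]
        if len(gaps) < min_intervals:
            continue
        # Every gap must be close to the period, not just the average, so that
        # bursty traffic which happens to average 8 h is not flagged.
        if all(abs(g - period) <= tolerance for g in gaps):
            hits.append((src, dst, median(gaps)))
    return hits


if __name__ == "__main__":
    for src, dst, gap in find_periodic_pairs(build_sample_flows()):
        print(f"{src} -> {dst}: check-ins every ~{gap}")
```

A pair flagged this way is only a lead for investigation, since legitimate software such as update or licence checks can also call out on a fixed schedule.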
The 2017 ShadowPad hack was attributed to ‘APT41’, the Recorded Future report said.
APT41 is a prolific cyber threat group that carries out “Chinese state-sponsored espionage activity” apart from financially motivated activity “potentially outside of state control”, according to cybersecurity firm FireEye.
Since 2012, the group has targeted organisations in at least 14 countries and is known to steal intellectual property.
“Presently, we are aware of at least 5 Chinese threat activity groups using ShadowPad, including APT41, Tonto Team, groups using the Icefog malware, KeyBoy, and Tick”, the study noted.
“We assess that the sharing of ShadowPad is prevalent across groups affiliated with both Chinese Ministry of State Security (MSS) and groups affiliated with the People’s Liberation Army (PLA)”, the study adds.
RedEcho shadow on critical Indian sectors
Recorded Future did not specify exactly how the hackers would have accessed India’s critical sector, according to Yash Kadakia, chief technology officer of Mumbai-based cybersecurity firm Security Brigade InfoSec.
Kadakia, who went through the study, said: “It is difficult for a private, outside entity to confirm how or what the attackers access on victim computers without the government allowing the company to access those targeted computer systems.”
According to its report, the US cybersecurity firm had identified that an internet address of an Indian critical sector organisation was potentially sending data back to an internet domain set up by RedEcho. The study detected that on 30 December 2020, “at least 1.29 MB” of data was sent back to an internet address linked to RedEcho from a victim’s internet address.
However, the 1 March power ministry statement refutes this. It stated that “no communication & data transfer” to internet addresses linked to RedEcho had taken place.
According to Recorded Future, among the list of “suspected victim organizations” are the Power System Operation Corporation Limited (POSOCO), regional-level electricity Load Despatch Centres for West, South, Northeastern and Eastern parts of the country, state-level electricity load despatch centres for Telangana and Delhi, and the Mumbai Port Trust.