Chinese cybercriminals are targeting the Indian power sector, according to a report by US-based cybersecurity company Recorded Future. The two Asian giants may be disengaging on the ground but relations do not seem to have thawed in the realm of cybersecurity.
An investigation conducted by the firm’s Insikt Group claims to have discovered a steep rise in the attacks against many companies in India’s power sector.
“10 distinct Indian power sector organisations, including 4 of the 5 Regional Load Despatch Centres (RLDC)… have been identified as targets in a concerted campaign against India’s critical infrastructure,” said the report. Chidambaranar and Mumbai ports were also identified as targets.
However, Recorded Future pointed out that infiltration of RLDCs has very little to offer in terms of meeting any economic espionage objectives. But it does have its uses.
Regardless of whether the attack itself was severe or not, the electric grid falls into the critical infrastructure category. The report assesses that such attacks are ideal for posturing and can deliver potential outcomes such as:
- Serving as a robust signaling message, a ‘show of force’
- To enable influence operations to sway public opinion during a diplomatic confrontation
- To support potential destructive cyber operations against critical infrastructure in the future
These points are key because the discovery of the attack comes at a time when India-China relations are tense and disengagement attempts are ongoing along the Line of Actual Control (LAC).
The two Asian giants were involved in their first fatal border clash in 45 years in June last year. Since then, their military forces have been locked in a face-off along multiple friction points in Leh, especially along the southern banks of Pangong Tso Lake.
Who are these Chinese Hackers?
The first thing to note is that these attacks used ShadowPad, which Kaspersky has described as one of the largest known supply-chain attacks.
ShadowPad is a covert backdoor that hides inside legitimate software. Once activated, it gives attackers access to the system so they can install additional malicious software or steal data.
Even though the investigators spotted some overlaps with other threat groups, such as APT41 (known for the NetSarang incident involving ShadowPad) and Tonto Team, they do not believe there is enough evidence to attribute the activity to any known perpetrator.
In addition to APT41 and Tonto Team, ShadowPad is used by at least three other distinct Chinese groups. Instead, Recorded Future has dubbed this closely related but distinct activity group RedEcho.