Hindustan Times (Noida)

Chinese ops target India’s energy infra

- HT Correspondents letters@hindustantimes.com

A SECURITY CONSULTANCY SAID ATTACKERS TARGETED AT LEAST ‘10 DISTINCT POWER SECTOR ORGANISATIONS’ WITH A MALWARE

NEW DELHI/MUMBAI: Chinese government-linked attackers may have gained access to computer networks that are part of India’s power infrastructure, a US-based cybersecurity firm has said, citing technical clues that federal power ministry officials separately said had been on their radar, fuelling speculation that a blackout in Mumbai last year may have been the result of sabotage.

First reported by the New York Times on Monday, security consultancy Recorded Future said the attackers (which it calls Redecho) targeted at least “10 distinct power sector organisations” with a malware known as Shadowpad.

Hours after the disclosure, the Union power ministry said it had received inputs from Indian agencies — first in November and then again in February this year — about the threat of infection from Shadowpad, prompting remedial measures to be taken.

“The IPs mentioned in Redecho related advisory are matching with those given in Shadowpad Incidents already informed by CERT-IN in the month of November, 2020,” said a statement by the Union power ministry, which added that “there is no impact on any of the functionalities carried out by POSOCO (Power System Operation Corporation Limited) due to the referred threat.”

“No data breach/ data loss has been detected due to these incidents.”

The statement appeared to suggest that the attacks were not behind the October 12, 2020 power outage in Mumbai that had lasted up to 12 hours in some parts of India’s financial capital, bringing the city’s local trains to a halt and forcing the airport to switch to back-up supply.

Recorded Future’s Insikt Group, the cyber threat intelligence division, also referred to the Mumbai blackout but said it did not have forensic evidence to link the incident to the China-linked campaign.

In Maharashtra, however, state home minister Anil Deshmukh separately said on Monday the state police suspects a cyber attack to be the reason for the power cut in Mumbai.

“Some 14 trojan horses may have introduced in the server of the Maharashtra State Electricity Board (MSEB), data of around 8GB may have transferred from unaccounted foreign servers, similarly, login may have been made by blacklisted IP addresses in the MSEB server,” Deshmukh said, citing the preliminary probe of the cyber police following analysis of the supervisory control and data acquisition (SCADA) networks.

Deshmukh did not give details about what malware was used or the identity of the attackers.

The disclosures of the attempts of sabotage of critical infrastructure by Chinese operatives point to the possibility of an unprecedented escalation of conflict between India and China in cyberspace, almost a year after the two countries had a bitter border confrontation, including the first fatal clash between their troops in decades. The two sides have since stepped back from the border stand-off.

According to Recorded Future’s Insikt Group, the campaign targeted “a large swathe of India’s power sector” and shared the same digital infrastructure and left similar footprints as other Chinese actors, which also use Shadowpad, a modular backdoor malware that can hand attackers full control over a computer system.

“We believe that the suspected intrusions identified formed part of an active campaign targeting critical infrastructure which resulted in the group gaining network access to the entities identified within the report,” Insikt Group (the cyber intelligence division) said in response to questions from HT.

The attacks may have been meant to signal a “show of force”, enable influence operations to sway public opinion, or lay the foundation for future disruptive cyber operations against critical infrastructure, the group said.

The group told HT that it alerted Indian officials in early February, and that Redecho appeared to be focussed only on India. “Redecho likely used a custom malware variant which, coupled with the concerted targeting effort, is indicative of a well-resourced group,” it said, adding that more specific commentary would require additional forensic data.

Experts tracking cybersecurity and geopolitics said the report does not conclusively implicate China at the technical level and any official, public attribution by the Indian government is unlikely. “Such a statement naturally has serious repercussions for our foreign policy and security strategy and should ideally be done by the Centre. The Committee investigating the outage too, should be careful as to the extent of certainty offered by their fact finding and the conclusions that can be reasonably inferred,” said Gunjan Chawla, programme manager, technology and national security, at Centre for Communication Governance, National Law University Delhi.

But, she added, “what we do know for a fact from the NYT report is that there was a cyber intrusion into our power networks. If we assume that China did do this to signal the range and potential of its cyber capabilities, the most worrying aspect for this is the illusory picture of national security being painted as a true picture of the state of our nation’s cyber security, which remains hidden from the general public”.
