A grid failure on 12 October last year resulted in a major power outage in Mumbai and its surrounding areas, affecting electricity supply, local trains, etc. It took hours for the power supply to be gradually restored in a phase-wise manner. At the time, Maharashtra energy minister Nitin Raut had told the media, “There was islanding (a phenomenon that sees a distributed generator powering a location although electrical grid power is no longer present) in Mumbai which shouldn’t have happened… This is the reason that possibility of sabotage is suspected.”
In the months since, Union Minister of State (Independent Charge) for Power RK Singh has suggested that the blackout resulted from human error. In contrast, Maharashtra home minister Anil Deshmukh, citing a preliminary report by the Maharashtra Police Cyber Cell, has claimed it was an act of cyber-sabotage that led to the events of 12 October. The full report by the cyber cell is due later this month.
On 28 February this year, Massachusetts-based cybersecurity firm Recorded Future released a report titled ‘China-linked Group RedEcho Targets the Indian Power Sector Amid Heightened Border Tensions’ that points to the inflow of Chinese malware into India’s critical infrastructure systems that manage electricity supply. The report identifies RedEcho — a China-based advanced persistent threat (APT) group — as the entity behind attempts to infiltrate India’s power grids.
RedEcho and the Chinese threat
“We believe RedEcho to be a China-linked group due to a confluence of both non-technical and technical factors,” Recorded Future’s research team, the Insikt Group*, tells Firstpost in an email interaction. “From a technical perspective, the activity features strong technical overlaps with known Chinese State-sponsored groups, including the use of AXIOMATICASYMPTOTE infrastructure and ShadowPad malware, which we believe is unique to Chinese State-sponsored groups.”
There’s a lot to unpack here, and we’ll get around to each part shortly. Still, for now, the Insikt Group notes, “[The] targeting of these organizations offers limited economic espionage opportunities and their targeting most likely supports China’s national-level policy objectives. Finally, the targeting took place during a time period of heightened diplomatic tensions and occasional violence along the India-China border.”
For those not in the know, AXIOMATICASYMPTOTE is the Recorded Future name for a group of servers used to conduct targeted intrusion activity from Chinese-linked threat groups. The Insikt Group elaborates, “These servers are detected via a proprietary fingerprinting method, which includes servers that have been used to administer ShadowPad infections in the past. ShadowPad is a malware family reported to have been used by at least five different Chinese State-sponsored groups.”
Returning to India’s topic, the Recorded Future report states that since early 2020, a large increase in suspected targeted intrusion activity against Indian organizations from Chinese State-sponsored groups has been observed. According to the Insikt Group, “Recorded Future proactively tracks the creation and use of internet infrastructure used by cyber threat actors through a method we call Adversary Infrastructure Detection. This, combined with large-scale Network Traffic Analysis, allows us to detect suspicious activity across the internet emanating from threat actor infrastructure. These data points allow us to produce intelligence relating to cybercriminal and State-sponsored threat activity.”
This time around, Recorded Future identified servers, fingerprinted as AXIOMATICASYMPTOTE, in sustained and regular communication with multiple devices across at least 10 different Indian power sector organizations and two Indian seaports. The map below depicts the location of these 12 critical systems and the extent of their influence.
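The finding above rests on spotting "sustained and regular communication" between internal devices and servers already fingerprinted as adversary infrastructure. The following is an added illustration of that detection step, not code from Recorded Future or the report: it parses constructed flow records, keeps only contacts with a watchlisted destination, and flags pairs whose contacts are both numerous and evenly spaced (low jitter), the beaconing pattern a defender would triage. The watchlist, hosts, and timestamps are all constructed for the example.

```python
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed flow records (timestamp, internal source, external destination) for this
# example. WATCHLIST stands in for servers an analyst has fingerprinted as adversary
# infrastructure; every address is from a documentation range, none is a real indicator.
WATCHLIST = {"203.0.113.7", "198.51.100.42"}

SAMPLE_FLOWS = """\
2021-02-01T00:00:00 10.10.1.5 203.0.113.7
2021-02-01T01:00:04 10.10.1.5 203.0.113.7
2021-02-01T02:00:01 10.10.1.5 203.0.113.7
2021-02-01T02:13:40 10.10.2.9 203.0.113.7
2021-02-01T03:00:06 10.10.1.5 203.0.113.7
2021-02-01T04:00:02 10.10.1.5 203.0.113.7
2021-02-01T05:00:03 10.10.1.5 203.0.113.7
2021-02-01T09:47:12 10.10.2.9 203.0.113.7
2021-02-01T00:00:00 10.10.3.3 192.0.2.10
2021-02-01T01:00:00 10.10.3.3 192.0.2.10
"""

def parse_flows(text):
    """Parse 'ISO-timestamp src dst' lines into (datetime, src, dst) tuples."""
    flows = []
    for line in text.strip().splitlines():
        ts, src, dst = line.split()
        flows.append((datetime.fromisoformat(ts), src, dst))
    return flows

def find_beacons(flows, watchlist, min_contacts=5, max_jitter=0.2):
    """Return {(src, dst): (contacts, mean_gap_seconds, jitter)} for internal hosts in
    sustained, regular contact with a watchlisted destination.
    jitter = stddev / mean of the inter-contact gaps; low jitter means periodic."""
    by_pair = defaultdict(list)
    for ts, src, dst in flows:
        if dst in watchlist:
            by_pair[(src, dst)].append(ts)
    findings = {}
    for pair, stamps in by_pair.items():
        if len(stamps) < min_contacts:   # a handful of contacts is not "sustained"
            continue
        stamps.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        avg = mean(gaps)
        jitter = pstdev(gaps) / avg if avg else float("inf")
        if jitter <= max_jitter:
            findings[pair] = (len(stamps), avg, jitter)
    return findings
```

Running `find_beacons(parse_flows(SAMPLE_FLOWS), WATCHLIST)` flags only 10.10.1.5, which contacts the watchlisted server hourly; the host with two irregular contacts and the host talking to a non-watchlisted address are left alone.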
Insikt Group research indicates that communication between RedEcho servers and one of these targeted entities — VO Chidambaranar Port in Tamil Nadu — was observed till as recently as last week. However, the group points out, “We have not observed any related communications to any of the targeted entities listed in the RedEcho research since 2 March.”
Mumbai blackout: Cyberattack or human error?
As stated in the report, Insikt Group reiterates, “[Any] links between the October 2020 Mumbai power outage and the RedEcho targeted network intrusions remain unsubstantiated.” The Government of India was notified of the group’s RedEcho research on 10 February, and “an affirmative response acknowledging receipt of our notification was received within a few days,” says Recorded Future’s Insikt Group.
As mentioned at the start, the Union power ministry has blamed human error for the Mumbai blackout and not a cyber attack, while the state home ministry has dubbed it an act of cyber sabotage.
“It is our understanding that the Mumbai outage is still under investigation by the Maharashtra [Police’s] Cyber Cell, and a report on the incident is due to be released at some time in March. Recorded Future’s RedEcho analysis revealed a widespread targeted campaign targeting 10 distinct power sector organizations, but we did not see any malicious activity targeting the Maharashtra State Load Despatch Centre. For that reason, we are unable to speculate on any attribution claims concerning that specific incident without any relevant technical data or evidence,” the Insikt Group clarifies.
In other words, RedEcho, a China-linked group, has conducted targeted intrusions into at least 12 critical systems in India. Still, the Mumbai blackout cannot be conclusively linked to the group or the State behind it as of the time of writing. But that doesn’t mean it can’t happen in the future.
India in the crosshairs
The report outlines that in the lead-up to the May 2020 skirmishes between the Indian Army and the People’s Liberation Army in Ladakh’s Galwan Valley, there was a noticeable increase in the provisioning of PlugX malware C2 infrastructure, much of which was subsequently used in intrusion activity targeting Indian organizations. What does this all mean?
For starters, PlugX is a remote access trojan (RAT) used by several China-linked threat groups since at least 2008. The Insikt Group also points out that several Chinese state-sponsored APT groups have used PlugX in their targeted intrusions over the years. The malware has evolved significantly over that time, indicating a sustained development effort. Since 2008, there have been hundreds of reports of PlugX being used by Chinese State-sponsored groups to conduct targeted intrusions against a wide variety of organizations around the world, including the Vatican and Catholic Church entities, NGOs in Hong Kong, and global managed security service providers (MSSPs).
“The widespread use of PlugX across a varied targeting profile clearly demonstrates that it is a preferred tool of choice for Chinese intelligence-gathering activity,” adds the Insikt Group. “Throughout 2020, we observed a noticeable increase in the targeting of Indian organizations from China-linked groups using malware such as PlugX. Suspected victims included entities within the Indian energy, defense, transportation sectors as well as government departments.”
The increase in PlugX activity targeting Indian entities in 2020 aligns with the growing bilateral tensions between India and China stemming from the border skirmishes in May last year. Like provocations on the Line of Actual Control, Chinese cyber espionage activity typically aligns with Chinese Communist Party policy directives. So Recorded Future assesses that the increased targeting of Indian organizations is a signal indicating an increased priority in gathering intelligence on Indian assets.
“There is no current evidence to suggest RedEcho employed a capability to target Industrial Control Systems (ICS) used for physical control of infrastructure,” says Recorded Future’s research group, but warns, “However, it is plausible that the group may use the same techniques demonstrated against the Indian power sector and two seaports to preposition, signal, or potentially conduct info-ops enablement-related intrusion activity against other critical infrastructure networks that are connected to the internet.”
The 28 February report notes “a heavy focus on targeting Indian private sector organizations by multiple Chinese State-sponsored threat activity groups.” To a request for the names of some of these private sector organizations or the sectors in which they operate, the Insikt Group says, “Other than the names of organizations listed in our RedEcho research, such as NTPC, we are unable to name specific Indian companies targeted by Chinese State-sponsored threat groups for confidentiality purposes.”
How Recorded Future locates threats
Despite a decade of concern that China-linked groups have the intent or capability to target critical infrastructure, reports of Chinese groups targeting critical infrastructure for disruption remain rare worldwide. However, the Insikt Group says several reports of Chinese groups such as APT41/Barium targeting oil and gas entities for espionage and potentially reconnaissance purposes have surfaced.
Recorded Future tracks several dozen groups spanning China, Russia, North Korea, Iran, and other countries, as well as major cybercrime groups. “At present we have Adversary Infrastructure Detections in place for over 80 distinct malware families, allowing us to identify suspicious network intrusion activity across our visibility,” says the Insikt Group. “Attributing threat activity to a specific group is a complex process: We use the Diamond Model of Intrusion Analysis to group evidence gathered from specific technical data points to cluster threat activity. These data points include distinct malware artifacts, IPs, domains, and URLs used as infrastructure for intrusions, as well as profiling the victimology of a specific campaign or attack alongside any technical indications of the adversary identity (email addresses, social media handles, etc.).”
“All of this data is compiled into discrete observations and clustered into groupings that allow us to track threats over time and attribute activity to groups. If our observations overlap with other publicly reported groups, then that allows us to make assessments on attribution and links to those groups,” the Insikt Group adds.
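The two quotes above describe clustering discrete observations by shared Diamond Model facets and then checking the clusters against publicly reported groups. The following is an added, deliberately simplified sketch of that workflow, not Recorded Future's code: observations that share any indicator (a malware family as capability, an IP or domain as infrastructure) are merged transitively with a union-find, and each resulting cluster is compared with constructed public profiles. The observations, indicator values (documentation ranges and example.com names) and the PUBLIC-GROUP-A/B profiles are all constructed placeholders; a real analyst weighs the overlap rather than treating it as attribution.

```python
from collections import defaultdict

# Constructed observations for this example (not data from the report). Each one
# records Diamond Model facets: capability (malware family) and infrastructure
# (IPs/domains); values use documentation ranges and example.com names.
OBSERVATIONS = {
    "obs-1": {("capability", "ShadowPad"), ("infra", "203.0.113.7")},
    "obs-2": {("infra", "203.0.113.7"), ("infra", "c2.example.com")},
    "obs-3": {("capability", "PlugX"), ("infra", "198.51.100.42")},
    "obs-4": {("infra", "c2.example.com"), ("infra", "198.51.100.9")},
    "obs-5": {("capability", "PlugX"), ("infra", "update.example.net")},
}

# Constructed public profiles to compare clusters against (placeholder group names).
PUBLIC_PROFILES = {
    "PUBLIC-GROUP-A": {("capability", "ShadowPad"), ("infra", "198.51.100.9")},
    "PUBLIC-GROUP-B": {("capability", "PlugX")},
}

def cluster_observations(observations):
    """Union observations that share at least one indicator, transitively.
    Returns a sorted list of clusters, each a sorted list of observation ids."""
    parent = {oid: oid for oid in observations}

    def find(x):
        while parent[x] != x:
            parent[x] = parent[parent[x]]   # path halving
            x = parent[x]
        return x

    seen = {}   # indicator -> first observation that carried it
    for oid, indicators in observations.items():
        for ind in indicators:
            if ind in seen:
                parent[find(oid)] = find(seen[ind])
            else:
                seen[ind] = oid
    groups = defaultdict(list)
    for oid in observations:
        groups[find(oid)].append(oid)
    return sorted(sorted(g) for g in groups.values())

def profile_overlap(cluster, observations, profiles):
    """Indicators a cluster shares with each public profile (empty overlaps omitted)."""
    cluster_inds = set().union(*(observations[o] for o in cluster))
    return {name: sorted(cluster_inds & inds)
            for name, inds in profiles.items() if cluster_inds & inds}
```

On the sample data obs-1, obs-2 and obs-4 merge through a shared IP and then a shared domain, and that cluster overlaps PUBLIC-GROUP-A on two facets while the PlugX cluster overlaps only PUBLIC-GROUP-B.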