Chinese state-sponsored groups intruded into the computer networks of at least a dozen Indian state-run organisations, mainly power utilities and load dispatch centres, since mid-2020 in an attempt to insert malware that could cause widespread disruptions, according to a new study.
Among the organisations that were targeted were NTPC Limited, the country’s largest power conglomerate, five key regional load dispatch centres that help in the management of the national power grid by balancing electricity supply and demand and two ports, says the study by Recorded Future, a US-based company that tracks the use of the internet by state actors for cyber-campaigns.
All 12 organisations would qualify as critical infrastructure, according to the Indian National Critical Information Infrastructure Protection Centre’s (NCIIPC) definition. The activity apparently began much before the clashes between Indian and Chinese troops in May 2020 that triggered the border standoff in Ladakh sector of the Line of Actual Control, and there was a “steep rise” from the middle of last year in the use of a particular software used by Chinese state-sponsored groups to target “a large swathe of India’s power sector”, Recorded Future said in its report.
The report further said the alleged intrusions by the Chinese groups, some with known links to the Ministry of State Security (MSS), or China’s main intelligence and security agency, and the People’s Liberation Army (PLA), were not limited to the power sector. There were apparent efforts to target numerous government and defence organisations, the report said.
“In the lead-up to the May 2020 skirmishes, we observed a noticeable increase in the provisioning of PlugX malware C2 infrastructure, much of which was subsequently used in intrusion activity targeting Indian organizations. The PlugX activity included the targeting of multiple Indian government, public sector, and defense organizations from at least May 2020,” the report said. PlugX has been “heavily used by China-nexus groups for many years”, and throughout the rest of 2020, Recorded Future’s investigators “identified a heavy focus on the targeting of Indian government and private sector organizations by multiple Chinese state-sponsored threat activity groups”.
Recorded Future identified the Chinese group involved in the intrusion activity as Red Echo and said it had strong overlaps – in terms of both the technology it uses and its victims – with other groups such as APT41/Barium and Tonto Team that have been involved in similar cyber-campaigns.
The 12 organisations targeted by Red Echo were Power System Operation Corporation Limited, NTPC Limited, NTPC’s Kudgi power plant, Western Regional Load Dispatch Centre, Southern Regional Load Dispatch Centre, North Eastern Regional Load Dispatch Centre, Eastern Regional Load Dispatch Centre, Telangana State Load Dispatch Centre, Delhi State Load Dispatch Centre, the DTL Tikri Kalan (Mundka) sub-station of Delhi Transco Ltd, VO Chidambaranar Port and Mumbai Port Trust.