A grid failure on 12 October last year resulted in a major power outage in Mumbai and its surrounding areas, affecting electricity supply, local trains etc. It took hours for the power supply to be gradually restored in a phase-wise manner. At the time, Maharashtra energy minister Nitin Raut had told the media, “There was islanding (a phenomenon that sees a distributed generator powering a location although electrical grid power is no longer present) in Mumbai which shouldn’t have happened… This is the reason that possibility of sabotage is suspected.”
In the months since, Union Minister of State (Independent Charge) for Power RK Singh has suggested that the blackout was a result of ‘human error’, while Maharashtra home minister Anil Deshmukh, citing a preliminary report by the Maharashtra Police Cyber Cell, has claimed it was an act of cyber sabotage that led to the events of 12 October. The full report by the cyber cell is due later this month.
On 28 February this year, Massachusetts-based cyber security firm Recorded Future released a report titled ‘China-linked Group RedEcho Targets the Indian Power Sector Amid Heightened Border Tensions’ that points to China-linked intrusion activity against the systems that manage India’s electricity supply. The report identifies RedEcho — a China-based advanced persistent threat (APT) group — as the entity behind attempts to infiltrate India’s power grids.
RedEcho and the Chinese threat
“We believe RedEcho to be a China-linked group due to a confluence of both non-technical and technical factors,” Recorded Future’s research team, the Insikt Group*, tells FP in an email interaction, “From a technical perspective, the activity features strong technical overlaps with known Chinese State-sponsored groups, including the use of AXIOMATICASYMPTOTE infrastructure and ShadowPad malware, which we believe is unique to Chinese State-sponsored groups.”
There’s a lot to unpack here, and we’ll get around to each part shortly, but for now, the Insikt Group notes, “[The] targeting of these organisations offers limited economic espionage opportunities and their targeting most likely supports China’s national-level policy objectives. Finally, the targeting took place during a time period of heightened diplomatic tensions and occasional violence along the India-China border.”
For those not in the know, AXIOMATICASYMPTOTE is the Recorded Future name for a group of servers used to conduct targeted intrusion activity from Chinese-linked threat groups. The Insikt Group elaborates, “These servers are detected via a proprietary fingerprinting method, which includes servers that have been used to administer ShadowPad infections in the past. ShadowPad is a malware family reported to have been used by at least five different Chinese State-sponsored groups.”
Returning to the topic of India, the Recorded Future report states that since early 2020, a large increase in suspected targeted intrusion activity against Indian organisations from Chinese State-sponsored groups has been observed. According to the Insikt Group, “Recorded Future proactively tracks the creation and use of internet infrastructure used by cyber threat actors through a method we call Adversary Infrastructure Detection. This, combined with large-scale Network Traffic Analysis, allows us to detect suspicious activity across the internet emanating from threat actor infrastructure. These data points allow us to produce intelligence relating to cyber criminal and State-sponsored threat activity.”
This time around, Recorded Future identified servers fingerprinted as AXIOMATICASYMPTOTE in sustained and regular communication with multiple devices across at least 10 different Indian power sector organisations and two Indian seaports. The map below depicts the location of these 12 organisations and the areas they serve.
Insikt Group research indicates that communication between RedEcho servers and one of these targeted entities — VO Chidambaranar Port in Tamil Nadu — was observed until as recently as last week. However, the group points out, “We have not observed any related communications to any of the targeted entities listed in the RedEcho research since 2 March.”
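The “sustained and regular communication” the report describes is the kind of pattern a defender can look for in their own flow logs. The script below is an added illustration of that check, not Recorded Future’s tooling (which the article does not describe in detail): it takes a list of server addresses treated as fingerprinted C2 infrastructure and flags internal hosts that contact them repeatedly at near-constant intervals. The server list and the flow records are constructed placeholders drawn from reserved documentation address ranges, not real indicators.

```python
"""Flag internal hosts with sustained, periodic contact to listed C2 servers.

Added example, not Recorded Future's detection method. The server list and
flow records are constructed (RFC 5737 documentation addresses), not real IOCs.
"""
from collections import defaultdict
from statistics import mean, pstdev

# Constructed stand-in for a list of fingerprinted C2 servers (assumption:
# these are placeholder addresses, not AXIOMATICASYMPTOTE infrastructure).
C2_SERVERS = {"203.0.113.10", "203.0.113.44"}

# Constructed flow records: (epoch seconds, src_ip, dst_ip, dst_port, bytes_out).
FLOWS = [
    # 10.20.0.5 contacts 203.0.113.10 every ~300 s with a few seconds of jitter
    *[(1_600_000_000 + i * 300 + (i % 3), "10.20.0.5", "203.0.113.10", 443, 512)
      for i in range(12)],
    # 10.20.0.9 reaches a listed server only twice: not sustained, should not fire
    (1_600_000_000, "10.20.0.9", "203.0.113.44", 443, 300),
    (1_600_003_000, "10.20.0.9", "203.0.113.44", 443, 300),
    # ordinary traffic to unlisted destinations
    (1_600_000_100, "10.20.0.5", "198.51.100.7", 443, 4096),
    (1_600_000_200, "10.20.0.7", "198.51.100.7", 80, 2048),
]


def beacon_candidates(flows, c2_servers, min_connections=6, max_cv=0.2):
    """Return (src, c2) pairs with at least min_connections contacts whose
    inter-connection intervals are regular.

    Regularity is the coefficient of variation (stdev / mean) of the gaps
    between successive connections; a low value means beacon-like timing.
    """
    by_pair = defaultdict(list)
    for ts, src, dst, _port, _nbytes in flows:
        if dst in c2_servers:
            by_pair[(src, dst)].append(ts)

    findings = []
    for (src, dst), stamps in by_pair.items():
        if len(stamps) < min_connections:
            continue
        stamps.sort()
        gaps = [later - earlier for earlier, later in zip(stamps, stamps[1:])]
        avg = mean(gaps)
        cv = pstdev(gaps) / avg if avg else 0.0
        if cv <= max_cv:
            findings.append({
                "src": src,
                "c2": dst,
                "connections": len(stamps),
                "mean_interval_s": round(avg, 1),
                "cv": round(cv, 3),
            })
    return findings


if __name__ == "__main__":
    for finding in beacon_candidates(FLOWS, C2_SERVERS):
        print(finding)
```

Only the host with a dozen evenly spaced connections is reported; the host that touched a listed server twice is dropped by the connection threshold. In practice the thresholds need tuning per environment, and a match against an address list is a lead for investigation, not proof of compromise, which is the same caution the Insikt Group applies below when declining to link its findings to the Mumbai outage.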
Mumbai blackout: Cyber attack or human error?
As stated in the report, Insikt Group reiterates, “[Any] links between the October 2020 Mumbai power outage and the RedEcho targeted network intrusions remain unsubstantiated.” The Government of India was notified of the group’s RedEcho research on 10 February and “an affirmative response acknowledging receipt of our notification was received within a few days”, says Recorded Future’s Insikt Group.
As mentioned at the start, the Union power ministry has blamed human error for the Mumbai blackout and not a cyber attack, while the state home ministry has dubbed it an act of cyber sabotage.
“It is our understanding that the Mumbai outage is still under investigation by the Maharashtra [Police’s] Cyber Cell and a report on the incident is due to be released at some time in March. Recorded Future’s RedEcho analysis revealed a widespread targeted campaign targeting 10 distinct power sector organisations, but we did not see any malicious activity targeting the Maharashtra State Load Despatch Centre. For that reason, we are unable to speculate on any attributory claims with respect to that specific incident without any relevant technical data or evidence,” the Insikt Group clarifies.
In other words, RedEcho, a China-linked group, has conducted targeted intrusions into at least 12 critical organisations in India, but the Mumbai blackout, as of the time of writing, cannot be conclusively linked to the group or the State behind it. That doesn’t mean it can’t happen in the future.
India in the crosshairs
The report outlines that in the lead-up to the May 2020 skirmishes between the Indian Army and the People’s Liberation Army in Ladakh’s Galwan Valley, there was a noticeable increase in the ‘provisioning of PlugX malware C2 infrastructure, much of which was subsequently used in intrusion activity targeting Indian organisations’. What does this all mean?
For starters, PlugX is a remote access trojan (RAT) used by several China-linked threat groups since at least 2008. The Insikt Group also points out that several Chinese state-sponsored APT groups have used PlugX in their targeted intrusions over the years, with the malware evolving significantly over that period, indicating a sustained development effort. Since 2008, there have been hundreds of reports of PlugX being used by Chinese State-sponsored groups to conduct targeted intrusions against a wide variety of organisations around the world, including the Vatican and Catholic Church entities, NGOs in Hong Kong, and global managed security service providers (MSSPs).
“The widespread use of PlugX across a varied targeting profile clearly demonstrates that it is a preferred tool of choice for Chinese intelligence gathering activity,” adds the Insikt Group, “Throughout 2020, we observed a noticeable increase in the targeting of Indian organisations from China-linked groups using malware such as PlugX. Suspected victims included entities within the Indian energy, defence, transportation sectors as well as government departments.”
The increase in PlugX activity targeting Indian entities in 2020 tracks the growing bilateral tensions between India and China stemming from the border skirmishes in May last year. Just as with provocations on the Line of Actual Control, Chinese cyber espionage activity typically aligns with Chinese Communist Party policy directives, and so Recorded Future assesses that the increased targeting of Indian organisations signals a higher priority on gathering intelligence on Indian assets.
“There is no current evidence to suggest RedEcho employed a capability to target Industrial Control Systems (ICS) used for physical control of infrastructure,” says Recorded Future’s research group, but warns, “However, it is plausible that the group may use the same techniques demonstrated against the Indian power sector and two seaports to preposition, signal, or potentially conduct info-ops enablement-related intrusion activity against other critical infrastructure networks that are connected to the internet.”
The 28 February report notes “a heavy focus on the targeting of Indian private sector organisations by multiple Chinese State-sponsored threat activity groups”. To a request for the names of some of these private sector organisations or the sectors in which they operate, the Insikt Group says, “Other than the names of organisations listed in our RedEcho research, such as NTPC, we are unable to name specific Indian companies targeted by Chinese State-sponsored threat groups for confidentiality purposes.”
How Recorded Future locates threats
Across the world and despite concerns for a decade that China-linked groups have had an intent or capability to target critical infrastructure, reports of targeting critical infrastructure for disruption from Chinese groups are rare. However, the Insikt Group says several reports of Chinese groups such as APT41/Barium targeting oil and gas entities for espionage and potentially reconnaissance purposes have surfaced.
Recorded Future tracks several dozen groups spanning across China, Russia, North Korea, Iran and other countries, as well as major cybercrime groups. “At present we have Adversary Infrastructure Detections in place for over 80 distinct malware families, allowing us to identify suspicious network intrusion activity across our visibility,” says the Insikt Group, “Attributing threat activity to a specific group is a complex process: We use the Diamond Model of Intrusion Analysis to group together evidence gathered from specific technical data points in order to cluster threat activity. These data points include distinct malware artefacts, IPs, domains and URLs used as infrastructure for intrusions, as well as profiling the victimology of a specific campaign or attack alongside any technical indications of the adversary identity (email addresses, social media handles etc).”
“All of this data is compiled into discrete observations, and clustered into groupings that allow us to track threats over time and attribute activity to groups. If our observations overlap with other publicly reported groups, then that allows us to make assessments on attribution and links to those groups,” the Insikt Group adds.
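The clustering step described in the two quotes above can be sketched in code. What follows is an added example, not Recorded Future’s method: each intrusion is recorded as a set of observed indicators, observations are merged into one cluster when they share infrastructure (an IP or domain), and each cluster’s indicator set is then compared against indicators publicly attributed to named groups. Malware family is deliberately not used as a merge key, because, as the article notes, ShadowPad is used by at least five different groups and a shared family alone would fuse unrelated activity. All observation names, indicators and group names are constructed placeholders.

```python
"""Cluster intrusion observations by shared infrastructure and score each
cluster's overlap with publicly reported groups.

Added example illustrating the clustering described in the text; not
Recorded Future's tooling. Every indicator and name below is constructed.
"""
from collections import defaultdict

# Constructed observations: one intrusion each, with the indicators seen in it.
OBSERVATIONS = {
    "obs-1": {"malware": {"ShadowPad"}, "ip": {"203.0.113.10"},
              "domain": {"update.example.invalid"}, "victim_sector": "power"},
    "obs-2": {"malware": {"ShadowPad"}, "ip": {"203.0.113.44"},
              "domain": {"update.example.invalid"}, "victim_sector": "power"},
    "obs-3": {"malware": set(), "ip": {"203.0.113.44"},
              "domain": set(), "victim_sector": "port"},
    "obs-4": {"malware": {"PlugX"}, "ip": {"198.51.100.7"},
              "domain": set(), "victim_sector": "defence"},
    # Same malware family as obs-1/obs-2 but no shared infrastructure:
    # must stay in its own cluster.
    "obs-5": {"malware": {"ShadowPad"}, "ip": {"192.0.2.9"},
              "domain": set(), "victim_sector": "ngo"},
}

# Constructed stand-in for indicators that public reporting attributes to a group.
PUBLIC_GROUPS = {
    "GroupA": {("malware", "ShadowPad"), ("domain", "update.example.invalid")},
    "GroupB": {("malware", "PlugX")},
}

# Infrastructure pivots only; malware family is too widely shared to merge on.
PIVOT_KEYS = ("ip", "domain")


def cluster(observations, pivot_keys=PIVOT_KEYS):
    """Union-find: observations sharing any pivot indicator join one cluster."""
    parent = {name: name for name in observations}

    def find(x):
        while parent[x] != x:
            parent[x] = parent[parent[x]]  # path halving
            x = parent[x]
        return x

    def union(a, b):
        ra, rb = find(a), find(b)
        if ra != rb:
            parent[rb] = ra

    first_seen = {}  # (key, value) -> first observation carrying that indicator
    for name, obs in observations.items():
        for key in pivot_keys:
            for value in obs[key]:
                if (key, value) in first_seen:
                    union(first_seen[(key, value)], name)
                else:
                    first_seen[(key, value)] = name

    groups = defaultdict(set)
    for name in observations:
        groups[find(name)].add(name)
    return sorted(groups.values(), key=lambda members: sorted(members))


def indicators(observations, members):
    """All (type, value) indicators across a cluster's observations."""
    out = set()
    for m in members:
        for key in ("malware", "ip", "domain"):
            out |= {(key, v) for v in observations[m][key]}
    return out


def attribute(observations, public_groups, pivot_keys=PIVOT_KEYS):
    """Per cluster: members, victim sectors, and indicator overlap per known group."""
    result = []
    for members in cluster(observations, pivot_keys):
        inds = indicators(observations, members)
        overlap = {g: len(inds & known) for g, known in public_groups.items() if inds & known}
        result.append({
            "members": sorted(members),
            "sectors": sorted({observations[m]["victim_sector"] for m in members}),
            "overlap": overlap,
        })
    return result


if __name__ == "__main__":
    for entry in attribute(OBSERVATIONS, PUBLIC_GROUPS):
        print(entry)
```

Three clusters come out: obs-1/2/3 linked through a shared domain and a shared IP and spanning the power and port sectors, obs-4 on its own, and obs-5 on its own despite using the same malware family as the first cluster. The overlap count is only a starting point for an attribution judgement; a cluster whose sole overlap with a named group is a widely shared malware family, as with obs-5 here, is weak evidence on its own.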
* The interviewee requested anonymity and chose to be identified as Recorded Future’s Insikt Group as all answers were given on behalf of the research unit