Cyber attackers linked to the Chinese military likely broke into the networks of seven power grid centers in northern India, a US cybersecurity research group said on Thursday, with at least some of the targeting confirmed by a minister who said that the attempts had not succeeded.
The incident is the latest in a string of cyber espionage attributed to China-based groups, with past attacks targeting critical infrastructure such as power plants and private organizations in sensitive sectors like defense and finance.
“Two attempts by Chinese hackers were made to target power distribution centers near Ladakh but failed…We have already strengthened our defense system to counter such cyberattacks,” RK Singh, Union Minister for Power and New and Renewable Energy, told the ANI news agency.
Hours earlier, US cyber threat intelligence firm Recorded Future published a report saying it had found evidence that “at least seven Indian State Load Dispatch Centers (SLDCs)” and a subsidiary of a multinational logistics company were targeted by a China-linked group that it tracks under the code name TAG-38.
This is the third such attempt reported in just over a year. In March 2021, Recorded Future published the findings of another China-linked cyber espionage campaign that targeted India’s power grid, attributing the campaign to a group it calls RedEcho. Later, in June, Recorded Future identified RedFoxtrot, a second China-linked group, as having targeted Indian telecommunications companies, government agencies and defense contractors.
Of these, the government confirmed the RedEcho-linked attacks at the time.
Following last year’s disclosure, the Recorded Future report on Thursday said there “was a short lull” in the activities of China-linked adversaries the company was tracking.
But, “since at least September 2021, we have observed TAG-38 intrusions targeting identified victim organizations” with activity continuing through at least March 2022.
The company said such “prolonged targeting of Indian power grid assets by Chinese state-linked groups” is unlikely to generate significant economic or traditional intelligence-gathering opportunities. “We believe this targeting is more intended to enable the collection of information about critical infrastructure systems or is pre-positioning for future activity,” the report added.
Crucially, the report notes that there was still no evidence that the attackers had reached what is known as the Industrial Control System (ICS) environment. The ICS environment is typically a segmented network layer, kept separate from the organization’s corporate IT network, that houses the systems directly involved in critical functions; for an SLDC, those functions would be power routing and load balancing. Communication with C2 servers from an SLDC network therefore indicates a foothold on the IT side, not demonstrated control over the grid itself.
Technical analysis of the new attempt found evidence that the attackers were using a malware family called ShadowPad, which has been widely attributed to China-linked cyber operations. Evidence of its use was also found in the two earlier India-focused campaigns.
“We have observed long-standing communication between victimized SLDC networks and ShadowPad C2 (command and control) servers, which is most likely indicative of ShadowPad infections within these networks,” a member of Recorded Future’s Insikt Group threat research team told HT via email.
“ShadowPad is a modular backdoor that provides an attacker with an array of capabilities, including the ability to extract information about the victim machine, execute commands, transfer data, interact with the file system and registry, and to deploy new modules to extend functionality (such as keylogging and screen recording),” the person added.
Recorded Future did not identify the exact SLDCs targeted, but a map of victim organizations in its report suggests they were in Uttarakhand, Himachal Pradesh, Rajasthan, Uttar Pradesh and Delhi.
The company linked the activity to suspected Chinese actors in two ways: the victim networks communicated with known ShadowPad command-and-control servers, and the infrastructure used a unique security certificate that has “multiple links to broader espionage activity sponsored by China”.
The person quoted above gave new information about the espionage attempt, saying the attackers used compromised internet-connected security cameras and surveillance video recorders located in South Korea and Taiwan to relay command and control for the intrusion into Indian targets.
“Essentially, malware on a victim network is configured to communicate with an external C2 server to allow an attacker to send commands and transfer data. In this case, these C2 servers were compromised third-party IP camera/DVR devices under the control of the attacker. This is likely an attempt to make the traffic appear benign and hamper attribution efforts,” the person said.
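The detection described in the two quotes above rests on two observations: victim hosts talking to destinations already known as C2 servers, and “long-standing” contact with the same external endpoint, which a backdoor checking in on a timer produces whether or not the endpoint is on any list. The following is an added example, not code from the article or from Recorded Future, showing both checks over a small set of constructed outbound flow records. The indicator list and all addresses are placeholders (RFC 5737 documentation ranges), not real ShadowPad infrastructure, and the thresholds are assumptions a defender would tune to their own network.

```python
"""
Two complementary checks for backdoor command-and-control traffic in outbound
flow records: (1) destinations matched against a list of known C2 addresses and
(2) hosts that contact the same external endpoint at nearly regular intervals
(beaconing). Sample flows and the indicator list are constructed for this
example; IPs are RFC 5737 documentation addresses, not real C2 infrastructure.
"""
from collections import defaultdict
from datetime import datetime, timezone
from statistics import mean, pstdev

# Constructed flow log, one outbound connection per line:
# timestamp,src_ip,dst_ip,dst_port,bytes_out
# 10.20.30.40 checks in every ~5 minutes with small jitter (a beacon);
# 10.20.30.41 talks to a site at irregular times (ordinary browsing);
# 10.20.30.42 touches a listed address only twice (too few hits to look periodic).
SAMPLE_FLOWS = """\
2022-03-01T10:00:00Z,10.20.30.40,203.0.113.50,443,612
2022-03-01T10:05:00Z,10.20.30.40,203.0.113.50,443,598
2022-03-01T10:10:01Z,10.20.30.40,203.0.113.50,443,601
2022-03-01T10:15:00Z,10.20.30.40,203.0.113.50,443,623
2022-03-01T10:20:02Z,10.20.30.40,203.0.113.50,443,590
2022-03-01T10:25:00Z,10.20.30.40,203.0.113.50,443,607
2022-03-01T10:30:00Z,10.20.30.40,203.0.113.50,443,611
2022-03-01T10:35:00Z,10.20.30.40,203.0.113.50,443,604
2022-03-01T10:00:00Z,10.20.30.41,198.51.100.200,443,14210
2022-03-01T10:00:37Z,10.20.30.41,198.51.100.200,443,3302
2022-03-01T10:06:40Z,10.20.30.41,198.51.100.200,443,88120
2022-03-01T10:20:00Z,10.20.30.41,198.51.100.200,443,4410
2022-03-01T10:22:30Z,10.20.30.41,198.51.100.200,443,910
2022-03-01T11:06:40Z,10.20.30.41,198.51.100.200,443,20480
2022-03-01T11:06:50Z,10.20.30.41,198.51.100.200,443,1200
2022-03-01T10:01:40Z,10.20.30.42,198.51.100.7,8080,2048
2022-03-01T11:23:20Z,10.20.30.42,198.51.100.7,8080,1024
"""

# Hypothetical indicator list standing in for a threat-intelligence C2 feed.
C2_INDICATORS = {"203.0.113.50", "198.51.100.7"}


def parse_flows(text):
    """Parse CSV flow lines into (datetime, src, dst, port, bytes_out) tuples."""
    records = []
    for line in text.strip().splitlines():
        ts, src, dst, port, nbytes = line.split(",")
        when = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        records.append((when, src, dst, int(port), int(nbytes)))
    return records


def match_indicators(records, indicators):
    """Return the set of (src, dst) pairs whose destination is on the indicator list."""
    return {(src, dst) for _, src, dst, _, _ in records if dst in indicators}


def find_beacons(records, min_count=6, max_cv=0.2):
    """Flag (src, dst, port) channels with at least min_count connections whose
    inter-arrival times have a coefficient of variation <= max_cv. A low CV
    means the gaps between connections are nearly constant, i.e. a timer."""
    by_channel = defaultdict(list)
    for when, src, dst, port, _ in records:
        by_channel[(src, dst, port)].append(when)

    findings = []
    for (src, dst, port), times in sorted(by_channel.items()):
        if len(times) < min_count:
            continue
        times.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        avg = mean(gaps)
        if avg <= 0:  # all connections in the same second: not a timer pattern
            continue
        cv = pstdev(gaps) / avg
        if cv <= max_cv:
            findings.append({
                "src": src, "dst": dst, "port": port,
                "connections": len(times),
                "mean_interval_s": round(avg, 1),
                "interval_cv": round(cv, 3),
                "duration_s": (times[-1] - times[0]).total_seconds(),
            })
    return findings


if __name__ == "__main__":
    flows = parse_flows(SAMPLE_FLOWS)
    for hit in sorted(match_indicators(flows, C2_INDICATORS)):
        print("indicator match:", hit)
    for candidate in find_beacons(flows):
        print("beacon candidate:", candidate)
```

The indicator check catches the two-connection host that the behavioural check misses, and the behavioural check catches the timer-driven host even if its destination were an unlisted consumer camera or DVR, which is exactly the situation the quote describes. Regular outbound traffic is also produced by NTP, update checks and monitoring agents, so in practice the beacon output is run against an allowlist and a reputation lookup on the destination before anyone is paged.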
A Chinese Foreign Ministry official said the government does not support such activity. “We have taken note of the relevant reports. We have repeatedly said that China firmly opposes all forms of hacking and fights it in accordance with law, and that it will not encourage, support or tolerate hacking attacks,” said spokesperson Zhao Lijian, alleging the findings were intended to “sow discord” and “throw dirty water on China”.
India’s Computer Emergency Response Team (Cert-In) did not respond to HT’s request for comment.