Chinese hacker groups target Indian Power Grid
China-linked adversaries have been attributed to an ongoing onslaught against Indian power grid organizations, one year after a concerted campaign targeting critical infrastructure in the country came to light.
Most of the intrusions involved a modular backdoor named ShadowPad, according to Recorded Future’s Insikt Group, a sophisticated remote access trojan that has been dubbed a “masterpiece of privately sold malware in Chinese espionage.”
The goal of the sustained campaign, the cybersecurity company said, is to facilitate intelligence gathering pertaining to critical infrastructure systems in preparation for future contingency operations. The targeting is believed to have commenced in September 2021.
The attacks took aim at seven State Load Despatch Centres (SDLCs) located primarily in Northern India, in particular those close to the disputed India-China border in Ladakh, with one of the targets victimized in a similar attack disclosed in February 2021 and attributed to the RedEcho group.
Another Chinese Hacking Group Spotted Targeting Ukraine Amid Russia Invasion
The 2021 RedEcho attacks involved the compromise of 10 distinct Indian power sector organizations, including six of the country’s regional and state load despatch centers (RLDC), two ports, a nation power plant, and a substation.
Recorded Future linked the latest set of malicious activities to an emerging threat cluster it’s tracking under the moniker Threat Activity Group 38 aka TAG-38 (similar to the UNC#### and DEV-#### designations given by Mandiant and Microsoft), citing “notable distinctions” from that of the previously identified RedEcho TTPs.
In addition to attacking power grid assets, TAG-38 impacted a national emergency response system and the Indian subsidiary of a multinational logistics company.
Although the initial infection vector used to breach the networks is unknown, the ShadowPad malware on the host systems was commandeered by means of a network of infected internet-facing DVR/IP camera devices geolocated in Taiwan and South Korea.
Following the disclosure, India’s Union Power Minister R. K. Singh characterized the intrusions as unsuccessful “probing attempts” at hacking which happened in January and February, and that the government is constantly reviewing its cybersecurity mechanisms to bolster defenses.
Chinese hacker groups target Indian Power Grid
