Among the organisations that were targeted were NTPC Limited, five key regional load despatch centres that help in the management of the national power grid by balancing electricity supply and demand and two ports, says the study by Recorded Future, a US-based company

Chinese state-sponsored groups intruded into the computer networks of at least a dozen Indian state-run organisations, mainly power utilities and load despatch centres, since mid-2020 in an attempt to insert malware that could cause widespread disruptions, according to a new study.

Among the organisations that were targeted were NTPC Limited, the country’s largest power conglomerate, five key regional load despatch centres that help in the management of the national power grid by balancing electricity supply and demand and two ports, says the study by Recorded Future, a US-based company that tracks the use of the internet by state actors for cyber-campaigns.

All 12 organisations would qualify as critical infrastructure, according to the Indian National Critical Information Infrastructure Protection Centre’s (NCIIPC) definition.

The activity apparently began much before the clashes between Indian and Chinese troops in May 2020 that triggered the border standoff in Ladakh sector of the Line of Actual Control, and there was a “steep rise” from the middle of last year in the use of a particular software used by Chinese state-sponsored groups to target “a large swathe of India’s power sector”, Recorded Future said in its report.

The report further said the alleged intrusions by the Chinese groups, some with known links to the Ministry of State Security (MSS), or China’s main intelligence and security agency, and the People’s Liberation Army (PLA), were not limited to the power sector. There were apparent efforts to target numerous government and defence organisations, the report said.

“In the lead-up to the May 2020 skirmishes, we observed a noticeable increase in the provisioning of PlugX malware C2 infrastructure, much of which was subsequently used in intrusion activity targeting Indian organizations. The PlugX activity included the targeting of multiple Indian government, public sector, and defence organizations from at least May 2020,” the report said.

PlugX has been “heavily used by China-nexus groups for many years”, and throughout the rest of 2020, Recorded Future’s investigators “identified a heavy focus on the targeting of Indian government and private sector organizations by multiple Chinese state-sponsored threat activity groups”.

Although Recorded Future was unable to state whether the insertion of malware by the Chinese groups actually led to any disruptions, the report pointed to a massive power outage in Mumbai on October 13, 2020 that was allegedly caused by the insertion of malware at a state load dispatch centre in Padgha. Maharashtra power minister Nitin Raut had said at the time that authorities suspected sabotage was the cause of the outage.

The two-hour outage resulted in the closure of the stock exchange, while trains were cancelled and offices across Mumbai, Thane and Mavi Mumbai were shut down.

“At this time, the alleged link between the outage and the discovery of the unspecified malware variant remains unsubstantiated. However, this disclosure provides additional evidence suggesting the coordinated targeting of Indian Load Despatch Centres,” Recorded Future said in its reports.

Recorded Future identified the Chinese group involved in the intrusion activity as Red Echo and said it had strong overlaps – in terms of both the technology it uses and its victims – with other groups such as APT41/Barium and Tonto Team that have been involved in similar cyber-campaigns.

The 12 organisations targeted by Red Echo were Power System Operation Corporation Limited, NTPC Limited, NTPC’s Kudgi power plant, Western Regional Load Despatch Centre, Southern Regional Load Despatch Centre, North Eastern Regional Load Despatch Centre, Eastern Regional Load Despatch Centre, Telangana State Load Despatch Centre, Delhi State Load Despatch Centre, the DTL Tikri Kalan (Mundka) sub-station of Delhi Transco Ltd, VO Chidambaranar Port and Mumbai Port Trust.

All these groups use ShadowPad, a modular backdoor tool that has been used by China-backed groups in network intrusion campaigns since 2017.

“We assess that the sharing of ShadowPad is prevalent across groups affiliated with both Chinese Ministry of State Security (MSS) and groups affiliated with the People’s Liberation Army (PLA), and is likely linked to the presence of a centralized ShadowPad developer or quartermaster responsible for maintaining and updating the tool,” the report said.

Stuart Solomon, Recorded Future’s chief operating officer, told The New York Times that Red Echo “has been seen to systematically utilise advanced cyber intrusion techniques to quietly gain a foothold in nearly a dozen critical nodes across the Indian power generation and transmission infrastructure”.

While the activities of many Chinese-sponsored groups of hackers in the West have been linked to cyber and economic espionage, Recorded Future concluded Red Echo’s actions in India were aimed at potential access to networks and insertion of malware to “support Chinese strategic objectives”.

“Pre-positioning on energy assets may support several potential outcomes, including geostrategic signalling during heightened bilateral tensions, supporting influence operations, or as a precursor to kinetic escalation,” the report said.

Recorded Future reported its findings to India’s Computer Emergency Response Team (CERT-In), which acknowledged receipt of the information but didn’t say whether it had found the malware in the targeted organisations, The New York Times reported.