A Chinese government-linked group of hackers targeted India's critical power grid system through malware, Recorded Future, a Massachusetts-based company, had said in its latest study

China did not succeed in its attempt to cause power outages in India, even though its hackers did try to disrupt the power supply, Union Power Ministry sources said on Monday, even as Maharashtra Energy Minister Nitin Raut confirmed that the power outage in Mumbai in October last year was caused by a “cyberattack” and was an act of “sabotage”. China has since rubbished the report and called it “fabricated and speculation”.

Ministry officials say that on November 19, the Indian Computer Emergency Response Team (CERT-In) received an email that warned of a threat from a malware called ShadowPad at some control centres of Power System Operation Corporation (POSOCO).

On October 12, 2020, a grid failure in Mumbai resulted in a massive power outage, stopping trains on tracks, hampering those working from home amidst the COVID-19 pandemic and hitting the economic activity hard.

Recorded Future, which studies the use of the internet by state actors, in its recent report details the campaign conducted by the China-linked threat activity group RedEcho targeting the Indian power sector.

POSOCO is a government-owned subsidiary responsible for ensuring integrated operation of the power grid in a reliable, efficient, and secure manner.

As per the assessment done by Power Ministry officials, there was no impact from the cyber threat posed by the China-linked group RedEcho. “There is no impact on any of the functionalities carried out by POSOCO due to the referred threat. No data breach or data loss has been detected due to these incidents,” Ministry officials said.

The ministry concluded after its enquiry that the threat was averted because of timely action by various agencies. “Prompt actions are being taken by the CISOs at all these control centres under operation by POSOCO for any incident/advisory received from various agencies like CERT-In, NCIIPC (National Critical Information Infrastructure Protection Centre), CERT-Trans etc,” officials said.

Soon afterwards, action was taken to address these threats. NCIIPC informed the ministry through a mail dated February 21 about the threat from RedEcho via a malware called ShadowPad.

The email read, “Chinese state-sponsored threat Actor group known as Red Echo is targeting Indian Power sector’s Regional Load Dispatch Centres (RLDCs) along with State Load Dispatch Centres (SLDCs).”

Ministry officials said the same threat had been mentioned in a report by the New York Times. Officials said the alert also listed some IP addresses and domain names.

“The report of Insikt also refers to the threat actors already informed by CERT-In & NCIIPC. All IPs and domains listed in the NCIIPC mail have been blocked in the firewall at all control centres. Firewall logs are being monitored for any connection attempt towards the listed IPs and domains. Additionally, all systems in control centres were scanned and cleaned by antivirus,” officials said.

Ministry officials said that observations from all RLDCs and the NLDC show that there is no communication or data transfer taking place to the IPs mentioned. They added that a system for monitoring and analysis of cyber activities is already in place at all RLDCs and the NLDC operated by POSOCO.
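The defensive step the officials describe is a blocklist check: indicators from the advisory are added to the firewall, and the firewall logs are then watched for any attempt to reach them. The script below is an added illustration of that monitoring logic, not code from the article, from POSOCO or from Recorded Future. The article does not reproduce the advisory's IPs or domains, so the blocklist and the log lines here are constructed placeholders (RFC 5737 addresses and RFC 2606 example domains) in an assumed generic key=value firewall log format.

```python
"""Added example: match firewall log lines against an indicator blocklist.
Indicators and log lines are constructed placeholders, not the values
from the NCIIPC advisory (which the article does not reproduce)."""

import ipaddress
import re
from dataclasses import dataclass

# Constructed blocklist standing in for the advisory's IPs and domains.
BLOCKED_IPS = {"192.0.2.10", "198.51.100.7"}
BLOCKED_DOMAINS = {"c2.example.net", "update.example.org"}

# Constructed log lines in an assumed generic "key=value" firewall format:
# one line per connection attempt; DNS queries carry a query= field.
SAMPLE_LOG = """\
2021-03-01T10:15:02Z action=DROP src=10.20.0.15 dst=192.0.2.10 dport=443 proto=tcp
2021-03-01T10:15:09Z action=ALLOW src=10.20.0.15 dst=203.0.113.5 dport=443 proto=tcp
2021-03-01T10:16:41Z action=DROP src=10.20.0.31 dst=198.51.100.7 dport=8080 proto=tcp
2021-03-01T10:17:00Z action=ALLOW src=10.20.0.31 dst=10.20.0.1 dport=53 proto=udp query=c2.example.net
2021-03-01T10:17:05Z action=ALLOW src=10.20.0.31 dst=10.20.0.1 dport=53 proto=udp query=mail.example.com
2021-03-01T10:18:30Z action=ALLOW src=10.20.0.44 dst=10.20.0.1 dport=53 proto=udp query=sub.update.example.org
"""

KV_RE = re.compile(r"(\w+)=(\S+)")


@dataclass(frozen=True)
class Hit:
    timestamp: str
    src: str        # internal host that tried to reach the indicator
    indicator: str  # the blocklisted IP or domain that was matched
    kind: str       # "ip" or "domain"
    action: str     # what the firewall did; DROP means the block held


def parse_line(line):
    """Split a log line into its timestamp and a dict of key=value fields."""
    ts, _, rest = line.partition(" ")
    return ts, dict(KV_RE.findall(rest))


def domain_matches(name, blocked):
    """True if name equals a blocked domain or is a subdomain of one."""
    name = name.lower().rstrip(".")
    return any(name == d or name.endswith("." + d) for d in blocked)


def find_hits(log_text, blocked_ips=BLOCKED_IPS, blocked_domains=BLOCKED_DOMAINS):
    """Return a Hit for every line whose destination IP or DNS query name is blocklisted."""
    blocked_addrs = {ipaddress.ip_address(ip) for ip in blocked_ips}
    hits = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, fields = parse_line(line)
        action = fields.get("action", "?")
        src = fields.get("src", "?")
        dst = fields.get("dst")
        if dst:
            try:
                if ipaddress.ip_address(dst) in blocked_addrs:
                    hits.append(Hit(ts, src, dst, "ip", action))
            except ValueError:
                pass  # malformed dst field: skip the IP check, still check the query
        query = fields.get("query")
        if query and domain_matches(query, blocked_domains):
            hits.append(Hit(ts, src, query, "domain", action))
    return hits


def unblocked_hits(hits):
    """Hits the firewall did not DROP, e.g. a lookup of a blocked domain that
    the resolver still answered; these are the lines an analyst follows up."""
    return [h for h in hits if h.action != "DROP"]


if __name__ == "__main__":
    for h in find_hits(SAMPLE_LOG):
        print(f"{h.timestamp} {h.src} -> {h.indicator} [{h.kind}] {h.action}")
```

Two points the sample log brings out: blocking an IP at the perimeter does not stop internal hosts from resolving the associated domain, so the DNS queries still surface as hits with action ALLOW, and subdomain matching is needed because a listed domain may be contacted through a host name under it.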

The massive power outage in Mumbai in October last year was caused by a “cyberattack” and was an act of “sabotage”, Maharashtra Energy Minister Nitin Raut said on Monday, citing preliminary information. Interacting with media persons, Raut said the state government, the Maharashtra Electricity Regulatory Commission (MERC) and the Central Electricity Authority had set up separate committees to probe the cause of the power outage and their reports had been received. “We had then complained to the cyber cell and their report is awaited. But from the preliminary information I have, there definitely was a cyber attack and it was sabotage,” he said.

The activity was identified through a combination of large-scale automated network traffic analytics and expert analysis. Data sources include the Recorded Future Platform, SecurityTrails, Spur, Farsight and common open-source tools and techniques, the report said.

In response to the allegation, Chinese Foreign Ministry spokesman Wang Wenbin on Monday rejected the criticism about China’s involvement in the hacking of India’s power grid, saying it is irresponsible and ill-intentioned to make allegations without proof.

Spokesperson of the Chinese Embassy in India tweeted: “As a staunch defender of cybersecurity, China firmly opposes and cracks down on all forms of cyberattacks. Speculation and fabrication have no role to play in the issue of cyberattacks. Highly irresponsible to accuse a particular party with no sufficient evidence around.”

After the October 12 grid failure, it took two hours for the power supply to resume for essential services, prompting Chief Minister Uddhav Thackeray to order an enquiry into the incident.

Recorded Future said it notified the appropriate Indian government departments of the suspected intrusions prior to publication of its report, to support incident response and remediation investigations within the impacted organisations.