Chinese state-linked groups targeted at least seven Indian State Load Dispatch Centres (SLDCs) in North India in a cyber-espionage operation that routed its command-and-control traffic through compromised IP cameras and DVRs, US-based cyber security group Recorded Future claimed. A State Load Dispatch Centre is the apex body that ensures integrated operation of the power system within its state.

Recorded Future, a US-based cyber security group, claimed that Chinese government-linked cyber groups targeted at least seven Indian State Load Dispatch Centres (SLDCs) in northern India in a sustained cyber-espionage operation. These centres carry out real-time grid control and electricity dispatch operations for the states they serve in northern India, the group said.

The researchers noted that the targeting was geographically concentrated in North India, “in proximity to the disputed India-China border in Ladakh,” although it did not identify the precise locations.

A map of targeted power infrastructure released by the group illustrated rough locations concentrated in northern India.

ShadowPad, one of the backdoors used in the operation, is known to have originated with contractors of China's Ministry of State Security (MSS).

The backdoor is also closely associated with China's People's Liberation Army (PLA).

Notably, this backdoor activity took place after the disengagement of Indian and Chinese armed forces along the border began in February 2021.

What The Report Says

A detailed report published by the security firm assesses that the activity was likely an operation to establish backdoor access and collect information on India's power infrastructure for future operations. It does not report any resulting blackout.

"These assets offer minimal value as economic espionage or other traditional intelligence targets, which led us to assess a likely goal of pre-positioning network access to support Chinese strategic objectives", Recorded Future's threat research division, Insikt Group, said.

According to the company, this group comprises analysts and security researchers with deep government, law enforcement, military, and intelligence agency experience. An earlier campaign against Indian power assets by another Chinese group, RedEcho, was reported in February 2021; the latest cyber-espionage operations have remained active for the past several months.

Based on available information, the infrastructure deployed in the operations is estimated to have been active from August 27, 2021, to March 15, 2022.

An Indian subsidiary of a multinational logistics company, and a national emergency response system were also targeted during these attacks.

The researchers did not identify technical evidence attributing the intrusions to the previously identified Chinese group RedEcho, and so categorised the latest activity under the temporary group name Threat Activity Group 38 (TAG-38).

Cameras And DVRs

The operators did not attack the power grid directly from their own servers. Instead, they compromised internet-facing Internet Protocol (IP) cameras, of the kind used in closed-circuit television (CCTV) networks, and internet-connected Digital Video Recorder (DVR) devices belonging to unrelated third parties, and used those devices as relays for their command-and-control traffic.

These third-party digital cameras and DVRs are often inadequately secured.

The researchers state that the command-and-control infrastructure used in the 'prolonged targeting' mostly consists of compromised internet-facing, third-party DVR and IP camera devices. The compromised devices serving as command-and-control relays were primarily geolocated in Taiwan or South Korea.

Security experts advise stronger measures for organisations operating third-party IP cameras and DVR systems, including monitoring the devices' outbound traffic for connections to unusual servers: a camera or recorder has few legitimate reasons to initiate connections to arbitrary external hosts, so any that it does make are worth examining.

"Ensure software and firmware associated with IoT devices, such as DVR/IP camera systems, are kept up to date. Always change any default passwords to a strong, complex password and turn on two-factor authentication (2FA) if available. Where possible, avoid exposing these devices directly to the internet," Recorded Future said.
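One concrete form of the outbound-traffic monitoring advised above is to take the flow logs from the firewall in front of the camera/DVR segment, discard everything the devices are expected to do, and look at what is left for the regular check-in pattern a backdoor relay produces. The script below is an added example, not code from Recorded Future or from the report; the camera/DVR subnet 10.20.0.0/24, the two allowlisted internal destinations, and the flow-log lines are all constructed for the illustration.

```python
import ipaddress
from collections import defaultdict
from datetime import datetime
from statistics import pstdev

# Constructed sample flow records (not real traffic from the report): one line per
# outbound flow as a perimeter firewall or NetFlow exporter would log it.
# Fields: timestamp src_ip dst_ip dst_port proto bytes
SAMPLE_FLOWS = """\
2022-03-01T09:00:00Z 10.20.0.11 10.10.0.5 123 udp 76
2022-03-01T09:00:05Z 10.20.0.11 10.10.0.20 443 tcp 18300
2022-03-01T09:01:00Z 10.20.0.12 203.0.113.45 443 tcp 1320
2022-03-01T09:06:00Z 10.20.0.12 203.0.113.45 443 tcp 1298
2022-03-01T09:11:00Z 10.20.0.12 203.0.113.45 443 tcp 1305
2022-03-01T09:16:00Z 10.20.0.12 203.0.113.45 443 tcp 1310
2022-03-01T09:02:30Z 10.20.0.13 198.51.100.7 8080 tcp 5400
2022-03-01T09:03:00Z 10.20.0.11 10.10.0.5 123 udp 76
2022-03-01T09:04:00Z 10.30.0.50 203.0.113.45 443 tcp 900
"""

# Hypothetical network facts for this example: the segment holding the cameras and
# DVRs, and the only destinations they have a legitimate reason to contact.
CAMERA_DVR_SEGMENT = ipaddress.ip_network("10.20.0.0/24")
ALLOWED_DESTINATIONS = {
    ("10.10.0.5", 123),   # internal NTP server
    ("10.10.0.20", 443),  # internal video management server
}


def parse_flows(text):
    """Parse whitespace-separated flow lines into dicts with typed fields."""
    flows = []
    for line in text.strip().splitlines():
        ts, src, dst, dport, proto, nbytes = line.split()
        flows.append({
            "ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
            "src": ipaddress.ip_address(src),
            "dst": ipaddress.ip_address(dst),
            "dport": int(dport),
            "proto": proto,
            "bytes": int(nbytes),
        })
    return flows


def unexpected_outbound(flows):
    """Flows that originate inside the camera/DVR segment and go anywhere
    not on the allowlist. Hosts outside the segment are ignored."""
    return [
        f for f in flows
        if f["src"] in CAMERA_DVR_SEGMENT
        and (str(f["dst"]), f["dport"]) not in ALLOWED_DESTINATIONS
    ]


def beaconing_candidates(flows, min_count=3, max_jitter_s=30.0):
    """Among the unexpected flows, find (src, dst, port) tuples that repeat at a
    near-constant interval, the pattern of an implant checking in with a relay.
    Returns {(src, dst, port): {"count": n, "interval_s": mean_gap}}."""
    groups = defaultdict(list)
    for f in unexpected_outbound(flows):
        groups[(str(f["src"]), str(f["dst"]), f["dport"])].append(f["ts"])
    hits = {}
    for key, stamps in groups.items():
        if len(stamps) < min_count:
            continue
        stamps.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        # Low spread between consecutive gaps means a fixed check-in timer.
        if pstdev(gaps) <= max_jitter_s:
            hits[key] = {"count": len(stamps), "interval_s": sum(gaps) / len(gaps)}
    return hits


if __name__ == "__main__":
    flows = parse_flows(SAMPLE_FLOWS)
    for f in unexpected_outbound(flows):
        print(f"unexpected: {f['src']} -> {f['dst']}:{f['dport']}/{f['proto']} {f['bytes']}B")
    for (src, dst, port), info in beaconing_candidates(flows).items():
        print(f"beacon-like: {src} -> {dst}:{port} every ~{info['interval_s']:.0f}s x{info['count']}")
```

On the constructed input, the two NTP flows and the flow to the video management server are dropped as expected, the single connection from 10.20.0.13 to an outside host on port 8080 is reported as unexpected but not yet as a beacon, and the four connections from 10.20.0.12 to 203.0.113.45 at exactly five-minute intervals are flagged as beacon-like. The allowlist is deliberately a set of (destination, port) pairs rather than bare addresses, because a relay reached over 443 looks like any other HTTPS flow once only the port is considered.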

India-China Conflict

Tensions between India and China escalated sharply after the Galwan Valley clash in June 2020. The eastern Ladakh border standoff between the Indian and Chinese militaries had erupted earlier, on May 5, 2020, following a violent clash in the Pangong Tso Lake area.

Following the incident, both sides gradually enhanced their deployment by rushing in tens of thousands of soldiers as well as heavy weaponry, resulting in increased tensions at the friction points.

Several rounds of military-level talks were held to de-escalate tensions between the two countries. In February 2021, Defence Minister Rajnath Singh said that sustained talks with China had led to an agreement on disengagement on the north and south banks of Pangong Lake.

On March 25, 2022, National Security Adviser Ajit Doval and Chinese Foreign Minister Wang Yi discussed the possibility of complete disengagement of Indian and Chinese troops along the border between the two nations.

'China Cyberattack On India'

A study suggested that the Mumbai power outage of October 2020, described as the city's worst power failure in decades, may be linked to the India-China border tensions. The report said the outage may have been the result of a Chinese cyberattack intended to signal to India not to press too hard.

The report, cited by The New York Times, claimed that while Indian and Chinese soldiers were locked in a standoff at the border, malware was being inserted into the control systems that manage electricity supply across India. It was not the first report to hint at a Chinese cyberattack behind the Mumbai power outage.