India has been on the radar of Chinese hackers for quite some time now!
According to a study conducted by the U.S.-based cybersecurity firm Recorded Future, since mid-2020 Chinese state-sponsored hacking groups have intruded into the computer networks of at least 12 Indian state-run organisations in an attempt to insert malware capable of causing widespread disruption in the country.
Among them, the primary organisations targeted are India’s largest power conglomerate, NTPC Limited; five key regional load dispatch centres, which help manage the national power grid and balance the electricity supply; and two ports.
All 12 organisations targeted by the Chinese hacking groups qualify as ‘critical infrastructure’ under the definition used by the NCIIPC, the Indian National Critical Information Infrastructure Protection Centre.
Now, while one might think these cyber intrusions began after the Galwan Valley border standoff, the study states that these attacks started much before that incident.
The cybersecurity firm’s findings show that the alleged cyberattacks by the Chinese hacking groups, some of them linked to China’s main intelligence and security agency, the MSS (Ministry of State Security), were not limited to India’s power sector. Instead, they went well beyond it to target numerous government and defence organisations as well.
“In the lead-up to the May 2020 skirmishes, we observed a noticeable increase in the provisioning of PlugX malware C2 infrastructure, much of which was subsequently used in intrusion activity targeting Indian organizations. The PlugX activity included the targeting of multiple Indian government, public sector, and defence organizations from at least May 2020,” the report said.
The PlugX malware, in particular, has been one of the go-to tools of China-nexus groups and was used heavily throughout 2020. Recorded Future’s investigation found a heavy focus on targeting Indian government bodies and private-sector firms by multiple Chinese state-sponsored hacking groups.
Note that while the study could not confirm whether the malware insertion actually led to any disruption, it did point out that the massive power outage in Mumbai on October 12, 2020, was indeed caused by malware inserted at a state load dispatch centre in Padgha.
Nitin Raut, the Maharashtra power minister at the time, said that the authorities suspected possible sabotage as the cause of the electricity outage. The two-hour outage led to the closure of the stock exchange, along with the cancellation of trains and the shutdown of offices across Mumbai, Navi Mumbai and Thane.
Recorded Future, in its report, stated that the alleged link between the outage and the discovery of the unspecified variant of malware currently remains unsubstantiated. That said, the disclosure provides additional evidence suggesting the coordinated targeting of Indian Load Dispatch Centres.
According to the cybersecurity firm, the hacking group involved in the intrusions has been identified as Red Echo, which has strong overlaps in tooling and victims with two other groups, APT41 (also known as Barium) and Tonto Team, both of which have been involved in similar cyber campaigns in the past.
All in all, the surfacing of this report calls for the immediate attention of the Indian cyber cell, which must upgrade the security measures currently implemented across Government of India (GOI) organisations. We will keep you updated on all future developments. Until then, stay tuned.