
Chinese Hacking Group “RedEcho” Targets Indian Power Sector

Cybersecurity researchers found Chinese state-linked hackers targeting multiple Indian organizations in the power sector, using infrastructure whose tactics, techniques, and procedures (TTPs) overlap with previously reported Chinese groups.


Relations between India and China have worsened since troops from both sides clashed in May 2020. While diplomacy has averted open conflict, cyber espionage operations by state-sponsored attackers continue to target organizations in India. Cybersecurity researchers recently uncovered a Chinese hacking group's campaign against India's power generation and transmission sector.


Research from security firm Recorded Future found a China-linked threat activity group, dubbed RedEcho, targeting 12 Indian organizations, 10 of them in the power sector. Recorded Future's threat research team, Insikt Group, found that a subset of the servers used in the campaign share tactics, techniques, and procedures (TTPs) with several previously reported Chinese state-sponsored groups.

Key Findings

  • The targeting of Indian critical infrastructure offers limited economic espionage opportunities; however, we assess they pose significant concerns over potential pre-positioning of network access to support Chinese strategic objectives.
  • Pre-positioning on energy assets may support several potential outcomes, including geostrategic signaling during heightened bilateral tensions, supporting influence operations, or as a precursor to kinetic escalation.
  • RedEcho has strong infrastructure and victimology overlaps with Chinese groups APT41/Barium and Tonto Team, while ShadowPad is used by at least 5 distinct Chinese groups.
  • The high concentration of IPs resolving to Indian critical infrastructure entities communicating over several months with a distinct subset of AXIOMATICASYMPTOTE servers used by RedEcho indicates a targeted campaign, with little evidence of wider targeting in Recorded Future’s network telemetry.

“We’ve determined that a subset of these AXIOMATICASYMPTOTE servers share some common infrastructure tactics, techniques, and procedures (TTPs) with several previously reported Chinese state-sponsored groups, including APT41 and Tonto Team. Despite some overlaps with previous groups, Insikt Group does not currently believe there is enough evidence to firmly attribute the activity in this particular campaign to an existing public group and therefore continue to track it as a closely related but distinct activity group, RedEcho,” Recorded Future said.

Update on March 2, 2021

Mumbai Power Outage a “Cyber Sabotage” Attempt: Minister

The latest findings raise questions about a possible connection to the power blackout that crippled India's financial capital, Mumbai, in October last year. It was initially attributed to a technical failure at a power substation; however, later reports suggested that it could have been the result of a cyberattack on the power grid. The state's Minister of Energy and Home Minister directed the Maharashtra Cyber Cell to carry out a thorough investigation into the possibility of a cyberattack and to submit a report.


Yesterday, on March 1, 2021, a preliminary report on the investigation was submitted to Maharashtra's Home Minister, Anil Deshmukh, and Energy Minister, Nitin Raut. Based on its findings, Deshmukh said at a press conference:

"An analysis of the Supervisory Control and Data Acquisition System (SCADA) has shown that there is a possibility that this incident was a cyber sabotage."

Deshmukh also said that the preliminary report from the Cyber Crime Cell has noted three possible ways in which the sabotage was attempted:

  • Malware attack on one of the MSEB servers.
  • Transfer of 8GB unaccounted data from a foreign server to an MSEB server.
  • Attempts by several blacklisted IP addresses to log into an MSEB server.
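The two network-side indicators in the preliminary report, a large unaccounted transfer from a foreign server and login attempts from blacklisted IPs, are the kind of thing a defender checks against flow and authentication logs. The script below is an added example, not code from the report or the article; the log layout, the 10.0.0.0/8 "domestic" range, the blocklist ranges and the sample records are all constructed assumptions.

```python
"""Flag large inbound transfers from non-domestic hosts and login attempts
from blocklisted IPs over constructed sample logs (added example; all
ranges, thresholds and records below are assumptions, not real data)."""
import ipaddress
from typing import Iterable

# Constructed: blocklisted source ranges and the assumed internal/domestic space.
BLOCKLIST = [ipaddress.ip_network(n) for n in ("203.0.113.0/24", "198.51.100.7/32")]
DOMESTIC = [ipaddress.ip_network("10.0.0.0/8")]
TRANSFER_THRESHOLD = 8 * 1024**3  # 8 GB, the figure cited in the report

# Constructed flow records: (src_ip, dst_ip, bytes_transferred).
FLOWS = [
    ("10.1.2.3", "10.1.9.9", 5 * 1024**2),        # ordinary internal traffic
    ("192.0.2.10", "10.1.9.9", 9 * 1024**3),      # 9 GB inbound from a foreign host
    ("10.1.2.3", "192.0.2.10", 200 * 1024**2),    # outbound, below threshold
]
# Constructed auth records: (src_ip, user, result).
AUTH = [
    ("10.1.2.3", "operator", "success"),
    ("203.0.113.45", "admin", "failure"),
    ("203.0.113.45", "admin", "failure"),
    ("198.51.100.7", "root", "failure"),
    ("192.0.2.77", "operator", "failure"),       # foreign but not blocklisted
]

def _in_any(ip: str, nets) -> bool:
    """True if ip falls inside any of the given networks."""
    addr = ipaddress.ip_address(ip)
    return any(addr in n for n in nets)

def large_foreign_transfers(flows: Iterable[tuple], threshold: int = TRANSFER_THRESHOLD) -> list:
    """Flows where a non-domestic source sends >= threshold bytes to a domestic host."""
    return [
        f for f in flows
        if f[2] >= threshold and not _in_any(f[0], DOMESTIC) and _in_any(f[1], DOMESTIC)
    ]

def blocklisted_logins(events: Iterable[tuple]) -> dict:
    """Count login attempts (any result) per blocklisted source IP."""
    counts: dict = {}
    for src, _user, _result in events:
        if _in_any(src, BLOCKLIST):
            counts[src] = counts.get(src, 0) + 1
    return counts

if __name__ == "__main__":
    print("Large foreign transfers:", large_foreign_transfers(FLOWS))
    print("Blocklisted login attempts:", blocklisted_logins(AUTH))
```

Counting attempts regardless of outcome matters: repeated failures from a blocklisted range are the signal, and a single success among them is the finding to escalate.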