Chinese hacking groups continue to target Indian power grid assets

China-linked adversaries have been attributed with an ongoing campaign against Indian power grid organizations, a year after a concerted campaign targeting critical infrastructure in the country came to light.

Most of the attacks, according to Recorded Future’s Insikt Group, involved a modular backdoor called ShadowPad, a sophisticated remote-access Trojan that has been described as a “masterpiece of privately-sold malware in Chinese espionage.”

“ShadowPad continues to be used by an ever-growing number of groups associated with the People’s Liberation Army (PLA) and the Ministry of State Security (MSS), with its origins being linked to well-known MSS contractors who first used the tool in their own operations and later probably acted as a digital quartermaster,” the researchers said.


The goal of the ongoing campaign, the cybersecurity firm said, is to gather information about critical infrastructure systems in preparation for future contingency operations. Targeting is believed to have started in September 2021.

The attacks targeted seven State Load Dispatch Centers (SLDCs) located primarily in northern India, particularly near the disputed India-China border in Ladakh. One of these targets was also compromised in a similar campaign disclosed in February 2021 and attributed to the RedEcho group.

The 2021 RedEcho attacks involved compromising 10 different Indian energy sector organizations, including six of the country’s regional and state load dispatch centers (RLDCs and SLDCs), two ports, a national power plant and a substation.

Recorded Future linked the latest malicious activity to a new threat cluster it tracks as Threat Activity Group 38, or TAG-38 (a provisional designation comparable to Mandiant’s UNC#### and Microsoft’s DEV-#### naming), citing “notable differences” from the previously identified RedEcho TTPs.

In addition to targeting power grid assets, TAG-38 also compromised a national emergency response system and the Indian subsidiary of a multinational logistics company.

Although the initial infection vector used to penetrate the networks is unknown, the ShadowPad implants on the compromised hosts were controlled through a network of compromised, internet-connected DVR/IP camera devices located in Taiwan and South Korea, which served as command-and-control infrastructure.

“ShadowPad usage in Chinese activity groups continues to grow over time, with new activity clusters regularly being identified via the backdoor and takeover by previously tracked clusters continuing,” the researchers said, adding that at least 10 different groups with access to the malware are being tracked.


Following the disclosure, India’s Union Power Minister RK Singh described the intrusions as unsuccessful “probing” attempts at hacking that took place in January and February, adding that the government is constantly reviewing its cybersecurity mechanisms to strengthen its defenses.

For its part, China reiterated that it “firmly opposes and counters all forms of cyber-attacks” and that “cybersecurity is a common challenge for all countries that should be addressed together through dialogue and cooperation.”

“Recently, Chinese cybersecurity companies have released a series of reports showing that the US government has launched cyberattacks on many countries around the world, including China, seriously endangering the security of critical infrastructure in those countries,” Chinese Ministry of Foreign Affairs spokesman Zhao Lijian said.

“It is worth noting that many of the US allies or countries with which it cooperates on cybersecurity are also victims of US cyber attacks. We believe that the international community, especially China’s neighboring countries, will keep their eyes peeled and make their own judgment as to the real intentions of the US side.”
