2021-04-02

Almost a month after Recorded Future reported attacks on the Indian power infrastructure by Chinese hackers, a top official of the cybersecurity major told Moneycontrol that China-linked hacker groups will continue to target Indian organisations. Other than RedEcho that hit the power sector, groups like APT41/Barium had targeted Indian oil and gas assets, too.

In an exclusive interview with Moneycontrol, Jonathan Condra, Head of Nation State Research, Recorded Future, said the hacker groups’ intent would be to support potential disruptive cyber operations against critical infrastructure, especially if hostilities escalate between the militaries of India and China. The groups will also try to sway Indian public opinion during a diplomatic confrontation, he said.

Condra said that RedEcho was active during March as well.

Temporary lull

“Following the publication of our report, we have seen much of the activity linked to RedEcho infrastructure and victim organisations cease, likely due to a combination of defensive actions and evasive measures taken by the group. Despite this, we believe RedEcho and other China-linked groups will continue to target Indian organisations,” he said.

“Assessing attacker intent is always challenging. However, the targeting of India’s regional and state load despatch centres, a power substation, and a coal-fired thermal power plant likely offers the attackers little in the way of economic espionage opportunities, but poses significant concerns of potential prepositioning of network access to support Chinese strategic objectives,” Condra said.

Assets targeted

The report had highlighted that other than 10 power sector assets, including state-run NTPC and Power System Operation Corporation Ltd (POSOCO), two ports, oil and gas assets and the Indian Railways were exposed to cyber attacks by RedEcho.

“We have not identified specific RedEcho victims within the railway sector to confirm the group’s targeting of this industry. However, many domains used by RedEcho are Indian Railways-themed, indicating a likely interest in targeting this sector,” he said.

He said that targeting of the oil and gas industry highlighted in the report was assessed to be linked to another Chinese state-sponsored group, known as APT41/Barium. “While we found some overlap between this group and the RedEcho campaign, we consider these to be two different China-linked groups,” Condra added.

Other than NTPC and POSOCO, the power sector assets that were under attack included the NTPC Kudgi super thermal power plant, load despatch centres in the western, southern, north-eastern and eastern regions, Telangana State Load Despatch Centre, Delhi State Load Despatch Centre, the Delhi Transco Ltd substation at Mundka, V O Chidambaranar port in Tamil Nadu and Mumbai Port Trust.

Mumbai power outage

A report submitted to the Maharashtra government by the state cyber department last month indicated that a malware attack was behind the massive grid failure that hit Mumbai and surrounding areas on October 12 last year.

When asked about this, Condra said: “At this time, Recorded Future has not seen technical evidence indicating that the Mumbai power outage occurred as a result of a cyber attack. The Maharashtra State Load Despatch Centre was not one of the victims specifically identified in relation to the RedEcho campaign.”

Recorded Future further emphasised the involvement of China in the targeting of Indian organisations. “We believe RedEcho to be a China-linked group due to a confluence of both non-technical and technical factors. From a technical perspective, the activity features strong technical overlaps with known Chinese state-sponsored groups, including the use of AXIOMATICASYMPTOTE infrastructure and ShadowPad malware, which we believe is unique to Chinese state-sponsored groups.

“Additionally, the targeting of these organisations offers limited economic espionage opportunities and their targeting most likely supports China’s national-level policy objectives,” he said. In addition, the targeting took place during a period of heightened diplomatic tensions and occasional violence along the India-China border.