China’s RedEcho accused of  targeting India's power grids

China’s RedEcho accused of targeting India’s power grids

RedEcho, an advanced persistent threat (APT) group from China, has attempted to infiltrate the systems behind India’s power grids, according to a threat analysis report from Recorded Future [PDF].

It appears that what triggered this attempt to gain a foothold in India’s critical power generation and transmission infrastructure, was a tense standoff at Pangong Tso lake in May 2020. However, the report by Recorded Future, a cybersecurity company specializing in threat intelligence, claims that RedEcho were on the prowl way before this time.

Incidents at the border

China and India have been locked in a territorial dispute for decades, over an ill-defined, disputed border between Ladakh and Aksai Chin. This de-facto boundary called the Line of Actual Control (LAC) sits in the Himalayan region. Because of snowcaps, rivers, and lakes along the frontier, the LAC can shift, and soldiers from both sides often find themselves face to face with each other, increasing the risk of a confrontation.

The most recent conflict at the border transpired in June 2020, barely a full month after the May skirmish. This time, Chinese and Indian soldiers clashed in Galwan, with China accusing India of crossing onto the Chinese side. A total of 63 casualties—20 troops from India and 43 from China—were reported. Both countries insisted that no bullets were exchanged. Instead, they engaged using, literally, sticks and stones (“rocks and clubs”, according to the BBC).

Incidents in cyberspace

Although Recorded Future had observed a lot of intrusion activity towards Indian organizations in the digital space before the clash, it gained momentum after the Indian and Chinese troops faced off in May.

“In the lead-up to the May 2020 skirmishes, we observed a noticeable increase in the provisioning of PlugX malware C2 infrastructure, much of which was subsequently used in intrusion activity targeting Indian organizations,” the report said. “The PlugX activity included the targeting of multiple Indian government, public sector, and defense organizations from at least May 2020.”

RedEcho is the latest APT group to target India via its energy sector using ShadowPad, a modular backdoor that has been in use since 2017. The company also noted in its report that ShadowPad is shared among other state-backed threat actor groups who are affiliated with both the Chinese Ministry of State Security (MSS) and the People’s Liberation Army (PLA). Some of these groups include APT41 (aka Barium, among others), Icefog, KeyBoy (aka Pirate Panda), Tick, and Tonto Team.

RedEcho allegedly penetrated a total of 12 organizations, including four of India’s five Regional Load Despatch Centres (RLDCs) and two State Load Despatch Centres (SLDCs). These organizations are responsible for ensuring the optimum scheduling and dispatching of electricity based on supply and demand across regions in India. According to Recorded Future, “The targeting of Indian critical infrastructure offers limited economic espionage opportunities; however, we assess they pose significant concerns over potential pre-positioning of network access to support Chinese strategic objectives.”

This isn’t the first time India’s critical infrastructure has been in the crosshairs. In November 2020, APT41 had set their sights on India’s oil and gas sectors. Media reports suggested that the October 2020 power outage in Mumbai and neighboring areas, which crippled train transportation, closed the stock exchange, and hampered those working from home amidst the pandemic, was sabotage. Some called the outage a “warning shot” from China.

“Profoundly disturbed”

Subrahmanyam Jaishankar, India’s foreign minister, described the relationship between India and China as “profoundly disturbed”. RedEcho is just one threat actor group that has entered the scene, but we can expect that they won’t be the last. And things might only get worse because of rising geopolitical tensions, not just between China and India but also between other countries that are currently in dispute.

Remember the December 2016 power grid attack against Ukraine by Russian hackers?

And to accentuate the likely reality that more attacks against critical infrastructures will happen in the future, Dragos Inc, a cybersecurity firm specializing in industrial cybersecurity, released its “2020 Year in Review” report in late February 2021 determining that threats against industrial control systems (ICSs) and operational technology (OT) have increased threefold.

It’s worth mentioning that not all attacks on critical infrastructure are backed by nation states though. And while this is true, the outcome is still the endangerment of lives. Take, for example, the attempted poisoning of a Florida city’s drinking water last month, which was likely an act of vandalism, but could have had the impact of a terrorist attack.