Massachusetts based cybersecurity company – Recorded Future which studies use of internet by state actors published a study report stating that Chinese state sponsored cyber hacking groups have been seen methodically using advanced cyber intrusion techniques by a China linked threat activity group RedEcho to gain access into approximately a dozen critical points across the Indian power generation and transmission infrastructure.
As per the recorded future report – starting early 2020, Insikt Group started observing increase in suspected targeted intrusion activities against Indian power grids through malware named RedEcho by Chinese state sponsored cyber hacking groups. This has been observed using combination of automated network traffic analytics tools and expert analysis by recorded future. Data sources included common open-source tools and techniques, Recorded Future Platform, SecurityTrails, Spur, Farsight and others.
Mid-2020 onwards, Recorded Future’s midpoint collection observed an abrupt rise in use of infrastructure known as AXIOMATICASYMPTOTE, comprising of ShadowPad Command and Control (C2) Servers, which was being used to target India’s power grid systems. Interestingly, AXIOMATICASYMPTOTE servers share some of the common Tactics, Techniques, and Procedures (TTPs) with several other previously reported Chinese state sponsored cyber groups, including APT41 and Tonto Team, a group that has typically gone after energy sector and defence targets in East Asia. Tonto Team reportedly has its links with the Chinese People’s Liberation Army.
In the lead-up to the May 2020 border skirmishes, it was observed that an obvious increase in the provisioning of PlugX malware C2 infrastructure, most of which was subsequently used in the intrusion activity targeting Indian infrastructure. PlugX activity included targeting of multiple Indian government infrastructure, public sector and defence organisations networks from May 2020 onwards. While these are not unique to Chinese cyber espionage activities, PlugX has been heavily used by China linked cyber groups in last couple of years. Thereafter, throughout the remaining part of year 2020, Chinese state sponsored threat activity groups heavily focused on targeting of Indian government and private sector infrastructure.
Ten distinct Indian power grid systems, including four out of the five Regional Load Despatch Centres (RLDC), alongside two State Load Despatch Centres (SLDCs). RLDCs and SLDCs are responsible for ensuring the real time integrated operation of India’s power grid through balancing electricity supply and demand to maintain a stable grid frequency. These have been identified as being the likely targets in the concerted campaign against India’s critical infrastructure. Other targets that have been identified include two Indian seaports. Furthermore, report also raises questions about the possible connection between the skirmishes and a power blackout that crippled Mumbai in October 2020. However, assumed link between the outage and discovery of unspecified malware variant still remains unconfirmed. Organisations that are likely to be targeted are:
- Power System Operation Corporation Ltd
- NTPC Ltd
- NTPC Kudgi STPP
- Western Regional Load Despatch Centre
- Southern Regional Load Despatch Centre
- North Eastern Regional Load Despatch Centre
- Eastern Regional Load Despatch Centre
- Telangana State Load Despatch Centre
- Delhi State Load Despatch Centre
- DTL Tikri Kalan (Mundka) of Delhi Transco Ltd
- VO Chidambaranar Port
- Mumbai Port Trust
Among the victims subjected to cyberattacks include power plants run by National Thermal Power Corporation (NTPC) Limited and New Delhi based Power System Operation Corporation Limited. Pin pointing the intrusions onto a new group dubbed “RedEcho,” investigators from the cybersecurity firm’s Insikt Group said that the RedEcho malware deployed by the threat actor shares strong Tactics, techniques and Procedure (TTPs) overlaps with other Chinese groups APT41 (namely Barium, Winnti, or Wicked Panda) and Tonto Team, while ShadowPad is used by at least five distinct Chinese groups.
ShadowPad is a modular backdoor that was first revealed in Netsarang compromise in 2017 and this particular intrusion attack was later blamed on APT41 (BARIUM) by FireEye. Although ShadowPad was initially considered exclusive to APT41, since the end of year 2019, off late, it has been observed that more Chinese organizations have begun to use ShadowPad in network intrusion activities. It is estimated that sharing of ShadowPad is widespread in groups affiliated to the Ministry of National Security (MSS) and also amongst groups affiliated to the People’s Liberation Army (PLA) and is likely that there is a centralized ShadowPad developer responsible for maintaining and updating the tool.
These cyberattacks were described to be originating from Chengdu, which is also the base for network technology firm called Chengdu 404 Network Technology Company that operates as a front face for a decade long cyber hacking spree targeting more than 100 high-tech and online gaming companies.
Interesting, China as always has refuted reports stating that they have instigated cyber-attacks against India’s power grid systems resulting in massive power outages.
Outcome of these type of Cyber Attacks raises few serious questions about the security of the country’s strategic and critical infrastructures, especially in a city like Mumbai, giving indications whether it was a message from China of about what could happen if India is pushed more aggressively. These type of cyber-attacks are aimed to obtain a beachhead in Indian Infrastructures, probably for future attacks.
The Ministry of Power, Government of India in New Delhi on 01 March, 2021 said that there is no impact on Power System Operation Corporation (POSOCO) due to the Cyber threat. No data breach/ data loss had been detected due to these widespread cyber incidents on various power grid networks. Prompt actions had being taken by the CISOs at all these control centres under operation by POSOCO for any incident/advisory received from various agencies like CERT-in, NCIIPC, CERT-Trans etc. Sources also said that the Power Ministry had received an email from the CERT-In on 19 Nov, 2020 on the threat of malware called ShadowPad at some of the control centres of POSOCO. Accordingly, the action was taken to address these cyber threats.
The Power Ministry said that NCIIPC which oversees cyber security operations, had sounded an alert on 12 Feb, 2021 about a Chinese state-sponsored threat actor group known as RedEcho through modular backdoor ShadowPad targeting Regional Load Dispatch Centres (RLDCs) and State Load Dispatch Centres (SLDCs).
As per CERT-in and NCIIPC, all IP addresses and domains listed in NCIIPC mail have been blocked in the firewalls at all control centres. Logs of firewalls are being monitored extensively for any connection attempt towards the listed IP addresses and domains. Additionally, all systems in control centres were also scanned and cleaned by antivirus.
Though it is still unclear on the extent of this damage caused by these cyber-attacks. However, it is a known fact that almost in all the known cyberattacks on SCADA or Operational Technology (OT) networks, network intrusions always start in IT network and not OT network. Since many users assess IT network and assess it more frequently, IT network is more vulnerable than OT network. Additionally, IT network hosts many consumer applications like Internet browsers, email clients, etc. In this way, IT network’s intrusion is easier than OT network, wherein general applications and access are restricted. All SCADA systems connect to the enterprise IT systems to exchange operational data. Hence, once a hacker is able to enter the IT network, he has a good chance to find a way to OT network with persistent efforts.
Thorough Forensic analysis of every cyber breach is a must to find out any remaining traces. Crucial point should be to investigate for any network intrusion into the Operational Technology (OT) network through the IT network. Look for creation of any new and unknown user, privilege change of any existing user must also be analyzed. One should not forget that malwares can also be ported through a pen drive or shared drive to the air-gapped network. The classic example of Stuxnet cyber-attacks demonstrated the same.
Cyber threats issues are too serious to be left laissez-faire to the industry players alone and yet the government alone too cannot solve all these problems. Cyber security needs to be treated at par to resiliency requirements of any power grid business continuity planning. While there is no silver bullet or guarantee of 100% security to cyber-attacks, mandatory regulatory compliance are required that would establish a basic level of security standards across the entire power grid systems value chain. This combined with continuous internal network monitoring to cyber threats and a clearly defined incident response approach, collaborative information and data sharing within the industry and government agencies like CERT-In and CERT- Trans can go a long way in reducing the threats to risk exposure.
A national policy doctrine to address cyber security for national critical infrastructure and a regulatory framework that provides guidance to the industry players across Generation, Transmission and Distribution would be the first step to address the cyber security issues that the Indian Power sector faces.
Col. Inderjeet Singh Brar is an expert in encryption and block chain technology.
©️ The content of this Article is intellectual property of The 4th Estate and can not be used except with prior written consent of the Editor, The 4th Estate.
