The Indian power sector has been targeted by Chinese state-sponsored hackers in a long-term campaign, according to a new report by US-based cybersecurity company Recorded Future.
The Insikt Group, the threat research division of Recorded Future, said it has collected evidence over the last several months that hackers targeted seven Indian state centres responsible for electrical dispatch and grid control near a border area disputed by the two nuclear-armed neighbours.
The Chinese hackers primarily used the trojan ShadowPad, which is believed to have been developed by contractors for China's Ministry of State Security, leading to the conclusion that this was a state-sponsored hacking effort, according to the report.
Recorded Future reported, “ShadowPad continues to be employed by an ever-increasing number of People's Liberation Army and Ministry of State Security-linked groups, with its origins linked to known MSS contractors first using the tool in their own operations and later likely acting as a digital quartermaster.”
China's Foreign Ministry spokesman Zhao Lijian said on Thursday the report had been “noted” by Beijing, but that China “firmly opposes and combats any form of cyberattacks, and will not encourage, support or condone any cyberattacks”.
He said, “I would like to advise the company concerned that if they really care about global cybersecurity, they should pay more attention to the cyberattacks by the U.S. government hackers on China and other countries, and do more to help promote dialogue and cooperation among countries, instead of using the cyberattack issue to stir up trouble and throw mud at China.”
Indian External Affairs Ministry spokesperson Arindam Bagchi said India hasn't discussed the issue with China.
He said, "We have seen reports. There is a mechanism to safeguard our critical infrastructure to keep it resilient. We haven't raised this issue with China."
Indian Minister of Power R K Singh acknowledged the attacks but said the report was not a cause for concern. As quoted by AP, he said, “We are always prepared. We have a very robust security system. We are always alert.”
He was quoted by PTI as saying that China launched "probing cyber attacks" on the Indian power grid in Ladakh three times since December 2021 but did not succeed because safeguards were in place to thwart such intrusions.
He further said, as quoted by PTI, "Our defence against cyber attack is strong. These were probing attacks in December, January and February. They did not succeed. But we are aware.
"We had put protocols in place. Those protocols are working and we are strengthening those protocols every day. So, our cyber defence against cyber attack is strong. We are confident about that."
Insikt Group had already detected and reported a suspected Chinese-sponsored hack of 10 Indian power sector organisations in February 2021 by a group known as RedEcho. The more recent hack “displays targeting and capability consistencies” with RedEcho, but there are also “notable distinctions” between the two, so the current group of hackers has been given the working name Threat Activity Group 38 (TAG-38) in the report while more information is gathered.
Following a short lull after its first report, Recorded Future said the Insikt Group again started tracking hacking attempts on India's power grid organisations. Over the last several months, through late March, it identified likely network intrusions targeting at least seven of India's so-called “State Load Dispatch Centers” — all in proximity to the disputed border in Ladakh, where Chinese and Indian troops clashed in June 2020, leaving 20 Indian soldiers and four Chinese dead.
The report said, “Recorded Future continues to track Chinese state-sponsored activity groups targeting a wide variety of sectors globally — a large majority of this conforms to longstanding cyber espionage efforts, such as targeting of foreign governments, surveillance of dissident and minority groups, and economic espionage.”
“However, the coordinated effort to target Indian power grid assets in recent years is notably distinct from our perspective and, given the continued heightened tension and border disputes between the two countries, we believe is a cause for concern.”
The hackers are thought to have gained access through compromised third-party internet-connected devices, such as IP cameras, according to Recorded Future.
Investigators have not yet determined how those devices were compromised, but Recorded Future suggested they may have been installed with default credentials left unchanged, leaving them vulnerable.
Because the prolonged targeting of India's power grid “offers limited economic espionage or traditional intelligence-gathering opportunities”, Recorded Future said it seems more likely the goal is to enable information gathering around surrounding critical infrastructure systems or to be pre-positioned for future activity.
The company said, “The objective for intrusions may include gaining an increased understanding into these complex systems in order to facilitate capability development for future use or gaining sufficient access across the system in preparation for future contingency operations.”
With PTI and AP inputs