Chinese Hacker Group Targeting Indian Power Grid Assets

In February 2021, Recorded Future’s Insikt Group observed and reported intrusion activity targeting operational assets belonging to India’s power grid. The activity was attributed to a Chinese state-sponsored hacker group called “RedEcho”.

These hackers use the modular backdoor called “Shadowpad”. Shadowpad is associated with groups linked to the MSS (Ministry of State Security). In the initial stages, the MSS used Shadowpad for its own operations, and later it was used as a digital quartermaster.

These hacker groups targeted nearly 7 Indian State Load Despatch Centres (SLDCs). SLDCs are used for real-time grid control operations and the dispatch of electricity within their respective states.

One of these SLDCs was located in North India, close to the India-China border. Another had previously been targeted by RedEcho. However, the victims of the intrusions tend to differ from one activity to the next.

Along with this, the threat actors also compromised national emergency response systems and subsidiaries of a multinational logistics company.

The Shadowpad command-and-control infrastructure was built on compromised internet-facing DVR/IP camera devices. The group also used an open-source tool called Fast Reverse Proxy (FRP). This group has been named “TAG-38” (Threat Activity Group 38).

Key Points

The specific and continued targeting of SLDCs indicates that the state-sponsored hacking group is trying to maintain its access within India.

There is also a possibility that these attacks were conducted to gather information about critical infrastructure and its surroundings.

The gathered information can be used for future activities. The intrusions are likely aimed at understanding these complex systems, which could increase the group’s ability to gain sufficient access in the near future.


Background


Chinese cyber espionage activity against India continues to increase. Earlier reports covered RedDelta, RedEcho, RedFoxtrot, TAG-28, and additional client-facing research. The full detailed analysis of this activity is published by Recorded Future.
