China may have targeted power facilities across India last year in the middle of hostilities at the border, a new study says. A massive power outage in Mumbai in October, which stopped trains and shut down hospitals and the stock exchange for hours, may have been linked to these activities by a group of Chinese hackers, says the report that has been shared with the government.
The study shows that alongside the Ladakh tensions, which escalated in June with the clash at Galwan Valley in which 20 Indian soldiers died for the country, Chinese malware was flowing into systems that manage power supply across India.
In a statement, the Power Ministry confirmed it was aware of a major Chinese state operation to use malware to penetrate India’s power network. Prompt action had been taken and there was “no impact” on any of the facilities due to the “referred threat”, the ministry said. “No data breach/ data loss has been detected due to these incidents,” it said, but did not mention the Mumbai outage.
China-linked threat activity group RedEcho may have planted malware in key power plants in India, said the study, first reported by The New York Times. The links to the Mumbai power cut “provides additional evidence suggesting the coordinated targeting of Indian Load Despatch Centres,” said the study, which indicated that some of the country’s most sensitive national infrastructure is vulnerable to systematic attacks from Chinese hackers using state-of-the-art malware to break into systems.
The flow of malware was detected by Recorded Future, a US-based company that analyses online digital threats. It found that most of the malware was never activated. And because Recorded Future could not get inside India’s power systems, it could not examine the details of the code itself, which was placed in strategic power-distribution systems across the country.
Since early 2020, Recorded Future’s Insikt Group observed a large increase in suspected targeted intrusion activity against Indian organisations from Chinese state-sponsored groups, said the report.
“From mid-2020, Recorded Future’s midpoint collection revealed a steep rise in the use of infrastructure tracked as AXIOMATICASYMPTOTE, which encompasses ShadowPad command and control servers, to target a large swathe of India’s power sector. 10 distinct Indian power sector organisations, including four of the five regional load dispatch centres responsible for the operation of the power grid through balancing electricity supply and demand, have been identified as targets in a concerted campaign against India’s critical infrastructure. Other targets identified include two Indian seaports,” the report said.
There was a “clear and consistent pattern of Indian organizations being targeted in this campaign through the behavioural profiling of network traffic to adversary infrastructure”, said Recorded Future.
A total of 21 IP addresses linked to 12 Indian organizations in the power generation and transmission sector, classified as critical, were targeted.
The report said media reports had previously linked the October 12 power outage in Mumbai to malware at a Padgha-based State Load Despatch Centre. “At this time, the alleged link between the outage and the discovery of the unspecified malware variant remains unsubstantiated. However, this disclosure provides additional evidence suggesting the coordinated targeting of Indian Load Despatch Centres,” said the report.
It took two hours for the power supply to resume, and Maharashtra Chief Minister Uddhav Thackeray ordered an enquiry into the reported grid failure.