
Indian Power Grid Assets Continue to be Targeted by Chinese Hacker Groups

by CISOCONNECT Bureau

Once again, China-linked hacking groups have continued to target critical infrastructure in India. Read on to know more…

One year after a systematic campaign targeting India’s critical infrastructure was exposed, China-linked adversaries have been blamed for an ongoing offensive against Indian power grid organizations.

According to Recorded Future’s Insikt Group, the majority of the attacks included a modular backdoor named ShadowPad, a sophisticated remote access trojan dubbed a “masterpiece of privately sold malware in Chinese espionage.”

The researchers said: “ShadowPad continues to be employed by an ever-increasing number of People’s Liberation Army (PLA) and Ministry of State Security (MSS)-linked groups, with its origins linked to known MSS contractors first using the tool in their own operations and later likely acting as a digital quartermaster.”

Motive
The purpose of the ongoing campaign, according to the cybersecurity firm, is to make gathering intelligence on critical infrastructure systems easier in preparation for future contingency operations. Targeting is believed to have begun in September 2021.

The attacks targeted seven State Load Despatch Centres (SLDCs) located in Northern India, particularly those near the disputed India-China border in Ladakh. One of the targets had already been victimised in a similar attack attributed to the RedEcho group in February 2021.

In the RedEcho attacks of 2021, ten different Indian power sector organisations were hacked, including six Regional and State Load Despatch Centres (RLDCs and SLDCs), two ports, a national power plant, and a substation.

Citing “notable distinctions” from the previously identified RedEcho TTPs, Recorded Future linked the latest set of malicious activities to an emerging threat cluster it is tracking under the moniker Threat Activity Group 38 (TAG-38), a naming scheme similar to the UNC#### and DEV-#### designations used by Mandiant and Microsoft.

Additional Targets
In addition to attacking power grid assets, TAG-38 also targeted a national emergency response system and the Indian subsidiary of a multinational logistics company.

While the initial infection vector used to breach the networks is unclear, the ShadowPad malware on the host systems was controlled through a network of compromised internet-facing DVR/IP camera devices geolocated in Taiwan and South Korea.

“The use of ShadowPad across Chinese activity groups continues to grow over time, with new clusters of activity regularly identified using the backdoor as well as continued adoption by previously tracked clusters,” the researchers said, adding that the firm is tracking at least ten different groups that have access to the malware.

Following the revelation, India’s Union Power Minister, R. K. Singh, described the intrusions as failed “probing attempts” at hacking that occurred in January and February, and said the government is continually reviewing its cybersecurity processes to strengthen defences.

China, for its part, reiterated that it “firmly opposes and combats all forms of cyber attacks” and that “cybersecurity is a common challenge facing all countries that should be jointly addressed through dialogue and cooperation.”

China’s Foreign Ministry spokesperson, Zhao Lijian, said: “Recently, Chinese cybersecurity companies released a series of reports, revealing that the U.S. government launched cyber attacks on many countries around the world, including China, seriously jeopardizing the security of critical infrastructure of these countries.

“It is worth noting that many of U.S. allies or countries with which it cooperates on cyber security are also victims of U.S. cyber attacks. We believe that the international community, especially China’s neighboring countries, will keep their eyes wide open and make their own judgment on the true intentions of the U.S. side.”
