10 power assets, Mumbai, Tamil Nadu ports came under RedEcho cyberattack
According to Christopher Ahlberg, CEO of Recorded Future, the Massachusetts-based enterprise security firm that detected the intrusions, 10 Indian power sector assets, as well as the Mumbai port and Tamil Nadu's V.O. Chidambaranar port, came under attack.

The assets that came under attack were the Delhi state load despatch centre and the DTL Tikri Kalan substation in Delhi; the Mumbai Port Trust and the western regional load despatch centre in Maharashtra; NTPC's Kudgi power plant and the southern regional load despatch centre in Karnataka; the V.O. Chidambaranar port in Tamil Nadu; the Telangana state load despatch centre; the eastern regional load despatch centre in West Bengal; and the northeastern regional load despatch centre in Assam.

"Recorded Future observed through its network intelligence significant, high-volume network traffic from Indian power sector assets to servers used by China-linked group RedEcho… The adversary infrastructure is still active and activity continues (even after Pangong pull-back announcement)," Ahlberg said in a presentation on the group's findings on Thursday.
Charity Wright of Insikt Group, Recorded Future's threat research arm, said the targeted infrastructure covered the length and breadth of India's geography as well as its demography.
On the power ministry's statement that no installation was affected because safeguards were already in place, Wright said it showed the government had responded to the alerts. On power minister R.K. Singh attributing the Mumbai blackout to human error, Ahlberg said there was insufficient data to prove that a cyberattack caused the blackout.
Targeting the Indian energy sector offers limited economic espionage opportunities. Recorded Future instead assessed that “gathering future operational activity, pre-positioning destructive malware, as a warning/show of force during heightened bilateral tensions; and potential information operation to disturb Indian population” were the likely objectives.
Ahlberg said RedEcho “has overlapping modus-operandi with several Chinese groups, including APT41 and Tonto Team,” both known threat groups that carry out cyberattacks at the direction of a nation-state.
The same network-intelligence methodology was used to detect power sector intrusions at ENTSO-E, the association of European electricity transmission system operators.
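The detection approach the article describes, flagging unusual volumes of traffic from utility networks to servers on an adversary-infrastructure watchlist, in a runnable form. This is an added example and not Recorded Future's tooling or code; the watchlist addresses (RFC 5737 documentation ranges) and the NetFlow-style records are constructed for illustration, and the thresholds are arbitrary. It goes slightly beyond the quoted observation by also flagging low-volume connections that persist across days, since a pair that keeps talking to adversary infrastructure is the "activity continues" signal Ahlberg refers to.

```python
"""Watchlist-based flow aggregation: flag internal hosts that send large
or persistent traffic to known adversary infrastructure.

Added example, not Recorded Future's tooling. Indicator addresses and flow
records below are constructed (RFC 5737 documentation ranges)."""
import csv
import io
from collections import defaultdict
from datetime import datetime

# Hypothetical adversary infrastructure watchlist (constructed, not real indicators).
WATCHLIST = {"203.0.113.10", "203.0.113.11", "198.51.100.7"}

# Constructed NetFlow-style export from a utility network: ts,src,dst,dport,bytes
SAMPLE_FLOWS = """\
ts,src,dst,dport,bytes
2021-02-20T01:12:00Z,10.40.1.15,203.0.113.10,443,1843920
2021-02-20T01:42:00Z,10.40.1.15,203.0.113.10,443,1910000
2021-02-21T02:05:00Z,10.40.1.15,203.0.113.10,443,2210345
2021-02-20T09:00:00Z,10.40.1.15,93.184.216.34,443,5120
2021-02-20T11:30:00Z,10.40.2.8,198.51.100.7,8443,4096
2021-02-22T11:31:00Z,10.40.2.8,198.51.100.7,8443,3900
2021-02-20T12:00:00Z,10.40.3.3,203.0.113.11,80,96000000
"""


def parse_flows(text):
    """Parse CSV flow records into dicts with typed fields."""
    rows = []
    for row in csv.DictReader(io.StringIO(text)):
        rows.append({
            "ts": datetime.strptime(row["ts"], "%Y-%m-%dT%H:%M:%SZ"),
            "src": row["src"],
            "dst": row["dst"],
            "dport": int(row["dport"]),
            "bytes": int(row["bytes"]),
        })
    return rows


def aggregate_to_watchlist(flows, watchlist):
    """Sum outbound bytes, count flows and distinct active days per
    (internal src, watchlisted dst) pair; other destinations are ignored."""
    agg = defaultdict(lambda: {"bytes": 0, "flows": 0, "days": set()})
    for f in flows:
        if f["dst"] not in watchlist:
            continue
        key = (f["src"], f["dst"])
        agg[key]["bytes"] += f["bytes"]
        agg[key]["flows"] += 1
        agg[key]["days"].add(f["ts"].date())
    return agg


def flag_suspicious(agg, byte_threshold=1_000_000, min_days=2):
    """Alert on pairs that exceed byte_threshold outbound (bulk traffic)
    or that recur across min_days distinct days (low-and-slow beaconing).
    Thresholds are arbitrary placeholders; tune them to the network."""
    alerts = []
    for (src, dst), s in sorted(agg.items()):
        reasons = []
        if s["bytes"] >= byte_threshold:
            reasons.append("high_volume")
        if len(s["days"]) >= min_days:
            reasons.append("persistent")
        if reasons:
            alerts.append({
                "src": src, "dst": dst, "bytes": s["bytes"],
                "flows": s["flows"], "days": len(s["days"]),
                "reasons": reasons,
            })
    return alerts


def run(text=SAMPLE_FLOWS, watchlist=WATCHLIST):
    """End-to-end: parse, aggregate against the watchlist, and flag."""
    return flag_suspicious(aggregate_to_watchlist(parse_flows(text), watchlist))


if __name__ == "__main__":
    for alert in run():
        print(alert)
```

Against the constructed records the run yields three alerts: 10.40.1.15 is both high-volume and persistent towards 203.0.113.10, 10.40.2.8 is flagged only for persistence (a few kilobytes, but on two separate days), and 10.40.3.3 is flagged only for volume. The benign flow to 93.184.216.34 never appears because it is not on the watchlist; in practice the watchlist would be fed from threat intelligence and the aggregation run over a sliding window rather than a static file.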