Suspected Chinese hackers targeted India’s power grids near Ladakh, says report
US-based cyber security firm Recorded Future said a national emergency response system and a subsidiary of a multinational logistics company were also targeted.
Suspected state-sponsored Chinese hackers have targeted the power sector in India near Ladakh as part of a likely cyber-espionage campaign, said a report published by United States-based cyber security firm Recorded Future on Wednesday.
In its report, the firm said it found that at least seven load dispatch centres situated near the disputed India-China border were targeted. The load dispatch centres are “responsible for carrying out real-time operations for grid control and electricity dispatch”, it said.
The hackers also targeted an Indian national emergency response system and a subsidiary of a multinational logistics company, the report said.
The statement came amid tension between India and China following a border standoff eastern Ladakh’s Galwan Valley in June 2020. Twenty Indian soldiers were killed in a clash between the troops. China had put the number of casualties on its side at four.
After several rounds of talks, India and China had disengaged from Pangong Tso Lake in February and Gogra in August in eastern Ladakh.
In February last year too, Recorded Future had reported that China-linked group called RedEcho was targeting India’s power sector. The firm had first notified India about this breach on February 10, identifying 10 Indian power sector organisations and two ports as being targeted by RedEcho.
In its report on Wednesday, the firm said that they have not been able to gather technical evidence to attribute the latest activities to RedEcho. The report dubbed the new group as Threat Activity Group 38, or TAG-38.
It said that the targeting of load dispatch centres was likely a “long-term strategic priority” for Chinese state-sponsored threat actors that are active within India.
“The prolonged targeting of Indian power grid assets by Chinese state-linked groups offers limited economic espionage or traditional intelligence-gathering opportunities,” it said. “We believe this targeting is instead likely intended to enable information gathering surrounding critical infrastructure systems or is pre-positioning for future activity.”
The report said that the objective of these activities may be meant to understand the complex power sector’s system or to gain access to it for “future contingency operations”.
The group used a malware called ShadowPad, which was previously associated with China’s People’s Liberation Army and the Ministry of State Security, the report said.
It said that such activities that are meant to understand the inner working system of a unit include targeting the industrial control system. The firm, however, said that it has not found any evidence that the industrial control system of the power grids have been compromised.
An industrial control system is a collective term used to describe different types of control systems and measure equipment used to operate or automate industrial processes.
Given the targeting of the load dispatch centres first by RedEcho and now the TAG-38, the firm said it believes “this targeting is a strategic priority for these actors and is likely to continue”.