Chinese Cyber Exploitation in India’s Power Grid

2. Introduction

On Feb. 28, 2021 The New York Times (NYT), based on analysis by the U.S.-based private intelligence firm Recorded Future, reported that a Chinese entity penetrated India’s power grid at multiple load dispatch points. Chinese malware intruded into the control systems that manage electric supply across India, along with a high-voltage transmission substation and a coal-fired power plant.

The alleged activity against critical Indian infrastructure installations was as much meant to act as a deterrent against any Indian military thrust along the Line of Actual Control as it was to support future operations to cripple India’s power generation and distribution systems in the event of war. Most of the malware was never activated.

The cyber security company had sent its findings to the Indian Computer Emergency Response Team (CERT-In) within the Ministry of Electronics and Information Technology of the Government of India.

Recorded Future’s chief operating officer said that the Chinese state-sponsored group, which the firm named Red Echo, “has been seen to systematically utilize advanced cyber intrusion techniques to quietly gain a foothold in nearly a dozen critical nodes across the Indian power generation and transmission infrastructure.”
3. ShadowPad

According to cyber security firm FireEye, the targeting makes use of a modular backdoor called ShadowPad that was originally connected to state-sponsored groups like APT41 or Barium. Over the last couple of years, at least five Chinese threat activity groups have used ShadowPad.
4. What exactly is ShadowPad?

ShadowPad extracts information about the host, executes commands, interacts with the file system and registry, and deploys new modules to extend functionality. CTU researchers discovered that ShadowPad payloads are deployed to a host either encrypted within a DLL loader or within a separate file alongside a DLL loader. These DLL loaders decrypt and execute ShadowPad in memory after being sideloaded by a legitimate executable vulnerable to DLL search order hijacking.
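The sideloading step above depends on the Windows DLL search order. As an added illustration (not code from the page, FireEye or CTU), the following Python models that search order over a constructed in-memory file layout and a constructed subset of the KnownDLLs list, and reports which imports of a hypothetical signed tool would be satisfied from its own directory while shadowing a System32 DLL, the pattern a defender would hunt for on a host:

```python
"""Assess DLL search-order hijacking exposure for a legitimate executable.

Added example, not from the original page: models the default Windows search
order (SafeDllSearchMode enabled) over a constructed in-memory file layout and
reports which imports a loader could satisfy from the application directory,
i.e. the sideloading pattern the ShadowPad loaders described above rely on.
"""
from typing import Dict, List, Set

# Default search order with SafeDllSearchMode enabled (the Windows default).
SEARCH_ORDER = ["app_dir", "system32", "system", "windows", "cwd", "path"]
# Constructed subset of the KnownDLLs list; these are always mapped from
# System32 regardless of search order, so they cannot be sideloaded this way.
KNOWN_DLLS = {"kernel32.dll", "user32.dll", "advapi32.dll", "ntdll.dll"}


def resolve(dll: str, layout: Dict[str, Set[str]]) -> str:
    """Return the search-order location from which `dll` would be loaded."""
    name = dll.lower()
    if name in KNOWN_DLLS:
        return "system32"
    for location in SEARCH_ORDER:
        if name in layout.get(location, set()):
            return location
    return "not_found"


def sideload_candidates(imports: List[str], layout: Dict[str, Set[str]]) -> List[str]:
    """Imports that resolve to the app dir while a same-named DLL exists in System32.

    A DLL that only ever lived in the app dir is ordinary; one shadowing a
    system DLL is the copy worth checking on a host (hash, signature, timestamp).
    """
    flagged = []
    for dll in imports:
        name = dll.lower()
        if resolve(dll, layout) == "app_dir" and name in layout.get("system32", set()):
            flagged.append(name)
    return flagged


# Constructed layout for a hypothetical signed tool "vendor_tool.exe".
SAMPLE_LAYOUT = {
    "app_dir": {"vendor_tool.exe", "version.dll", "vendorcore.dll"},
    "system32": {"kernel32.dll", "user32.dll", "version.dll", "wininet.dll"},
}
SAMPLE_IMPORTS = ["KERNEL32.dll", "VERSION.dll", "vendorcore.dll", "wininet.dll"]

if __name__ == "__main__":
    print(sideload_candidates(SAMPLE_IMPORTS, SAMPLE_LAYOUT))  # ['version.dll']
```

On a real host the same check is run against the actual application directory and System32 listing; a flagged DLL whose hash or signer differs from the System32 copy is the loader to pull for analysis.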
6. GhostNet

China has been conducting cyber operations against India for a long time. One of the earlier examples was the GhostNet episode. Between June 2008 and March 2009, the Information Warfare Monitor conducted an investigation focused on allegations of Chinese cyber espionage against the Tibetan community. GhostNet penetrated computer systems containing sensitive and secret information at the private offices of the Dalai Lama and other Tibetan targets.
7. FriarFox

Chinese state-sponsored hackers have been consistently targeting Tibetan organizations across the world. In a recent incident, Chinese hackers used a malicious Firefox add-on that was configured to steal Gmail and Firefox browser data and then download malware on infected systems. Cybersecurity firm Proofpoint discovered the attacks in February 2021. The activity has been linked to a group the company tracks under the codename TA413.

Proofpoint said the attackers targeted Tibetan organizations with spear-phishing emails that lured members to websites where they would be prompted to install a Flash update to view the site's content. These websites contained code that profiled visitors: only Firefox users with an active Gmail session were prompted to install the malicious add-on. In this particular campaign, which Proofpoint codenamed FriarFox, attacks began in January 2021 and continued throughout February.
8. Official Indian Response to the Incident

Sources said that the ministry received an email from the Indian Computer Emergency Response Team (CERT-In) on November 19, 2020 on the threat of malware called Shadow Pad at some control centers of POSOCO. Accordingly, action was taken to address these threats.

The power ministry said that the National Critical Information Infrastructure Protection Centre (NCIIPC), which oversees cyber security operations, had sounded an alert on February 12 about a Chinese state-sponsored threat actor group known as Red Echo targeting regional load dispatch centers (RLDCs) and state load dispatch centers (SLDCs).

The statement said, “NCIIPC informed through a mail dated 12th February 2021 about the threat by Red Echo through a malware called Shadow Pad.”

After the ministry came to know about the threats, all IPs and domains listed in the NCIIPC mail were blocked in the firewall at all control centers.

Sources in the ministry said, “The firewall log is being monitored for any connection attempt towards the listed IPs and domains. Additionally, all systems in control centers were scanned and cleaned by antivirus.”
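The response described above has two parts: block the advisory's indicators, then watch the firewall log for any connection attempt towards them. As an added example (not code from the page, the ministry or NCIIPC), the following Python runs that second step over constructed key=value firewall log lines and a constructed blocklist using reserved documentation addresses and a `.invalid` domain; it matches single IPs, CIDR ranges and domains including their subdomains, while not matching look-alike domains:

```python
"""Match firewall log lines against an advisory's IP/domain blocklist.

Added example, not from the original page: mirrors the "block the listed IPs
and domains, then watch the firewall log for connection attempts towards them"
step. Indicators, log format and hosts are constructed placeholders, not IoCs.
"""
import ipaddress
import re

# Constructed blocklist: single IPs, CIDR ranges and domains, as an advisory lists them.
BLOCKLIST = ["203.0.113.10", "198.51.100.0/24", "example-c2.invalid"]
# Constructed key=value log lines; many firewalls log in this shape.
SAMPLE_LOG = """\
ts=2021-02-13T10:01:02Z src=10.1.1.5 dst=203.0.113.10 dport=443 action=deny
ts=2021-02-13T10:01:09Z src=10.1.1.7 dst=8.8.8.8 dport=53 action=allow
ts=2021-02-13T10:02:30Z src=10.1.2.9 dst=198.51.100.77 dport=80 action=deny
ts=2021-02-13T10:03:00Z src=10.1.1.5 dst=10.9.9.9 fqdn=update.example-c2.invalid dport=443 action=deny
ts=2021-02-13T10:03:05Z src=10.1.1.8 dst=10.9.9.9 fqdn=notexample-c2.invalid dport=443 action=allow
"""
KV = re.compile(r"(\w+)=(\S+)")

def load_blocklist(entries):
    """Split entries into parsed IP networks and lower-cased domains."""
    nets, domains = [], set()
    for e in entries:
        try:
            nets.append(ipaddress.ip_network(e, strict=False))
        except ValueError:
            domains.add(e.lower().rstrip("."))
    return nets, domains

def domain_listed(fqdn, domains):
    """Exact match or subdomain; 'notexample-c2.invalid' must not match."""
    f = fqdn.lower().rstrip(".")
    return any(f == d or f.endswith("." + d) for d in domains)

def find_hits(log, entries):
    """Return the parsed records whose destination IP or FQDN is listed."""
    nets, domains = load_blocklist(entries)
    hits = []
    for line in log.splitlines():
        rec = dict(KV.findall(line))
        try:
            dst = ipaddress.ip_address(rec.get("dst", ""))
            ip_hit = any(dst in n for n in nets)
        except ValueError:  # missing or malformed dst field
            ip_hit = False
        if ip_hit or domain_listed(rec.get("fqdn", ""), domains):
            hits.append(rec)
    return hits
```

A hit on an `action=deny` line confirms the block is working and still records which internal source attempted the connection, which is the host to examine next.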
9. Steep rise in the attacks against many companies in India’s power sector

“10 distinct Indian power sector organizations, including 4 of the 5 Regional Load Dispatch Centers (RLDC)... have been identified as targets in a concerted campaign against India's critical infrastructure,” said the report. Chidambaranar and Mumbai ports were also identified as targets.
11. Attacks by Russia

As countries and businesses rely on electricity, power grids can be a prime target for signaling an adversary's intent. Russia used this tactic against Ukraine several times by triggering blackouts across the country. The Russian attacks took place amid an ongoing conflict between Russia and Ukraine centred primarily around control of Crimea.
12. PROBLEM VS. SOLUTION

Problem

No cyber defense can be foolproof. Attacks will come, defenses will be breached. If the Chinese hackers can breach the Pentagon, it can happen in India also.

Solution

Points to be considered: when do we realize that a breach has happened, does it have the capacity to damage the system, what is the resilience of the system, how much time does it take to plug the gap, etc.
13. Conclusion

No cyber defense can be foolproof. Attacks will come, defenses will be breached. If the Chinese hackers can breach the Pentagon, it can happen in India also. Points to be considered are: when do we realize that a breach has happened, does it have the capacity to damage the system, what is the resilience of the system, how much time does it take to plug the gap, etc.