A suspected Chinese state-sponsored activity group has been targeting India’s power sector as part of an cyber-espionage campaign, according to a report by threat intelligence firm Recorded Future Inc.
Recorded Future’s Insikt Group has detected “ongoing targeting of Indian power grid organisations by China-linked adversaries”.
In recent months, it has observed network intrusions targeting at least seven Indian State Load Despatch Centres (SLDCs) responsible for carrying out real-time operations for grid control and electricity dispatch.
Apart from the targeting of power grid assets, it has also identified the compromise of a national emergency response system and the Indian subsidiary of a multinational logistics company by the same threat activity group, it said.
Threat Activity Group 38
The activity has been attributed to a temporary group, Threat Activity Group 38 (TAG-38). The group has been targeting these organisations by leveraging a malicious software called ShadowPad.
“ShadowPad continues to be employed by an ever-increasing number of People’s Liberation Army (PLA) and Ministry of State Security (MSS)-linked groups, with its origins linked to known MSS contractors first using the tool in their own operations and later likely acting as a digital quartermaster,” the report said.
According to the report, the targeting has been geographically concentrated, with the identified SLDCs located in North India, in proximity to the disputed India-China border in Ladakh.
One of these SLDCs was also targeted a previous campaign that Record Future had attributed to a group named RedEcho.
In February 2021, it had reported on intrusion activity targeting operational assets within India’s power grid that it had attributed to a likely Chinese state-sponsored threat activity group that it tracks as RedEcho. It had highlighted the compromise of 10 distinct Indian power sector organisations, including four of the five of the country’s Regional Load Despatch Centres (RLDC), two ports, a large generation operator, and other operational assets.
“This latest set of intrusions, however, is composed of an almost entirely different set of victim organisations,” it said.
“Given the continued targeting of State and Regional Load Despatch Centres in India over the past 18 months, first from RedEcho and now in this latest TAG-38 activity, this targeting is likely a long-term strategic priority for select Chinese state-sponsored threat actors active within India,” the report said.
“The prolonged targeting of Indian power grid assets by Chinese state-linked groups offers limited economic espionage or traditional intelligence-gathering opportunities. We believe this targeting is instead likely intended to enable information gathering surrounding critical infrastructure systems or is pre-positioning for future activity,” it said.
“The objective for intrusions may include gaining an increased understanding into these complex systems in order to facilitate capability development for future use or gaining sufficient access across the system in preparation for future contingency operations,” it further added.
Published on
April 07, 2022