The Union government has confirmed reports that Chinese hackers continue to target Indian power plants, especially those close to the Line of Actual Control (LAC), even as a report by a U.S.-based cyber security firm claimed that Chinese State-sponsored actors have targeted seven power grid assets, the national emergency response system and an Indian subsidiary of a multinational logistics company since September 2021.
At least two attempts by Chinese hackers were made on electricity distribution centres near Ladakh but were not successful, Minister for Power R.K. Singh told reporters on Thursday. “We’ve already strengthened our defence system to counter such cyberattacks,” he said, without saying whether the hackers identified had any links to the Chinese government.
MEA says no information at present
When asked whether the attacks that had been detected had been raised with China, Ministry of External Affairs (MEA) spokesperson Arindam Bagchi remarked that the MEA had no information at present, but expressed confidence that India’s “critical infrastructure has adequate safeguard mechanisms.”
Security firm Recorded Future said in a report released on April 6 that in recent months it had observed “likely network intrusions targeting at least 7 Indian State Load Despatch Centres (SLDCs) responsible for carrying out real-time operations for grid control and electricity dispatch within these respective States.”
It noted that the targeting had been geographically concentrated, with the identified SLDCs located in North India, in proximity to the India-China border in Ladakh. India and China have been engaged in a stand-off at multiple points along the undemarcated LAC in eastern Ladakh since April 2020.
The firm said it was temporarily clustering the activity of the group under the name Threat Activity Group-38 (TAG-38). “Since at least September 2021, we have observed TAG-38 intrusions targeting the identified victim organizations. The group has employed probable compromised infrastructure for command and control of ShadowPad implants used to target the identified networks, as well as using the open-source tool Fast Reverse Proxy (FRP).”
TAG-38 likely compromised and co-opted Internet-facing DVR/IP camera devices for command and control (C2) of ShadowPad malware and FRP.
Limited economic espionage
The report stressed that prolonged targeting of Indian power grid assets by Chinese State-linked groups offered limited economic espionage or traditional intelligence-gathering opportunities. “We believe this targeting is instead likely intended to enable information gathering surrounding critical infrastructure systems or is pre-positioning for future activity. The objective for intrusions may include gaining an increased understanding into these complex systems in order to facilitate capability development for future use or gaining sufficient access across the system in preparation for future contingency operations,” it explained.
This is not the first time Recorded Future has flagged such cyber intrusions. In March 2021, the Massachusetts-based firm reported that in the lead-up to the Galwan clashes on June 15, 2020, in which 20 Indian soldiers were killed, it had noticed an increase in malware targeting the government, defence organisations and the public sector. It said that the intrusions by Red Echo, a Chinese State-sponsored group, started in May 2020 and continued throughout the year. The Power Ministry had then confirmed that while attempts to breach systems were made, the power sector had not been impacted. On March 3, 2021, Maharashtra’s Power Minister Nitin Raut announced that a State Cyber Cell probe had found “14 Trojan horses in the servers” of the Maharashtra State Electricity Transmission Company that had the potential to disrupt power distribution.
Oppose hacking: China
Reacting to the recent report by Recorded Future, China’s Foreign Ministry spokesperson Zhao Lijian said, “We have noted the relevant reports. As I repeated many times, we firmly oppose and crack down on all forms of hacking activities. We will never encourage, support or condone such activities.”
He stated that cyberspace was virtual in nature and had many players, and that attributing relevant cases required sufficient evidence. “A lot of prudence is required in doing so. As is known to all, the U.S. is the empire of hacking. It has launched the most hacking activities in the world. I try to remind the relevant institution you mentioned, if it really cares about cybersecurity, it should pay more attention to the attacks launched by the U.S. against Chinese companies and institutions. They should do more that is conducive to facilitating dialogue and cooperation among countries instead of slinging mud at China.”