Chinese malware may have targeted Indian power systems and seaports: U.S. firm

Cyber security report links malware attack to October 12 grid failure in Mumbai

March 01, 2021 01:54 pm | Updated March 02, 2021 07:44 am IST - Washington

People walk on railway track as trains were suspended after a major power failure in Mumbai on October 12, 2020.


Chinese state-sponsored actors may have deployed malware into Indian power grids and seaports as border tensions between India and China began escalating in May last year, culminating in a deadly clash along the Line of Actual Control (LAC) in mid-June. The alleged cyber intrusion was discovered and revealed by U.S. cyber security and intelligence firm Recorded Future, according to the New York Times, which broke the story. An October 12 grid failure in Mumbai may have been caused by the Chinese malware, as per the report.


The Massachusetts-based firm found that, in the lead-up to the clashes, there was an increase in malware targeting the government, defence organisations and the public sector. The Power Ministry confirmed that while attempts to breach systems were made, the power sector had not been impacted.

Recorded Future told The Hindu that there is still some evidence of ongoing intrusion although a significant amount of it has subsided recently.

“There is evidence that some of the intrusions remain ongoing; however, a significant proportion of the activity appeared to cease in early to mid-February following notification,” a spokesperson for Recorded Future, Caitlin Mattingly, told The Hindu via email on Monday.

‘Govt. was informed’

While the government has not contacted Recorded Future since the New York Times published its report, according to Ms. Mattingly, the company had been in touch with the government prior to the report’s publication.


“We shared technical details of the intrusions with the Indian government that would allow them to identify and respond to the incidents. We are not an incident response firm and so do not directly typically investigate internal incidents in organisations,” Ms. Mattingly said when asked if Recorded Future is helping the government patch up the vulnerabilities, which it alerted the government to soon after it noticed them.

The intrusions, which began in May 2020, continued throughout the year.

The New York Times' report quoted Recorded Future COO Stuart Solomon as saying the Chinese state-sponsored group (which the company calls ‘Red Echo’) “has been seen to systematically utilise advanced cyber intrusion techniques to quietly gain a foothold in nearly a dozen critical nodes across the Indian power generation and transmission infrastructure.”

Power stations, ports

Specifically, Recorded Future identified 21 IP addresses targeting 10 power organisations (RLDCs and SLDCs — Regional Load Despatch Centres and their State counterparts) and two seaports: the V.O. Chidambaranar Port and Mumbai Port Trust. Other intrusions included a high voltage transmission substation and a coal-fired thermal power plant, as per Recorded Future.

The report links the malware attacks to a massive power outage in Mumbai and its suburbs last October which impacted hospitals, businesses, the stock market, homes and transport systems.

“Additionally, local media reporting previously linked an October 2020 power outage in Mumbai to the identification of malware at a Padgha-based State Load Despatch Centre. At this time, the alleged link between the outage and the discovery of the unspecified malware variant remains unsubstantiated. However, this disclosure provides additional evidence suggesting the coordinated targeting of Indian Load Despatch Centres,” the report says.

“The intrusions in May 2020 onwards, which were China-linked but separate to the Red Echo activity highlighted in the report, were all reported to the Indian government shortly after discovery,” the spokesperson said. Both the U.S. and Indian authorities had been informed and acknowledged receipt of the information and stated they would investigate the findings, she added.

Irresponsible: Beijing

China’s Foreign Ministry strongly hit out at the report, calling it “irresponsible”, and attacked it for not offering evidence. “China firmly opposes and cracks down on all forms of cyber attacks,” spokesperson Wang Wenbin said.

“Speculation and fabrication have no role to play on the issue of cyber attacks, as it is very difficult to trace the origin of a cyber attack,” Mr Wang said.

He said it was “highly irresponsible to accuse a particular party when there is no sufficient evidence around,” adding that “China is firmly opposed to such irresponsible and ill-intentioned practice.”

A State Department spokesperson told The Hindu they were aware of the reports.

“In general, we continue to have concerns about states' dangerous and coercive actions, including in cyberspace, and we reaffirm the importance of joint action on cybersecurity, critical infrastructure, and supply chain security,” the spokesperson said.

(With inputs from Ananth Krishnan)
