Chinese state-sponsored actors may have deployed malware into Indian power grids and seaports as border tensions between India and China began escalating in May last year, culminating in a deadly clash along the Line of Actual Control (LAC) in mid-June. The alleged cyber intrusion was discovered and revealed by U.S. cyber security and intelligence firm Recorded Future, according to the New York Times, which broke the story. An October 12 grid failure in Mumbai may have been caused by the Chinese malware, as per the report.
The Massachusetts-based firm found that, in the lead-up to the clashes, there was an increase in malware targeting the government, defence organisations and the public sector. The Power Ministry confirmed that while attempts to breach systems were made, the power sector had not been impacted.
Recorded Future told The Hindu that there is still some evidence of ongoing intrusion although a significant amount of it has subsided recently.
“There is evidence that some of the intrusions remain ongoing; however, a significant proportion of the activity appeared to cease in early to mid-February following notification,” a spokesperson for Recorded Future, Caitlin Mattingly, told The Hindu via email on Monday.
‘Govt. was informed’
While the government has not contacted Recorded Future since the New York Times published its report, according to Ms. Mattingly, the company had been in touch with the government prior to the report’s publication.
“We shared technical details of the intrusions with the Indian government that would allow them to identify and respond to the incidents. We are not an incident response firm and so do not directly typically investigate internal incidents in organisations,” Ms. Mattingly said when asked if Recorded Future is helping the government patch up the vulnerabilities, which it alerted the government to soon after it noticed them.
The intrusions, which began in May 2020, continued throughout the year.
The New York Times' report quoted Recorded Future COO Stuart Solomon as saying the Chinese state-sponsored group (which the company calls ‘Red Echo’) “has been seen to systematically utilise advanced cyber intrusion techniques to quietly gain a foothold in nearly a dozen critical nodes across the Indian power generation and transmission infrastructure.”
Power stations, ports
Specifically, Recorded Future identified 21 IP addresses targeting 10 power organisations (RLDCs and SLDCs — Regional Load Despatch Centres and their State counterparts) and two seaports: the V.O. Chidambaranar Port and Mumbai Port Trust. Other intrusions included a high voltage transmission substation and a coal-fired thermal power plant, as per Recorded Future.
The report links the malware attacks to a massive power outage in Mumbai and its suburbs last October which impacted hospitals, businesses, the stock market, homes and transport systems.
“Additionally, local media reporting previously linked an October 2020 power outage in Mumbai to the identification of malware at a Padgha-based State Load Despatch Centre. At this time, the alleged link between the outage and the discovery of the unspecified malware variant remains unsubstantiated. However, this disclosure provides additional evidence suggesting the coordinated targeting of Indian Load Despatch Centres,” the report says.
“The intrusions in May 2020 onwards, which were China-linked but separate to the Red Echo activity highlighted in the report, were all reported to the Indian government shortly after discovery,” the spokesperson said. Both the U.S. and Indian authorities had been informed and acknowledged receipt of the information and stated they would investigate the findings, she added.
China’s Foreign Ministry strongly hit out at the report, calling it “irresponsible”, and attacked it for not offering evidence. “China firmly opposes and cracks down on all forms of cyber attacks,” spokesperson Wang Wenbin said.
“Speculation and fabrication have no role to play on the issue of cyber attacks, as it is very difficult to trace the origin of a cyber attack,” Mr Wang said.
He said it was “highly irresponsible to accuse a particular party when there is no sufficient evidence around,” adding that “China is firmly opposed to such irresponsible and ill-intentioned practice.”
A State Department spokesperson told The Hindu they were aware of the reports.
“In general, we continue to have concerns about states' dangerous and coercive actions, including in cyberspace, and we reaffirm the importance of joint action on cybersecurity, critical infrastructure, and supply chain security,” the spokesperson said.
(With inputs from Ananth Krishnan)