Chinese hackers target power grid near Ladakh

Launching a cyber-espionage campaign against India, suspected state-sponsored Chinese hackers have targeted electricity distribution centres near Ladakh, a report by private intelligence firm Recorded Future Inc. has said.

Updated - April 07, 2022 10:33 pm IST

Published - April 07, 2022 07:52 pm IST

The Chinese government meanwhile has denied reports that its hackers targeted the Indian power grid in Ladakh. Image credit: Reuters | Photo Credit: KACPER PEMPEL

The report claimed that the hackers focused on at least seven “State Load Despatch Centres (SLDCs)” in northern India that are responsible for carrying out real-time operations for grid control and electricity dispatch in the areas they are located in, near the disputed India-China border in Ladakh.

“In recent months, we observed likely network intrusions targeting at least seven Indian State Load Despatch Centres (SLDCs) responsible for carrying out real-time operations for grid control and electricity dispatch within these respective states. Notably, this targeting has been geographically concentrated, with the identified SLDCs located in North India, in proximity to the disputed India-China border in Ladakh,” the report stated.

One of the load despatch centres had previously been the target of another hacking group called RedEcho, which has “strong overlaps” with a hacking group that the U.S. has tied to the Chinese government.

“The prolonged targeting of Indian power grid assets by Chinese state-linked groups offers limited economic espionage or traditional intelligence gathering opportunities,” said the report, adding, “We believe this is instead likely intended to enable information gathering surrounding critical infrastructure and/or pre-positioning for future activity.” 

The cyber-attacks took place between August 2021 and March 2022, NDTV quoted sources as saying. The NDTV report further added that the investigation found the data passing in and out of the load despatch centres to the Chinese state-sponsored command and control servers spread across the world.

Recorded Future said, “In addition to the targeting of power grid assets, we also identified the compromise of a national emergency response system and the Indian subsidiary of a multinational logistics company by the same threat activity group.”

The group said they alerted the government of their findings before publishing the report.

On April 7, the government confirmed that two attempts were made by Chinese hackers to disrupt electricity distribution centres near Ladakh; however, the attacks were not successful.

“Two attempts by Chinese hackers were made to target electricity distribution centres near Ladakh but were not successful. We’ve already strengthened our defence system to counter such cyber attacks,” Power Minister R.K. Singh told news agency ANI on April 7.

The intelligence firm said that the Chinese hackers were trying to “gather information surrounding critical infrastructure systems or is pre-positioning for future activity”.

“Given the continued targeting of State and Regional Load Despatch Centres in India over the past 18 months, first from RedEcho and now in this latest TAG-38 activity, this targeting is likely a long-term strategic priority for select Chinese state-sponsored threat actors active within India,” it said.

“The objective for intrusions may include gaining an increased understanding into these complex systems in order to facilitate capability development for future use or gaining sufficient access across the system in preparation for future contingency operations,” Recorded Future said.

The hacking group, dubbed TAG-38, has used a kind of malicious software called ShadowPad, which was previously associated with China’s People’s Liberation Army and the Ministry of State Security, according to Recorded Future. Researchers didn’t identify the victims by name.

Jonathan Condra, a senior manager at the cyberthreat intelligence firm, told Bloomberg that the method the attackers used to make the intrusions — compromised internet of things devices and cameras — was unusual. “The devices used to launch the intrusions were based in South Korea and Taiwan,” he said.

This comes as the latest flashpoint after a military standoff between the two countries in the region. In June 2020, tensions flared up after a high-altitude skirmish, which involved hand-to-hand combat between troops, in Ladakh’s Galwan Valley in the Himalayas.

In the deadly encounter, at least 20 Indian soldiers were killed. Since then, multiple rounds of talks have had limited success in de-escalating border tensions.

In March, India said there can be no normality in ties with China unless the troops amassed at the Line of Actual Control (LAC) are withdrawn.
