Explained | Red Echo, ShadowPad, and the targeting of India's power grid

How a U.S. online threat analysis firm tracked alleged Chinese hackers who targeted 12 vital installations in India.

March 07, 2021 01:00 am | Updated 12:02 pm IST

The story so far: On March 3, Maharashtra Power Minister Nitin Raut announced that a State Cyber Cell probe had found 14 Trojan horses in the servers of the Maharashtra State Electricity Transmission Company. These malwares had the potential to disrupt power distribution in the State. The announcement came in the wake of a report from Recorded Future, a U.S.-based cybersecurity firm, stating that a group linked to the Chinese government, which it called ‘Red Echo’, had targeted 10 vital nodes in India’s power distribution system and two seaports. Recorded Future claims the cyber intrusions from China began in May 2020 amid heightened tensions at the border. It also suggested that these malwares could be the cause of the massive power outage in Mumbai in October 2020 . On Monday, the Power Ministry said Chinese hacker groups had targeted various Indian power centres but these groups had been thwarted after government cyber agencies warned it about their activities. The Ministry said there had been “no data breach” from the threat.

How did Recorded Future track malware in Indian systems?

Recorded Future did not look directly into the servers of India’s power system. Instead, it found a large number of IP addresses linked to critical Indian systems communicating for months with AXIOMATICASYMPTOTE servers connected to Red Echo. These servers had domains spoofing those of Indian power sector entities configured to them. For example, it had an ‘ntpc-co[.]com’ domain, which spoofs the original ntpc[.]co[.]in . AXIOMATICASYMPTOTE servers act as command-and-control centres for a malware known as ShadowPad.

Comment | Patching the gaps in India’s cybersecurity

What is ShadowPad?

ShadowPad is a backdoor Trojan malware, which means it opens a secret path from its target system to its command-and-control servers. Information can be extracted or more malicious code delivered via this path. Mr. Raut had said that there was an attempt to “either insert or remove around 8 GB of data from the server”.

Security firm Kaspersky says ShadowPad is built to target supply-chain infrastructure in sectors like transportation, telecommunication, energy and more. It was first identified in 2017, when it was found hidden in a legitimate software produced by a company named NetSarang. Trojanised softwares, or softwares that have dangers hidden in them, like the eponymous Trojan horse from Greek mythology, are the primary mode of delivery for ShadowPad.

How are ShadowPad and Red Echo linked to China?

Kaspersky states that several techniques used in ShadowPad are also found in malware from Winnti group, “allegedly developed by Chinese-speaking actors”. Security analysis firm FireEye links ShadowPad to a group known as ‘APT41’, which it says overlaps with the Winnti group. Microsoft has been tracking another group under the name ‘Barium’. In September 2020, the U.S. Department of Justice announced that a federal grand jury had indicted “five computer hackers, all of whom were residents and nationals of the People’s Republic of China (PRC), with computer intrusions affecting over 100 victim companies in the United States and abroad”. The U.S. Department of Justice confirmed that these were the intrusions that various security researchers were tracking using different threat labels such as ‘APT41’, ‘Barium’, ‘Winnti’, ‘Wicked Panda’, and ‘Wicked Spider’. The Department of Justice statement said the “defendants also compromised foreign government computer networks in India and Vietnam”.

Also read |  Only 20% of Indians are not confident in their ability to prevent a cyber attack

Security firm FireEye also “assesses with high confidence” that ‘APT41’ “carries out Chinese state-sponsored espionage activity in addition to financially motivated activity potentially outside of state control”, i.e., the group not only spies for the Chinese government but also does cybercrime when it suits them. The group has been known to target the video-game industry.

Recorded Future in its report notes large overlaps in the systems used by Red Echo and ‘APT41/Winnti/Barium’. “At least 3 of the [Red Echo] targeted Indian IP addresses were previously seen in a suspected APT41/Barium-linked campaign targeting the Indian Oil and Gas sectors in November 2020,” it says.

Also read |  Over 2.9 lakh cyber security incidents related to digital banking reported in 2020, Rajya Sabha told

What were Red Echo’s targets?

Recorded Future lists these as suspected targets: Power System Operation Corporation Limited, NTPC Limited, NTPC Kudgi STPP, Western Regional Load Despatch Centre, Southern Regional Load Despatch Centre, North Eastern Regional Load Despatch Centre, Eastern Regional Load Despatch Centre, Telangana State Load Despatch Centre, Delhi State Load Despatch Centre, DTL Tikri Kalan (Mundka), Delhi Transco Ltd (substation), V. O . Chidambaranar Port and Mumbai Port Trust.

What is the objective of Red Echo?

Recorded Future says the kind of infrastructure sought to be accessed by Red Echo, such as Regional Load Despatch Centres, has minimal espionage possibilities. However, it adds, “we assess they pose significant concerns over potential pre-positioning of network access to support Chinese strategic objectives.” Prepositioning in cyber warfare means to have malware assets in crucial places that can be called on when an actual attack is launched.

0 / 0
Sign in to unlock member-only benefits!
  • Access 10 free stories every month
  • Save stories to read later
  • Access to comment on every story
  • Sign-up/manage your newsletter subscriptions with a single click
  • Get notified by email for early access to discounts & offers on our products
Sign in


Comments have to be in English, and in full sentences. They cannot be abusive or personal. Please abide by our community guidelines for posting your comments.

We have migrated to a new commenting platform. If you are already a registered user of The Hindu and logged in, you may continue to engage with our articles. If you do not have an account please register and login to post comments. Users can access their older comments by logging into their accounts on Vuukle.