Chinese Cyber Attacks Against India — How Plausible and Formidable?

If one were to be politically incorrect, they’d say that Chinese foreign policy has typically three phases, following each other in the same order in case the previous fails: diplomatic camouflage, espionage and sabotage!

But let’s not dwell on incorrectness and move on to facts. This Sunday, a report in the New York Times broke the story that a group of Chinese hackers may have targeted Indian power grids and seaports in response to the ongoing border tensions between the two countries.

The report was based on the findings and intelligence gathered by a firm called Recorded Future, which suggests that the city-wide grid failure in Mumbai that occurred on October 12th 2020 may have been the result of a Chinese malware.

Yet another US firm called Cyfirma claims that a Chinese-affiliated group of hackers also targeted the systems of two major vaccine makers — Serum Institute of India (SII) and Bharat Biotech.

Read on to find out how these hacks were operated and with what intent.

The “Red” Echoes of Chinese Cyber Attack

Recorded Future is a Massachusetts-based US cyber security and intelligence firm. It identifies a group called RedEcho (name given by Recorded Future), which organised this cyberattack campaign. RedEcho is a Chinese state-sponsored group which has been reportedly trying to enlarge its presence across at least a dozen different critical points in India’s power-related infrastructure.

The report from Recorded Future identifies 21 IP addresses targeting 10 different power organisations and two ports — including NTPC, five regional load dispatch centres or RLDCs (which help in the management of national power grid by optimising electricity supply and demand), their state counterparts and the ports of Mumbai and Tuticorin. All 12 organisations are part of the country’s critical infrastructure.

Out of the above, at least three IP addresses were previously noticed in a suspected APT41/Barium-linked campaign which targeted Indian oil and gas sectors in November 2020.

FYI: APT41 (aka Barium, Wicked Panda, Wicked Spider, Winnit) is a notorious cyberthreat group that intruded into the networks of at least 100 different companies in the USA. Its members have faced multiple indictments by the US Department of Justice.

Interesting fact: They used to hide malware inside fake resumes that were sent to targets!

The report points at the use of ShadowPad command and control servers for targeting the power infrastructure of India. ShadowPad is a malware that is predominantly used in supply chain attacks (like the ones witnessed in the SolarWinds Hack in December 2020!). They hide inside legitimate software and install malicious codes or steal data from their host once activated.

In case of the SII/Bharat Biotech attacks, the perpetrators are believed to be a group called APT10 (aka Stone Panda) which is reportedly targeting gaps in the supply chain softwares of both organisations to steal vaccine data.

How Substantial Is the Proof?

The investigators say “the alleged link between the outage and discovery of the unspecified malware in the system remains unsubstantiated”. What this means is that although the operational signature of these power grid attacks are highly indicative of the RedEcho group, it is not definitive.

There is, however, other evidence. Since May 2020, when the tensions across the border owing to the Galwan Valley standoff escalated, there has been a considerable increase in the influx of the PlugX malware into multiple government, public sector and defence organisation networks in India. Even though PlugX is not characteristic of Chinese cyber espionage activity, it has been reported heavily for its use by China-nexus groups for many years.

Secondly, Indian administration launched a formal investigation in November 2020 into the Mumbai outage incident publicly stating that they suspect a cyberattack of Chinese origin. Yesterday, Maharashtra’s Home and Energy Ministers disclosed the findings of this investigation. They called it a case of “cyber sabotage” which was made possible because of three prime pieces of evidence: (a) malware attack on grid servers (b) transfer of 8GB unaccounted data from a foreign server to grid server (c)attempt by multiple blacklisted IP addresses to log onto the grid server.

Surprisingly, the administration has gone silent about its allegations involving China in the matter since then. In fact, earlier this evening, the Government ascribed the blame for these attacks on “human error” and not cyberattacks.

The Chinese government has denied the allegations.

How Compromised Are We?

Recorded Future says although they have pieced together remnants of the suspected malware, they couldn’t analyse the details of the codes because they couldn’t get inside India’s power systems. That is either mind-numbing naivete or a cautious exercise in plausible deniability. In any case, the report categorically fails to attribute liability on any particular group.

However, CERT-IN (Computer Emergency Response Team) had brought this to the knowledge of the Government in November 2020. The National Critical Information Infrastructure Protection Centre (NCIIPC), a suspected victim of the target itself, had also informed the Ministry of Power regarding the repeated malware invasion into Indian infrastructure. Even then, the Indian Government stated that no breach/data loss has been detected due to these attacks, with unparalleled stoicism.

Moreover, loss of important vaccine and research data from SII/Bharat Biotech is highly disadvantageous to the country’s vaccine-making infrastructure which prides itself on being the largest in the world in terms of capacity and output. Loss of intellectual property on that scale would be colossal. Substantiation of this report is even lower than the power grid attacks. However, the publishing firm Cyfirma is backed by Goldman Sachs and its report is corroborated by testimonies from many experts, including a few from the intelligence community.

How Prepared Are We?

This isn’t the first instance of Chinese cyberattacks on India.

What is clear is that the latest attacks are a form of cyber flexing by China which continues to be in a diplomatic deadlock with India after almost a year of the Galwan Valley incident in which at least 20 lives were lost in the first instance of combat deaths between the countries over the last 45 years.

Even though bilateral disengagement at the border continues (at a glacial pace), every now and then there are reports of troop escalation or conflict on both sides. In these situations, using cyber operations to disrupt critical infrastructure in the other country is perhaps the new standard of creating asymmetric power dynamics. This has been done many times by many countries, most notably by Russia which created power outages in Ukraine twice and filled American power grids with malicious codes repeatedly in the past.

There is also documented evidence of Indian state-sponsored groups targeting Chinese military and government entities in 2020, primarily through phishing attacks. However, the bottom line remains that fear of an attack is more instrumental than actually launching the attack, because it serves as an important element of diplomatic posturing that China needs, to roll over India in the border dispute talks.

(Originally published March 3rd 2021 in transfin.in)