China-Linked Hackers Target India’s Power Grid Amid Border Clashes
Adam Janofsky March 1, 2021

Over the course of the last year, hackers with suspected links to the Chinese government targeted a large portion of India’s power sector as the two countries engaged in border skirmishes that resulted in dozens of casualties, according to new research from Recorded Future.

Ten distinct power sector organizations, including four of the country’s five Regional Load Dispatch Centers, have been identified as likely targets. The centers play a key role in operating India’s power grid by balancing electricity supply and demand.

“It’s such broad targeting across India—when you plot out the physical locations of targets on a map, it amounts to a comprehensive targeting across the country’s whole energy sector,” said Levi Gundert, senior vice president of global intelligence at Recorded Future. “China and India are working on smoothing over the border disputes that plagued them over the last year, so it’s an inopportune time for India to find out that China has been targeting their energy sector.”

The attackers are also believed to have targeted a high-voltage transmission substation, a coal-fired thermal power plant, and two seaports, according to the report. Although analysts said the activity was likely espionage-related, Indian officials blamed a Mumbai power outage last year on a Chinese cyberattack allegedly targeting an electricity load-management center. The New York Times first reported the research and the potential connection to Mumbai’s power outage.

The targeting makes use of a modular backdoor called ShadowPad that was originally connected to the Chinese-linked hacking group APT41, or Barium, according to cybersecurity firm FireEye. Over the last couple of years, at least five Chinese threat activity groups have used ShadowPad, including Tonto Team, KeyBoy, and Tick, suggesting that it is one of the latest capabilities being shared across Chinese state-sponsored groups for cyber espionage purposes.

Despite this overlap, as well as other shared infrastructure tactics, techniques, and procedures, Recorded Future researchers said there is not enough evidence to attribute the activity to an existing group such as APT41 or Tonto Team. Instead, researchers are tracking it as a closely related but distinct group that they’re calling RedEcho.

Although it’s impossible to know the attackers’ exact motivations, researchers said the targeting was likely for cyber espionage purposes, and could be pre-positioning for a variety of potential outcomes. It’s unlikely that the attackers are motivated by economic gain—such as stealing intellectual property or trade secrets.

“It’s not super beneficial from an economic perspective,” said Gundert. “They’re prepositioning—but for what? It could be signaling that they have capabilities while they’re in the middle of precarious conversations. It could be part of a larger influence operation. And there’s always the possibility that it could be a precursor to kinetic escalation… it gives them a lot of options depending on how the talks go.”

Tensions between China and India have escalated since May 2020, when troops from both countries engaged in a faceoff in the border area near eastern Ladakh and west Tibet. Subsequent skirmishes have broken out at other border areas, and in June the Indian government banned dozens of Chinese applications, including TikTok and WeChat. There have been several diplomatic and military talks between the two countries during the border tensions, but the conflict appears to be unresolved.

Gundert added that power grids can be a prime target for signaling because of how reliant countries and businesses are on electricity. Russia used this tactic against Ukraine several times by triggering blackouts across the country. Like the suspected Chinese targeting, the Russian attacks took place amid an ongoing conflict between Russia and Ukraine that is centered primarily around control of Crimea. If the Chinese-linked group is intending to send a signal with its activity, it likely will be heard not just by India.

“Other countries in friction zones with China will ask themselves if they need to be wary and cautious,” said Gundert. “Perhaps Vietnam, the Philippines, Cambodia and others will have to [change their cyberdefenses].”

Adam is the founding editor-in-chief of The Record by Recorded Future. He previously was the cybersecurity and privacy reporter for Protocol, and prior to that covered cybersecurity, AI, and other emerging technology for The Wall Street Journal.