China hackers targeted power grids near Ladakh, says report
Apr 08, 2022
NEW DELHI: Chinese hackers targeted power grids in north India over the last several months including in March this year, a US-based private cybersecurity firm has claimed. It said the seven targeted State Load Despatch Centres (SLDCs) were "in proximity to the disputed India-China border in Ladakh".
Using a family of malware called ShadowPad, these hackers targeted SLDCs in north Indian states, according to a report released by Recorded Future, a Massachusetts-based cybersecurity firm that describes itself as specialising in the collection, processing, analysis and dissemination of threat intelligence.
The hackers are backed by Chinese state entities, the report said, linking the use of the trojan ShadowPad and hacking groups to the People's Liberation Army and the Chinese Ministry of State Security.
It said the company had informed the Indian authorities before publication of the report.
"In recent months, we observed likely network intrusions targeting at least 7 Indian State Load Despatch Centres (SLDCs) responsible for carrying out real-time operations for grid control and electricity dispatch within these respective states. Notably, this targeting has been geographically concentrated, with the identified SLDCs located in North India, in proximity to the disputed India-China border in Ladakh," the report said.
The report said the hackers, named by the firm as Threat Activity Group (TAG) 38, also targeted an emergency response force and an Indian subsidiary of a multinational logistics company.
Although the report did not identify the targets, a blank map in the report pinpoints the locations of the attacks in the areas of Jammu, Punjab, Himachal Pradesh, Delhi and Haryana-Rajasthan.
(PTI adds: Speaking on the sidelines of a clean energy ministerial meet in the national capital, Power Minister R K Singh acknowledged attempts were made by China, but added India's defences against such intrusions were strong.
"Our defence against cyber attack is strong. These were probing attacks in December, January and February. They did not succeed. But we are aware," he said.
He also said action was taken way back in 2018 against suspected cyber attacks on the country's power supply system. "We had put protocols in place. Those protocols are working and we are strengthening those protocols every day. So, our cyber defence against cyber attack is strong. We are confident about that," Singh asserted.
Ministry of External Affairs spokesperson Arindam Bagchi said, "We have seen the reports. There is a mechanism in place so that our critical infrastructure remains resilient in such cases... We have systems in place to safeguard critical infrastructure... I don't have any information that we have raised the issue with China."
In Beijing, the Chinese government denied reports that its hackers targeted the Indian power grid in Ladakh. "We have noted the relevant reports," China's Foreign Ministry spokesman Zhao Lijian said at a media briefing. "As I repeated many times, we firmly oppose and crack down on all forms of hacking activities. We will never encourage, support or condone such activities," he said.)
In an earlier report in February this year, Recorded Future had reported that another hacking group, RedEcho, had from mid-2020 onward targeted "10 distinct Indian power sector organizations, including 4 of the 5 Regional Load Despatch Centres (RLDC)" and two ports.
It named the grids as Delhi SLDC, DTL Tikri Kalan substation, the Western RLDC, NTPC's power plant at Kudgi in Karnataka, Southern RLDC, the Telangana SLDC, and the Eastern and the North Eastern RLDCs as well. The two ports were Mumbai Port and the VOC Port at Tuticorin in Tamil Nadu.
The new report says that after a temporary lull following the disclosure of RedEcho's activities, the hackers were at it again, and likely carried out their attacks through co-opted and compromised internet-facing DVR/IP camera devices in Taiwan and South Korea. TAG-38 used these devices to command and control ShadowPad infections in the targets. They also used the open-source Fast Reverse Proxy, according to the report.
The report assessed that the targeting was "intended to enable information gathering surrounding critical infrastructure systems or is pre-positioning for future activity".
It also mentioned other hacking activity, in which the targets included "an Indian managed service provider and operational technology vendor". It said this activity was by a group named TAG-26, which targeted multiple high-value organisations in India using ShadowPad and other malware such as Poison Ivy and RoyalRoad RTF.