One year after a systematic operation targeting key infrastructure in the country was revealed, China-linked adversaries have been blamed for an ongoing offensive against Indian power grid organisations.
According to Recorded Future's Insikt Group, the majority of the attacks involved a modular backdoor called ShadowPad, a sophisticated remote access trojan described as a "masterpiece of privately sold malware in Chinese espionage."
"ShadowPad continues to be used by an increasing number of People's Liberation Army (PLA) and Ministry of State Security (MSS)-linked groups, with its origins traced back to known MSS contractors first using the tool in their own operations and later likely acting as a digital quartermaster," the researchers wrote.
According to the cybersecurity firm, the purpose of the ongoing effort is to facilitate intelligence gathering on vital infrastructure systems in preparation for future contingency operations. The targeting is thought to have begun in September 2021.
The attacks targeted seven State Load Despatch Centres (SLDCs), largely in Northern India and particularly those near the disputed India-China border in Ladakh. One of the targets had previously been hit in a similar campaign disclosed in February 2021 and attributed to the RedEcho group.
The 2021 RedEcho attacks compromised ten different Indian power sector entities, including six regional and state load despatch centres (RLDCs and SLDCs), two ports, a national power plant, and a substation.
Recorded Future linked the latest set of malicious activities to an emerging threat cluster it tracks under the moniker Threat Activity Group 38, aka TAG-38 (similar to Mandiant's and Microsoft's UNC#### and DEV-#### designations), citing "notable distinctions" from previously identified RedEcho TTPs.
TAG-38 not only targeted power grid assets, but also a national emergency response system and the Indian unit of a major logistics company.
Although the initial infection vector used to access the networks is unknown, the ShadowPad implants on the compromised hosts were controlled through a network of compromised internet-facing DVR/IP camera devices in Taiwan and South Korea.
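Because the command-and-control path described above ran through compromised consumer DVR/IP cameras rather than infrastructure with a known-bad reputation, threat-intelligence blocklists alone are unlikely to catch it. A more robust control for load-despatch and other OT hosts is a strict egress allowlist: any outbound connection from the OT segment to an external destination that is not pre-approved is flagged, whatever the destination's reputation. The script below is an added illustration written for this article, not code from Recorded Future or from any of the organisations named. The OT subnet, the allowlist entries, the key=value firewall log format and the log lines themselves are all constructed assumptions.

```python
"""Egress-allowlist check for an OT/SCADA segment (added example).

Flags 'allow' events where a host in the monitored OT subnet reached an
external destination that is not on the approved egress list. All network
ranges, log lines and the log format below are constructed assumptions.
"""
import ipaddress
import re
from collections import defaultdict

# Assumed: the OT segment that must only talk to approved external hosts.
OT_SEGMENT = ipaddress.ip_network("10.50.0.0/16")

# Assumed: RFC 1918 ranges treated as internal and therefore out of scope.
INTERNAL_NETS = [
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("172.16.0.0/12"),
    ipaddress.ip_network("192.168.0.0/16"),
]

# Assumed: the only external destinations the OT segment may reach.
EGRESS_ALLOWLIST = [
    ipaddress.ip_network("203.0.113.10/32"),  # assumed vendor update server
    ipaddress.ip_network("198.51.100.0/24"),  # assumed corporate relay range
]

# Constructed firewall log lines (documentation-range addresses, not real IoCs).
SAMPLE_LOGS = """\
ts=2022-04-06T02:11:03Z src=10.50.4.21 dst=203.0.113.10 dport=443 proto=tcp action=allow
ts=2022-04-06T02:11:09Z src=10.50.4.21 dst=192.0.2.77 dport=443 proto=tcp action=allow
ts=2022-04-06T02:11:15Z src=10.50.4.21 dst=192.0.2.77 dport=443 proto=tcp action=allow
ts=2022-04-06T02:12:40Z src=10.50.9.5 dst=198.51.100.33 dport=8443 proto=tcp action=allow
ts=2022-04-06T02:13:01Z src=10.50.9.5 dst=192.0.2.78 dport=8080 proto=tcp action=allow
ts=2022-04-06T02:13:30Z src=172.16.3.8 dst=192.0.2.99 dport=443 proto=tcp action=allow
ts=2022-04-06T02:14:02Z src=10.50.4.21 dst=10.50.1.2 dport=502 proto=tcp action=allow
"""

KV_RE = re.compile(r"(\w+)=(\S+)")


def parse_line(line):
    """Turn one key=value log line into a dict (empty dict if unparseable)."""
    return dict(KV_RE.findall(line))


def is_internal(addr):
    return any(addr in net for net in INTERNAL_NETS)


def is_allowed(dst_str):
    """True if the destination string is on the egress allowlist."""
    dst = ipaddress.ip_address(dst_str)
    return any(dst in net for net in EGRESS_ALLOWLIST)


def find_unapproved_egress(log_text):
    """Return {ot_source_ip: sorted list of unapproved external destinations}.

    Only permitted ('allow') flows from the OT segment are examined; internal
    destinations and allowlisted external destinations are ignored.
    """
    findings = defaultdict(set)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if not rec or rec.get("action") != "allow":
            continue
        try:
            src = ipaddress.ip_address(rec["src"])
            dst = ipaddress.ip_address(rec["dst"])
        except (KeyError, ValueError):
            continue  # malformed line: skip rather than crash the sweep
        if src not in OT_SEGMENT:
            continue  # the allowlist applies to the OT segment only
        if is_internal(dst) or is_allowed(rec["dst"]):
            continue
        findings[str(src)].add(str(dst))
    return {src: sorted(dsts) for src, dsts in findings.items()}


if __name__ == "__main__":
    for src, dsts in find_unapproved_egress(SAMPLE_LOGS).items():
        print(f"OT host {src} reached unapproved external destinations: {', '.join(dsts)}")
```

Run against the constructed log, the sweep reports two OT hosts each reaching one destination outside the allowlist, while the connection from the non-OT host 172.16.3.8 and the Modbus flow to an internal address are ignored. In practice the allowlist is enforced at the firewall and this kind of check is run over the firewall's own "allow" records to catch rule gaps; a hit is worth investigating regardless of whether the destination IP appears on any reputation feed.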
"The use of ShadowPad across Chinese activity groups continues to grow over time, with new clusters of activity regularly identified using the backdoor as well as continued adoption by previously tracked clusters," the researchers said, adding that they're keeping an eye on at least ten distinct groups with access to the malware.
Following the disclosure, India's Union Power Minister R. K. Singh described the incursions as "failed probing attempts" at hacking that occurred in January and February, and stated that the government constantly reviews its cybersecurity systems to strengthen its defences.
China, for its part, emphasised that it "strongly opposes and combats all sorts of cyberattacks" and that "cybersecurity is a common concern confronting all countries that should be tackled collaboratively through conversation and cooperation."
"Recently, Chinese cybersecurity firms released a series of reports revealing that the US government launched cyberattacks on many countries around the world, including China, seriously jeopardising the security of these countries' critical infrastructure," said Zhao Lijian, a spokesperson for China's Foreign Ministry.
"It is worth noting that many of the United States' friends or countries with which it works on cyber security are also targets of US cyber-attacks. We hope that the international community, particularly China's neighbours, will keep their eyes peeled and form their own opinions about the genuine objectives of the US side."