Chinese state sponsored groups were prepositioning cyberattacks for strategic objectives against Indian infrastructure assets, installations and networks at the height of Sino-Indian border tensions last year. The US cybersecurity company, Recorded Future has made detailed revelations about the modus operandi that the Chinese had undertaken for cyber assaults specifically against the Indian Power sector. The findings have been shared with the Indian agencies.
Recorded Future based in Massachusetts, US specializes in the collection, processing, analysis, and dissemination of threat intelligence. It uses patented machine learning and natural language processing methods to continuously collect and organize data from open web, dark web, and technical sources. The resulting information is displayed within a software-as-a-service portal. And it is this company which has released a detailed report on suspected Chinese intrusions.
From mid-2020 onwards, Recorded Future tracked a steep rise in the use of infrastructure tracked as Axiomaticasymptote, which included ShadowPad Command and Control (C2) Servers, to target a large swathe of India’s power sector. Axiomaticasymptote is a term Recorded Future uses to track network infrastructure that comprises ShadowPad C2 servers infections. The firm has termed this attacker group as RedEcho and says it has overlaps with other Chinese attacker groups in infrastructure and victimology. ShadowPad is used by atleast five distinct Chinese groups.
RedEcho’s targets have been identified as ten Indian power sector organizations, including four of the five Regional Load Despatch Centres (RLDCs) responsible for the operation of electricity transmission grid. Other targets identified included two Indian seaports.
The cybersecurity firm found that a subset of the Axiomaticasymptote servers share some common infrastructure tactics, techniques, and procedures (TTPs) with several previously reported Chinese state-sponsored groups. They made heavy use of Axiomaticasymptote servers which is shared between several Chinese threat activity groups, including APT41/Barium, Tonto Team, the Icefog cluster, KeyBoy, and Tick. Many of these groups are affiliated to Chinese Ministry of State Security (MSS) and People’s Liberation Army (PLA).
The report reveals it was a high concentration, heavy built campaign targeted at Indian critical infrastructure not with the intent of economic espionage but for strategic objectives. Read the complete details in our cover story – what were the domain names, where were they registered and hosted, the strategies for making the attack successful, high concentration of IPs, the distinct servers used and much more.
