An investigation by US cyber-security company Recorded Future has found that a cyber-campaign by RedEcho, a threat activity group with links to China, targeted the Indian power sector.

The findings have sparked a strong response from the Chinese government and a series of claims in India.

Starting early last year, Recorded Future’s Insikt Group observed a large increase in suspected intrusion activity against Indian organisations from Chinese state-sponsored groups.

Then in May 2020, after months of increasing tension on the countries’ Himalayan border, clashes between the nations’ armed forces resulted in the first combat deaths in 45 years.

From mid-2020 onwards, Recorded Future noted a steep rise in the use of infrastructure tracked as AXIOMATICASYMPTOTE, which encompasses ShadowPad command and control (C2) servers, to target a large swathe of India’s power sector.

Ten organisations, including four regional load despatch centres responsible for operating the power grid, were identified as targets in a concerted campaign against India’s critical infrastructure. Two Indian seaports were also targeted.

The activity was identified through a combination of large-scale automated network traffic analytics and expert analysis. Data sources include the Recorded Future Platform, SecurityTrails, Spur, Farsight and common open-source tools and techniques, Recorded Future said.

Despite some overlaps with previous Chinese state-sponsored groups, such as APT41 and Tonto Team, the cyber security company believes there is insufficient evidence to firmly attribute the activity to an existing public group. It therefore continues to track the activity as a closely related, but distinct activity group, RedEcho.

The report did not say whether a day-long power blackout in Mumbai on 12 October was connected with the RedEcho activity. An investigation by the Maharashtra state government’s Cyber Cell into the electricity outage found several instances of unaccounted data and suspicious login attempts into the Maharashtra Power Department infrastructure from foreign IP addresses blacklisted by international internet security companies, Indian media reported.

In its conclusions, Boston-headquartered Recorded Future said targeting Indian critical infrastructure offers limited economic espionage opportunities, but could support Chinese strategic objectives.

“Pre-positioning on energy assets may support several potential outcomes, including geo-strategic signalling during heightened bilateral tensions, supporting influence operations, or as a precursor to kinetic escalation,” Recorded Future added.

The company said it notified the appropriate Indian government departments before publication of the report about the suspected intrusions to support responses and remediation within the impacted organisations.

China’s foreign ministry spokesman Wang Wenbin responded to Recorded Future’s report by saying: “As a staunch defender of cyber security, China firmly opposes and cracks down on all forms of cyber-attacks.

“Speculation and fabrication have no role to play on the issue of cyber-attacks, as it is very difficult to trace the origin of a cyber-attack. It is highly irresponsible to accuse a particular party when there is no sufficient evidence around. China is firmly opposed to such irresponsible and ill-intentioned practice,” he added.
