China launched a cyber-campaign hit against India’s power grid targeting Mumbai on October 13 last year, in a warning message after the tension at Ladakh border.
The New York Times reported that a new study lends weight to the idea that those two events may have been connected – as part of a broad Chinese cyber campaign against India’s power grid, timed to send a message that if India pressed its claims too hard, the lights could go out across the country.
“The study shows that as the battles raged in the Himalayas, taking at least two dozen lives, Chinese malware was flowing into the control systems that manage electric supply across India, along with a high-voltage transmission substation and a coal-fired power plant”, NYT said.
The report said the flow of malware was pieced together by Recorded Future, a Somerville, Massachusetts, company that studies the use of the internet by state actors. It found that most of the malware was never activated.
“And because Recorded Future could not get inside India’s power systems, it could not examine the details of the code itself, which was placed in strategic power-distribution systems across the country. While it has notified Indian authorities, so far they are not reporting what they have found”, NYT said.
Stuart Solomon, Recorded Future’s chief operating officer, said that the Chinese state-sponsored group, which the firm named Red Echo, “has been seen to systematically utilize advanced cyber intrusion techniques to quietly gain a foothold in nearly a dozen critical nodes across the Indian power generation and transmission infrastructure.”
The discovery raises the question about whether an outage that struck on October 13 in Mumbai, one of the country’s busiest business hubs, was meant as a message from Beijing about what might happen if India pushed its border claims too vigorously, NYT said.
It added that news reports at the time quoted Indian officials as saying that the cause was a Chinese-origin cyber-attack on a nearby electricity load-management center. Authorities began a formal investigation, which is due to report in the coming weeks. Since then, Indian officials have gone silent about the Chinese code, whether it set off the Mumbai blackout and the evidence provided to them by Recorded Future that many elements of the nation’s electric grid were the target of a sophisticated Chinese hacking effort.
NYT said the investigators who wrote the Recorded Future study, which is set to be published Monday, said that “the alleged link between the outage and the discovery of the unspecified malware” in the system “remains unsubstantiated.” But they noted that “additional evidence suggested the coordinated targeting of the Indian load dispatch centers,” which balance the electrical demands across regions of the country.
“I think the signaling is being done” by China to indicate “that we can and we have the capability to do this in times of a crisis,” said retired Lt. Gen. D.S. Hooda, a cyber expert who oversaw India’s borders with Pakistan and China. “It’s like sending a warning to India that this capability exists with us”, NYT quoted.
In the Indian case, Recorded Future sent its findings to India’s Computer Emergency Response Team, or CERT-In, a kind of investigative and early-warning agency most nations maintain to keep track of threats to critical infrastructure. Twice the center has acknowledged receipt of the information, but said nothing about whether it, too, found the code in the electric grid, NYT said.
Repeated efforts by The New York Times to seek comment from the center and several of its officials over the past two weeks yielded no response.
In India, a patchwork of state-backed hackers were caught using coronavirus-themed phishing emails to target Chinese organizations in Wuhan last February. A Chinese security company, 360 Security Technology, accused state-backed Indian hackers of targeting hospitals and medical research organizations with phishing emails, in an espionage campaign.
Four months later, as tensions rose between the two countries on the border, Chinese hackers unleashed a swarm of 40,300 hacking attempts on India’s technology and banking infrastructure in just five days. Some of the incursions were so-called denial-of-service attacks that knocked these systems offline; others were phishing attacks, according to the police in Maharashtra, as per NYT.
Yashasvi Yadav, a police official in charge of Maharashtra’s cyber-intelligence unit, said authorities found “suspicious activity” that suggested the intervention of a state actor.
But Yadav declined to elaborate, saying the investigation’s full report would be released in early March. Nitin Raut, a state government minister quoted in local reports in November blaming sabotage for the Mumbai outage, did not respond to questions about the blackout, NYT reported.