India Thwarted China’s Cyberattacks on Power Sector
A new report has stated that 21 IP addresses of 10 distinct Indian organizations in the power generation and transmission sector, and two organizations in the maritime sector, were targeted. (IANS photo)
SUMIT KUMAR SINGH/IANS
NEW DELHI – China carried out cyberattacks on Indian power and ports sectors when troops were engaged at the borders along the Line of Actual Control but there was “no impact” on critical infrastructure, sources in the power ministry said March 1.
A study, China-Linked group Red Echo targets the Indian power sector amid heightened border tensions, carried out by Recorded Future’s Insikt Group and released March 1 came to the conclusion that there were cyberattacks, but nothing happened to critical infrastructure.
The report stated that in total, 21 IP addresses resolving to 10 distinct Indian organizations in the power generation and transmission sector were targeted, with a further two organizations in the maritime sector. They were targeted through a malware called Shadow Pad.
All 12 organizations qualify as critical infrastructure, as per the Indian National Critical Information Infrastructure Protection Center definition.
“Within India’s power sector, Red Echo conducted suspected network intrusions targeting at least 4 out of the country’s 5 Regional Load Dispatch Centers (RLDCs), alongside 2 State Load Dispatch Centers (SLDCs),” the report stated. RLDCs and SLDCs are responsible for ensuring real-time integrated operation of India’s power grid through balancing electricity supply and demand to maintain a stable grid frequency.
The report also talks about the October 2020 power outage in Mumbai links to a malware attack at a Padgha-based State Load Dispatch Center. However, the alleged link between the outage and the discovery of the unspecified malware variant remains unsubstantiated in the study.
Other Red Echo intrusions within the Indian power sector included the targeting of a high-voltage transmission substation and a coal-fired thermal power plant. “The targeting of these critical power assets offer limited economic espionage opportunities but pose significant concerns over potential pre-positioning of network access to support other Chinese strategic objectives,” the report stated.
Reacting to the report’s finding, power ministry sources said that a system of monitoring and analysis of cyber activities is already in place at all RLDCs & NLDC, operated by the Power System Operation Corporation (POSOCO).
Further, sources said that the ministry received an email from the Indian Computer Emergency Response Team (CERT-In) on November 19, 2020 on the threat of malware called Shadow Pad at some control centers of POSOCO. Accordingly, action has been taken to address these threats.
Subsequently, NCIIPC informed through a mail dated February 12, 2021 about the threat by Red Echo through a malware called Shadow Pad.
Sources in the ministry said the report of Insikt referring to the threat actors were already informed to them by CERT-in and NCIIPC.
After the ministry came to know about the threats, all IPs and domains listed in the NCIIPC mail were blocked in the firewall at all control centers.
“Log of firewall is being monitored for any connection attempt towards the listed IPs and domains. Additionally, all systems in control centers were scanned and cleaned by antivirus,” the sources in the ministry said.
The IPs mentioned in the Red Echo related advisory are matching with those given in Shadow pad.
“Observations from all RLDCs & NLDC shows that there is no communication and data transfer taking place to the IPs mentioned. There is no impact on any of the functionalities carried out by POSOCO due to the referred threat. No data breach/data loss has been detected due to these incidents,” the ministry had noted.
Prompt action is being taken by the chief information security officers at all these control centers under operation by POSOCO for any incident or advisory received from various agencies like CERT-in, NCIIPC, CERT-Trans and others.