China-linked adversaries have been blamed for an ongoing attack on Indian power grid organizations, a year after a concerted campaign targeting critical infrastructure in the country came to light.
Most of the intrusions involved ShadowPad, according to Recorded Future’s Insikt Group: a modular backdoor and sophisticated remote access Trojan that has been called a “masterpiece of private-sale malware in Chinese espionage.”
“ShadowPad continues to be used by a growing number of groups linked to the People’s Liberation Army (PLA) and the Ministry of State Security (MSS), with its origins linked to known MSS contractors who first used the tool in their own operations and then likely acted as a digital quartermaster,” the researchers said.
The goal of the sustained campaign, the cybersecurity company said, is to facilitate intelligence gathering related to critical infrastructure systems in preparation for future contingency operations. The targeting is believed to have begun in September 2021.
The attacks targeted seven Indian State Load Despatch Centres (SLDCs), located mainly in northern India near the disputed India-China border in Ladakh; one of them had also been the victim of a similar attack that was disclosed in February 2021 and attributed to the RedEcho group.
The 2021 RedEcho attacks involved the compromise of 10 different organizations in the Indian power sector, including six of the country’s State and Regional Load Despatch Centres (RLDCs), two ports, a national power plant and a substation.
Recorded Future attributed the latest set of malicious activity to an emerging threat group it tracks under the name Threat Activity Group 38, or TAG-38 (a temporary designation similar to the UNC#### and DEV-#### labels used by Mandiant and Microsoft), citing “notable distinctions” from the previously identified RedEcho TTPs.
In addition to attacking power grid assets, TAG-38 hit a national emergency response system and the Indian subsidiary of a multinational logistics company.
Although the initial infection vector used to breach the networks is unknown, the ShadowPad implants on the victim hosts were controlled through a command-and-control network built from compromised, internet-facing DVR/IP camera devices geolocated in Taiwan and South Korea.
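Because the C2 layer described above sat on compromised consumer cameras rather than on purpose-built servers, the destination addresses carry no reputation and IP blocklists offer little help; what does stand out on a grid operator’s network is the implant’s heartbeat, a host talking to one external address on a fixed timer. The following is an added example (not code from Recorded Future, the article, or any ShadowPad sample) of that hunt: it parses constructed Zeek-style connection records, using RFC 5737 documentation addresses rather than any real infrastructure, and flags flows whose inter-connection intervals show very little jitter. The thresholds (`min_conns`, `max_cv`) are assumptions to tune per environment.

```python
"""Beaconing hunt over outbound connection records.

Added example, not the article's or Recorded Future's code. The idea:
a backdoor calling home on a fixed interval produces near-constant gaps
between connections to the same destination, which shows up as a low
coefficient of variation (stdev / mean) of those gaps, regardless of
whether the destination IP is a known-bad server or a hijacked camera.
"""
from collections import defaultdict
from statistics import mean, pstdev

# Constructed Zeek conn.log-style records: "<ts> <src_ip> <dst_ip> <dst_port>".
# Addresses are RFC 5737 documentation ranges, not real hosts or C2.
# 10.20.30.40 contacts 203.0.113.17:443 roughly every 300 s (beacon-like);
# 10.20.30.41 contacts 198.51.100.5:80 at irregular, user-driven intervals.
SAMPLE_CONN_LOG = """\
1631577600.000 10.20.30.40 203.0.113.17 443
1631577602.110 10.20.30.41 198.51.100.5 80
1631577899.870 10.20.30.40 203.0.113.17 443
1631577913.400 10.20.30.41 198.51.100.5 80
1631578201.030 10.20.30.40 203.0.113.17 443
1631578440.250 10.20.30.41 198.51.100.5 80
1631578455.000 10.20.30.41 198.51.100.5 80
1631578498.990 10.20.30.40 203.0.113.17 443
1631578801.200 10.20.30.40 203.0.113.17 443
1631579100.600 10.20.30.40 203.0.113.17 443
1631579820.700 10.20.30.41 198.51.100.5 80
"""


def parse_conn_log(text):
    """Group connection timestamps by (src, dst, dst_port) flow key."""
    flows = defaultdict(list)
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        ts, src, dst, dport = line.split()
        flows[(src, dst, int(dport))].append(float(ts))
    return flows


def beacon_score(timestamps):
    """Return (mean_gap_seconds, coefficient_of_variation) for a flow,
    or None when there are too few connections to judge periodicity."""
    ts = sorted(timestamps)
    gaps = [b - a for a, b in zip(ts, ts[1:])]
    if len(gaps) < 3:
        return None
    m = mean(gaps)
    if m <= 0:
        return None
    return m, pstdev(gaps) / m


def find_beacons(text, min_conns=4, max_cv=0.15):
    """Flag flows with at least min_conns connections whose gap jitter
    (coefficient of variation) is at or below max_cv; lowest jitter first."""
    hits = []
    for (src, dst, dport), stamps in parse_conn_log(text).items():
        if len(stamps) < min_conns:
            continue
        score = beacon_score(stamps)
        if score is None or score[1] > max_cv:
            continue
        hits.append({
            "src": src, "dst": dst, "dport": dport,
            "connections": len(stamps),
            "interval_s": round(score[0], 1),
            "jitter_cv": round(score[1], 3),
        })
    hits.sort(key=lambda h: h["jitter_cv"])
    return hits


if __name__ == "__main__":
    for hit in find_beacons(SAMPLE_CONN_LOG):
        print(hit)
```

Two caveats a practitioner would apply before acting on a hit: legitimate timers (NTP, update checks, monitoring agents) are just as periodic, so known services must be allow-listed first, and an implant that randomizes its sleep will raise the jitter above any fixed threshold, so the check is a triage filter that narrows the flows to inspect, not a verdict. Comparing the detected interval across hosts is useful on its own; several unrelated machines sharing one odd period to one external address is worth a look even when each looks benign in isolation.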
“Use of ShadowPad in Chinese activity groups continues to grow over time, with new activity groups regularly identified using the backdoor, as well as continued adoption by previously tracked groups,” the researchers said, adding that they are monitoring at least 10 different groups with access to the malware.
Following the disclosure, India’s Union Power Minister R.K. Singh characterized the intrusions, which occurred in January and February, as failed “probing attempts” at hacking, and said the government constantly reviews its cybersecurity mechanisms to strengthen defenses.
China, for its part, reiterated that it “firmly opposes and combats all forms of cyberattacks” and that “cybersecurity is a common challenge faced by all countries that must be addressed jointly through dialogue and cooperation.”
“Recently, Chinese cybersecurity companies released a series of reports revealing that the US government launched cyberattacks on many countries around the world, including China, seriously jeopardizing the security of critical infrastructure in these countries,” Chinese Foreign Ministry spokesman Zhao Lijian said.
“It is worth noting that many of the US allies or countries with which it cooperates on cybersecurity are also victims of US cyberattacks. We believe that the international community, especially China’s neighbors, will keep their eyes wide open and make their own judgement about the true intentions of the American side.”