How an American online threat analysis firm tracked alleged Chinese hackers who targeted 12 important installations in India.
The story so far: On 3 March, Maharashtra's electricity minister Nitin Raut announced that 14 Trojan horses had been found in the servers of the Maharashtra State Electricity Distribution Company during a state cyber cell investigation. This malware had the ability to disrupt power distribution in the state. The announcement came in the wake of a report by Recorded Future, a US-based cybersecurity firm, which said that a group linked to the Chinese government, called ‘Red Echo', had targeted 10 critical nodes in India's electricity distribution system and two seaports. Recorded Future claims that the cyber intrusions from China began in May 2020, amid tension on the border. It has also been suggested that the massive power outage in Mumbai in October 2020 may have been connected to this. On Monday, the Ministry of Power said that Chinese hacker groups had targeted various Indian power stations, but that their activities were thwarted after government cyber agencies issued warnings. The ministry said there had been “no data breach” as a result of the threat.
How did Recorded Future track malware planted in Indian systems?
Recorded Future did not have direct visibility into the servers of India's electricity system. Instead, it found a large number of IP addresses associated with critical Indian systems communicating for months with AXIOMATICASYMPTOTE servers linked to Red Echo. These servers had domains configured to resemble those of entities in the Indian power sector. For example, one used the domain ‘ntpc-co'[.]com, which spoofs the genuine NTPC[.]CO[.]in. The AXIOMATICASYMPTOTE servers act as command-and-control infrastructure for malware known as ShadowPad.
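The lookalike-domain trick described above (folding the labels of a real domain into one hyphenated name under a different TLD) can be checked for in DNS query logs. The following is an added illustration written for this explainer, not code from Recorded Future's report; the only real domains in it are the two the article names, and the log lines, client IPs and `updates.example.org` are constructed sample data.

```python
import re
from difflib import SequenceMatcher

# Legitimate domain named in the article; the lookalike it describes is ntpc-co[.]com.
LEGIT_DOMAINS = ["ntpc.co.in"]

def refang(indicator: str) -> str:
    """Turn a defanged indicator such as 'ntpc-co[.]com' back into a plain domain name."""
    return indicator.replace("[.]", ".").replace("(.)", ".").lower().strip(".")

def core(domain: str) -> str:
    """Everything except the TLD, with dots and hyphens removed.
    'ntpc.co.in' -> 'ntpcco' and 'ntpc-co.com' -> 'ntpcco', which exposes the spoof."""
    labels = refang(domain).split(".")
    if labels and labels[0] == "www":
        labels = labels[1:]
    return re.sub(r"[.-]", "", "".join(labels[:-1]))

def lookalike_of(domain: str, legit=LEGIT_DOMAINS, threshold=0.85):
    """Return the legitimate domain this name imitates, or None if it is genuine/unrelated."""
    d = refang(domain)
    if any(d == real or d.endswith("." + real) for real in legit):
        return None  # the real domain itself or one of its genuine subdomains
    c = core(d)
    for real in legit:
        # ratio of 1.0 means the letters are identical once separators and TLD are dropped;
        # the threshold also catches single-character typos of the same trick
        if SequenceMatcher(None, c, core(real)).ratio() >= threshold:
            return real
    return None

# Constructed DNS-style log lines (not from the report); the spoofed name is the one the article quotes.
SAMPLE_LOG = """\
2021-02-10T08:14:02Z client=10.20.30.41 query=ntpc-co.com type=A
2021-02-10T08:14:05Z client=10.20.30.41 query=ntpc.co.in type=A
2021-02-10T08:14:09Z client=10.20.30.77 query=updates.example.org type=A
2021-02-10T08:15:11Z client=10.20.30.41 query=www.ntpc-co.com type=A
"""

def flag_lookalikes(log: str):
    """Return (client, queried_domain, imitated_domain) for every suspicious query in the log."""
    hits = []
    for line in log.splitlines():
        m = re.search(r"client=(\S+)\s+query=(\S+)", line)
        if m and (target := lookalike_of(m.group(2))):
            hits.append((m.group(1), m.group(2), target))
    return hits

if __name__ == "__main__":
    for client, queried, real in flag_lookalikes(SAMPLE_LOG):
        print(f"{client} queried {queried}, which imitates {real}")
```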
What is ShadowPad?
ShadowPad is a backdoor trojan, meaning that it opens a covert channel from the infected system to its command-and-control servers. Through this channel, information can be extracted from the system or further malicious code delivered to it. Mr Raut said that “there was an attempt to insert or delete about 8 GB of data from the server.”
Security firm Kaspersky says ShadowPad is designed to target supply chains in sectors such as transportation, telecommunications, energy and others. It was first identified in 2017, when it was found hidden in legitimate software made by a company called NetSarang. Trojanised software, that is, software carrying a hidden threat, named after the Trojan horse of Greek mythology, is the primary delivery method for ShadowPad.
How are ShadowPad and Red Echo connected to China?
Kaspersky said that many of the techniques used in ShadowPad are also found in the Winnti Group's malware, which has been “allegedly developed by Chinese-speaking actors”. Security analysis firm FireEye links ShadowPad to a group called ‘APT41', which it says overlaps with the Winnti group. Microsoft tracks another group called ‘Barium'. In September 2020, the US Department of Justice announced that a federal grand jury had charged “five computer hackers, all of whom were residents and nationals of the People's Republic of China (PRC), with computer intrusions affecting over 100 victim companies in the United States and abroad”. The Department of Justice confirmed that these were the intrusions that various security researchers had been labelling as ‘APT41', ‘Barium', ‘Winnti', ‘Wicked Panda' and ‘Wicked Spider'. The Justice Department statement added that “the defendants also compromised foreign government computer networks in India and Vietnam”.
Security firm FireEye also “assesses with high confidence” that ‘APT41' “carries out Chinese state-sponsored espionage activity in addition to financially motivated activity potentially outside of state control”, that is, the group not only spies for the Chinese government but also commits cyber crime when it suits them. The group is known to target the video-game industry.
Recorded Future notes in its report the significant overlap in the infrastructure used by Red Echo and ‘APT41 / Winnti / Barium'. “At least 3 of the [Red Echo] targeted Indian IP addresses were previously seen in a suspected APT41 / Barium-linked campaign targeting the Indian oil and gas sectors in November 2020,” it says.
What were the targets of Red Echo?
Recorded Future lists the following as suspected targets: Power System Operation Corporation Limited, NTPC Limited, NTPC Kudgi STPP, Western Regional Load Dispatch Centre, Southern Regional Load Despatch Centre, North Eastern Regional Load Dispatch Centre, Eastern Regional Load Dispatch Centre, Telangana State Load Dispatch Centre, Delhi State Load Dispatch Centre, DTL Tikri Kalan (Mundka), Delhi Transco Limited (Substation), V. O. Chidambaranar Port and Mumbai Port Trust.
What is the purpose of Red Echo?
Recorded Future states that the kind of infrastructure Red Echo sought access to, such as Regional Load Dispatch Centres, offers little scope for espionage. However, it adds, “We assess they pose significant concerns over the potential for pre-positioning of network access to support Chinese strategic objectives.” Pre-positioning in cyber warfare means planting malware assets in important places so that they can be activated when an actual attack is launched.