The Rashtrapati Bhawan – the official home of India's president – is illuminated at night. (Malhotraaman, CC BY-SA 4.0, via Wikimedia Commons)
A newly discovered threat group that researchers attributed to the Chinese government breached the power infrastructure in India, amid tensions along the two countries' borders.
Researchers say it's the first time a China-linked cyber actor has emerged as a significant threat against another nation's critical infrastructure.
Recorded Future's Insikt research team, which discovered the hackers, dubbed the group RedEcho. Researchers traced their hacking efforts against Indian energy assets back to mid-2020, around the same time that a squabble between China and India over the Himalayan border began to escalate. In June, India logged the first combat deaths between the two countries this century.
The choice of targets suggests RedEcho may be more interested in offensively positioning China for future conflict rather than engaging in the peace-time intellectual property theft that Chinese hackers are typically known for, said Jon Condra, Recorded Future's head of nation-state research, via email.
"The targeting of India’s regional and state load dispatch centers, a power substation, and a coal-fired thermal power plant likely offers the attackers little in the way of economic espionage opportunities, but pose significant concerns of potential prepositioning of network access to support Chinese strategic objectives," he said.
According to the Recorded Future report, more likely explanations include preparing for a kinetic attack, creating fodder for an information campaign, or signaling to the Indian government that it needs to back off.
Condra added: "Outside of traditional espionage, the targeting of the energy sector, and critical infrastructure more widely, has not been traditionally associated with Chinese cyber activity. This is the first instance we have encountered of a considerable threat posed against a nation's critical infrastructure from a China-linked activity group."
The conflict between China and India is still active. Following the May border clash in the Galwan Valley, India banned hundreds of Chinese apps. In the information security sphere, Recorded Future has logged a back and forth of traditional espionage hacking.
Inskit Group connected RedEcho to China through the use of the Chinese ShadowPad malware family, as well as shared infrastructure with the APT41 and Tonto groups, which are linked to China. However, the researchers did not find enough of a connection to conclude that RedEcho's activity is the work of an already known and established Chinese APT actor.
Researchers at Dragos confirmed the campaign, but would not comment on attribution.
There is no evidence RedEcho has targeted any critical infrastructure outside of India. But Condra said U.S. based chief information security officers need to be aware of China's shift in behavior, and begin threat hunting for this newly discovered group.
"Escalating tensions between major cyber powers is often coupled with increased interest in targeting critical infrastructure," he said.