Recently, the Maharashtra Power Minister announced that a State Cyber Cell probe had found 14 Trojan horses in the servers of the Maharashtra State Electricity Transmission Company. This malware had the potential to disrupt power distribution in the State. The announcement came in the wake of a report from Recorded Future, a U.S.-based cybersecurity firm, stating that a group linked to the Chinese government, which it called ‘Red Echo’, had targeted 10 vital nodes in India’s power distribution system and two seaports.
Q. How did Recorded Future track malware in Indian systems?
Recorded Future did not look directly into the servers of India’s power system. Instead, it found a large number of IP addresses linked to critical Indian systems communicating for months with AXIOMATICASYMPTOTE servers connected to Red Echo. These servers were configured with domains that spoofed those of Indian power sector entities. For example, one had an ‘ntpc-co.com’ domain, which spoofs the genuine ntpc.co.in. AXIOMATICASYMPTOTE servers act as command-and-control centres for a malware known as ShadowPad.
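The spoofing described above (a real name such as ntpc.co.in imitated by a lookalike such as ntpc-co.com) is something a defender can hunt for in their own DNS or proxy logs. The script below is an added example written for this page; it is not Recorded Future's method or code. It assumes a simple whitespace-separated log line format (timestamp, client IP, queried name); ntpc.co.in and ntpc-co.com are the domains named on the page, while "example-grid.gov.in", the other hostnames and all IP addresses are constructed placeholders.

```python
import re
from collections import Counter

# Legitimate domains to protect. ntpc.co.in is the real NTPC domain named on
# the page; "example-grid.gov.in" is a constructed placeholder.
LEGIT_DOMAINS = ["ntpc.co.in", "example-grid.gov.in"]

# Constructed DNS query log (timestamp, client IP, queried name); not real data.
SAMPLE_LOG = """\
2021-02-01T10:00:01 10.1.2.3 ntpc.co.in
2021-02-01T10:00:05 10.1.2.3 ntpc-co.com
2021-02-01T10:01:12 10.1.2.7 mail.ntpc.co.in
2021-02-01T10:02:30 10.1.2.9 example-grid.gov.in
2021-02-01T10:03:44 10.1.2.9 examplegrid-gov.com
2021-02-01T10:04:01 10.1.2.4 unrelated.example.org
2021-02-01T10:05:10 10.1.2.3 ntpc-co.com
"""


def skeleton(domain: str) -> str:
    """Collapse a domain to the characters a reader actually notices: drop the
    final label (the TLD) and every dot or hyphen, so that ntpc.co.in and
    ntpc-co.com both reduce to 'ntpcco'."""
    labels = domain.lower().rstrip(".").split(".")
    body = ".".join(labels[:-1]) if len(labels) > 1 else labels[0]
    return re.sub(r"[^a-z0-9]", "", body)


def edit_distance(a: str, b: str) -> int:
    """Plain Levenshtein distance, used to catch single-character typosquats."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def is_legitimate(query: str, legit: str) -> bool:
    """True if the query is the protected domain itself or a subdomain of it."""
    q = query.lower().rstrip(".")
    return q == legit or q.endswith("." + legit)


def classify(query: str, legit_domains=LEGIT_DOMAINS):
    """Return the protected domain a query imitates, or None when the query is
    either genuinely that domain (or a subdomain) or simply unrelated."""
    for legit in legit_domains:
        if is_legitimate(query, legit):
            return None
    qs = skeleton(query)
    for legit in legit_domains:
        ls = skeleton(legit)
        if qs == ls or edit_distance(qs, ls) == 1:
            return legit
    return None


def scan_dns_log(text: str, legit_domains=LEGIT_DOMAINS):
    """Return (client_ip, queried_name, imitated_domain) for lookalike queries."""
    findings = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 3:
            continue  # skip malformed lines rather than abort the scan
        _ts, client, name = parts
        target = classify(name, legit_domains)
        if target:
            findings.append((client, name, target))
    return findings


def clients_by_hits(findings):
    """Count lookalike lookups per client: the first triage view an analyst wants."""
    return Counter(client for client, _, _ in findings)


if __name__ == "__main__":
    hits = scan_dns_log(SAMPLE_LOG)
    for client, name, target in hits:
        print(f"{client} resolved {name}, which imitates {target}")
    print(dict(clients_by_hits(hits)))
```

The skeleton comparison deliberately ignores the TLD and punctuation, because that is exactly what the ntpc-co.com example varies; the edit-distance check adds coverage for one-character substitutions. On its own this only flags the lookup, so the clients it surfaces should then be checked for the other signal the report describes: sustained, months-long communication with the same external hosts.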
Q. What is ShadowPad?
ShadowPad is a backdoor Trojan malware, which means it opens a secret path from its target system to its command-and-control servers. Information can be extracted or more malicious code delivered via this path.
ShadowPad is built to target supply-chain infrastructure in sectors such as transportation, telecommunications, energy and more. It was first identified in 2017, when it was found hidden in legitimate software produced by a company named NetSarang.
Q. How are ShadowPad and Red Echo linked to China?
Several techniques used in ShadowPad are also found in malware from the Winnti group, “allegedly developed by Chinese-speaking actors”. The security analysis firm FireEye links ShadowPad to a group known as ‘APT41’, which it says overlaps with the Winnti group. Microsoft has been tracking another group under the name ‘Barium’.
Q. What were Red Echo’s targets?
Recorded Future lists these as suspected targets: Power System Operation Corporation Limited, NTPC Limited, NTPC Kudgi STPP, Western Regional Load Despatch Centre, Southern Regional Load Despatch Centre, North Eastern Regional Load Despatch Centre, Eastern Regional Load Despatch Centre, Telangana State Load Despatch Centre, Delhi State Load Despatch Centre, DTL Tikri Kalan (Mundka), Delhi Transco Ltd (substation), V. O. Chidambaranar Port and Mumbai Port Trust.
Q. What is the objective of Red Echo?
Recorded Future says the kind of infrastructure Red Echo sought to access, such as Regional Load Despatch Centres, offers minimal espionage value. It assesses that the intrusions instead raise significant concerns over potential pre-positioning of network access to support Chinese strategic objectives. Pre-positioning in cyber warfare means having malware assets in crucial places that can be called on when an actual attack is launched.