Cyber-attacks-‘Red Echo’

When did Chinese malware target Indian power grid utilities and why is it a matter of concern?

Introduction

• Maharashtra Power Minister announced that a State Cyber Cell probe had found 14 Trojan horses in the servers of the Maharashtra State Electricity Transmission Company.
• These malwares had the potential to disrupt power distribution in the State.
• The announcement came in the wake of a report from Recorded Future, a U.S.-based cybersecurity firm, stating that a group linked to the Chinese government, which it called ‘Red Echo’, had targeted 10 vital nodes in India’s power distribution system and two seaports.
• Recorded Future claims the cyber intrusions from China began in May 2020 amid heightened tensions at the border.
• It also suggested that these malwares could be the cause of the massive power outage in Mumbai last October.
• The Power Ministry said Chinese hacker groups had targeted various Indian power centres but these groups had been thwarted after government cyber agencies warned it about their activities.
• The Ministry said there had been “no data breach” from the threat.

How did Recorded Future track malware in Indian systems?

• Recorded Future found a large number of IP addresses linked to critical Indian systems communicating for months with AXIOMATICASYMPTOTE servers connected to Red Echo.
• These servers had domains spoofing those of Indian power sector entities configured to them.
  • For example, it had an ‘ntpc-co.com’ domain, which spoofs the original ntpc.co.in.
  • AXIOMATICASYMPTOTE servers act as command-and-control centres for a malware known as ShadowPad.

What is ShadowPad?

•  ShadowPad is a backdoor Trojan malware, which means it opens a secret path from its target system to its command-and-control servers.
• Information can be extracted or more malicious code delivered via this path.
  • Mr. Raut had said that there was an attempt to “either insert or remove around 8 GB of data from the server”.
• Security firm Kaspersky says ShadowPad is built to target supply-chain infrastructure in sectors like transportation, telecommunication, energy and more.
• It was first identified in 2017, when it was found hidden in a legitimate software produced by a company named NetSarang. Trojanised softwares, or softwares that have dangers hidden in them, like the eponymous Trojan horse from Greek mythology, are the primary mode of delivery for ShadowPad.

How are ShadowPad and Red Echo linked to China?

• Kaspersky states that several techniques used in ShadowPad are also found in malware from Winnti group, “allegedly developed by Chinese-speaking actors”.
• Security analysis firm FireEye links ShadowPad to a group known as ‘APT41’, which it says overlaps with the Winnti group.
• Microsoft has been tracking another group under the name ‘Barium’.
• The U.S. Department of Justice confirmed that these were the intrusions that various security researchers were tracking using different threat labels such as ‘APT41’, ‘Barium’, ‘Winnti’, ‘Wicked Panda’, and ‘Wicked Spider’.
• Security firm FireEye also “assesses with high confidence” that ‘APT41’ “carries out Chinese state-sponsored espionage activity in addition to financially motivated activity potentially outside of state control”, i.e., the group not only spies for the Chinese government but also does cybercrime when it suits them.
  • The group has been known to target the video-game industry.
• Recorded Future in its report notes large overlaps in the systems used by Red Echo and ‘APT41/Winnti/Barium’.

What were Red Echo’s targets?

• Recorded Future lists these as suspected targets: Power System Operation Corporation Limited, NTPC Limited, etc.
• V. O. Chidambaranar Port and Mumbai Port Trust.

What is the objective of Red Echo?

• Recorded Future says that Red Echo has minimal espionage possibilities.
• They pose significant concerns over potential pre-positioning of network access to support Chinese strategic objectives.