Did Chinese Hackers Cause Mumbai's Power Failure in October?

A report by the US-based firm Recorded Future says that since the escalation of tensions between the two countries at the LAC, state-backed Chinese hacker groups have targeted the Indian power grid system through malware.

New Delhi: The massive power outage in Mumbai in October 2020 may have been the result of a Chinese cyber campaign against India, timed as a ‘show of force’ warning to New Delhi about what could happen if the country pushed its border claims too vigorously in the context of the standoff at the Line of Actual Control (LAC) in Ladakh.

A report compiled by Recorded Future, a Massachusetts-based company that studies the use of the internet by state actors, details a campaign conducted by a China-linked threat activity group it calls ‘RedEcho’, which targeted the Indian power sector through malware.

Recorded Future observed a large increase in suspected targeted intrusion activity against Indian organisations from the Chinese state-sponsored group, and the campaign gained momentum after the standoff in Ladakh. Tensions between the two countries escalated after a violent clash in Galwan, which resulted in the death of at least 24 soldiers.

Recorded Future said the targeted activity was identified through a combination of large-scale automated network traffic analytics and expert analysis.

The October 12 grid failure in Mumbai resulted in massive power outages, stopping trains on tracks, hampering those working from home amidst the COVID-19 pandemic and hitting the stuttering economic activity hard. It took two hours for the power supply to resume for essential services, prompting chief minister Uddhav Thackeray to order an enquiry into the incident.

In November, media reports suggested that the power failure in Mumbai was the result of ‘sabotage’ by foreign entities. The government’s enquiry into the outage is expected to be completed soon.

The Massachusetts-based company’s report comes soon after the two armies disengaged in some regions after being locked in a standoff for over eight months in eastern Ladakh, with talks to ensure complete disengagement underway.

Indian and Chinese troops and tanks disengage from the banks of Pangong lake area in Eastern Ladakh where they had been deployed opposite each other for almost ten months now. Photo: PTI/Indian Army handout

‘No data breach’

Responding to the findings of the study, the ministry of power said, “There is no impact on any of the functionalities carried out by POSOCO due to the referred threat. No data breach/ data loss has been detected due to these incidents.”

It further said, “Prompt actions are being taken by the CISOs (chief information security officers) at all these control centres under operation by POSOCO for any incident/advisory received from various agencies like CERT-In, NCIIPC, CERT-Trans etc.”

The power ministry also said that the National Critical Information Infrastructure Protection Centre (NCIIPC), which oversees cybersecurity operations, had sounded an alert on February 12 about a Chinese state-sponsored threat actor group known as Red Echo targeting regional load dispatch centres (RLDCs) and state load dispatch centres (SLDCs). “NCIIPC informed through a mail dated 12th February 2021 about the threat by Red Echo through a malware called Shadow Pad,” the statement said.

Chinese foreign ministry spokesperson Wang Wenbin said, “As a staunch defender of cyber security, China firmly opposes and cracks down on all forms of cyber attacks.”

“Speculation and fabrication have no role to play on the issue of cyber attacks, as it is very difficult to trace the origin of a cyber attack. It is highly irresponsible to accuse a particular party when there is no sufficient evidence around, China is firmly opposed to such irresponsible and ill-intentioned practice,” he added.

‘Quietly gain a foothold’

Stuart Solomon, Recorded Future’s chief operating officer, told the New York Times that RedEcho “has been seen to systematically utilise advanced cyberintrusion techniques to quietly gain a foothold in nearly a dozen critical nodes across the Indian power generation and transmission infrastructure.”

Recorded Future said it notified the appropriate Indian government departments prior to publication of the suspected intrusions to support incident response and remediation investigations within the impacted organisations.

However, there was no immediate response from the Indian government on the study by the US company.

The report says that ten distinct Indian power sector organisations, including four of the five regional load dispatch centres (RLDCs) responsible for the operation of the power grid through balancing electricity supply and demand, have been identified as targets in a concerted campaign against India’s critical infrastructure. Other targets identified included two Indian seaports.

The report says “the alleged link between the outage and the discovery of the unspecified malware” in the system “remains unsubstantiated” but noted that “additional evidence suggested the coordinated targeting of the Indian load dispatch centres”.

According to the report, the targeting of Indian critical infrastructure offers limited economic espionage opportunities but poses “significant concerns” over potential pre-positioning of network access to support Chinese strategic objectives.

Pre-positioning on energy assets may support several potential outcomes, including geostrategic signalling during heightened bilateral tensions, supporting influence operations, or as a precursor to kinetic escalation, Recorded Future said.

RedEcho has strong infrastructure and victimology overlaps with Chinese groups APT41/Barium and Tonto Team, while ShadowPad is used by at least five distinct Chinese groups, it said.

At least three of the targeted Indian IP addresses were previously seen in a suspected APT41/Barium-linked campaign targeting the Indian oil and gas sectors in November 2020, Recorded Future said.

Recorded Future said that in the lead-up to the May 2020 border skirmishes, it observed a noticeable increase in the provisioning of PlugX malware C2 infrastructure, much of which was subsequently used in intrusion activity targeting Indian organisations.

The PlugX activity included the targeting of multiple Indian government, public sector and defence organisations from at least May 2020, it said.

While not unique to Chinese cyber espionage activity, PlugX has been heavily used by China-nexus groups for many years.

“Throughout the remainder of 2020, we identified a heavy focus on the targeting of Indian government and private sector organisations by multiple Chinese state-sponsored threat activity groups,” it said.

In its report, Recorded Future said that it has also observed the suspected Indian state-sponsored group Sidewinder target Chinese military and government entities in 2020, a finding that is supported by another study by the firm Trend Micro.

People pose in front of a display showing the word 'cyber' in binary code, in this picture illustration taken in Zenica December 27, 2014. Credit: Reuters/Dado Ruvic/Files

‘Sending a warning’

Lieutenant General (Retired) D.S. Hooda told the New York Times that the intrusions are a signal from China to indicate “that we can and we have the capability to do this in times of a crisis”. He added, “It’s like sending a warning to India that this capability exists with us.”

The newspaper also reported that cyber attacks such as these give countries a “less devastating” option than a nuclear attack, one capable, however, of giving a country “a strategic and psychological edge”.

It said Russia was a pioneer in using this technique, targeting both Ukraine and the US.

“And the United States has engaged in similar signaling. After the Department of Homeland Security announced publicly that the American power grid was littered with code inserted by Russian hackers, the United States put code into Russia’s grid in a warning to President Vladimir V. Putin,” NYT said.

Until recently, China focused on “information theft” but the country has been “increasingly active” in placing code into infrastructure systems, “knowing that when it is discovered, the fear of an attack can be as powerful a tool as an attack itself”.

The New York Times report also says that the Chinese government – which too has not commented on the report’s findings – could “argue that India started the cyberaggression”. It said state-backed hackers were “caught using coronavirus-themed phishing emails to target Chinese organizations in Wuhan last February”.