An alarming story about a Chinese cyber-attack
The TLDR: A US cybersecurity company put out a report that reveals critical parts of our electricity grid were infiltrated by Chinese malware last year. The hacking began before the border clashes in Ladakh—and may be linked to the massive power outage in Mumbai in October. The big worry: Are we still vulnerable to this new form of warfare?
Tell me about the hacking…
According to Recorded Future, the attack was coordinated by a Chinese government-backed group of hackers dubbed RedEcho. They used a tool called ShadowPad to gain access to 10 distinct nodes in our power grid—including power plants and regional centres that help distribute the load across key regions (see map below). They also targeted two seaports in Mumbai and Tuticorin—plus a high-voltage transmission substation and a coal-fired power plant.
The aim: According to Recorded Future, the group “has been seen to systematically utilize advanced cyberintrusion techniques to quietly gain a foothold in nearly a dozen critical nodes across the Indian power generation and transmission infrastructure.”
In other words, most of the malware has not been used to do anything as yet. It may have simply been embedded within our systems—to be activated when needed. If that is true, the results can be catastrophic as hackers can simply ‘switch off’ large swathes of our energy infrastructure.
Key point to note: Since 2019, intelligence officials have been warning of almost daily cyberattacks targeting our power infrastructure. And these have been happening for a long time:
- November 2017: malware attack on the Tehri dam in Uttarakhand.
- May 2017: ransomware attack on West Bengal State Electricity Distribution Co. Ltd (WBSEDCL).
- 2018: attacks on electricity distribution companies in Rajasthan and Haryana.
- July 2012: massive power transmission failures that left around 700 million people without electricity—triggered again by an attack on the Tehri dam.
But most of these attacks were conducted by independent groups of hackers from China, Singapore and Russia—with the aim of getting ransom.
But this malware triggered the Mumbai outage?
Back on October 13, the lights suddenly went off in large swathes of Mumbai for two hours. Trains, offices, the stock exchange all shut down—and hospitals were operating on backup power. Now was this the result of that Chinese malware? There isn’t any one answer to that question.
The Maharashtra government: The idea that the outage was triggered by a Chinese hack isn’t new. Back in November, the Maharashtra cyber intelligence cell announced that it had traced the cause to malware in the Padgha-based load dispatch centre—which monitors power transmission and manages the electricity load across the Mumbai Metropolitan Region (MMR).
Even earlier, in June, the state intelligence chief had already raised the alarm about Chinese infiltration attempts:
“...[T]here has been a sudden surge since past four to five days where attacks have happened on major sectors from China. These sectors include Information, Infrastructure and Banking. There has been a minimum of 40300 probes or cyber attacks for which we have gathered information as of now...
These cyber-attacks or hacking attempts are happening from the Chengdu area of China… These can be divided into three categories which are Denial of service attacks, Internet protocol hijacking attacks and Phishing attacks. Due to these attacks, the Indian cyberspace—especially the government sector—at this stage remains vulnerable.”
Recorded Future: isn’t willing to commit to a definitive answer. According to its report, “the alleged link between the outage and the discovery of the unspecified malware” in the system “remains unsubstantiated.” But they point to what Maharashtra officials claimed at the time of the outage—and say that their report provides “additional evidence suggesting the coordinated targeting of the Indian load dispatch centers.”
The Union government: responded to the New York Times story on the report, saying essentially: Yes, they already knew about Chinese attempts to target the power grid—and have successfully thwarted them. The statement refused to confirm or deny whether it was linked to the Mumbai outage. But it declared: “No data breach/data loss has been detected due to these incidents.”
Key point to note: Maharashtra Home Minister Anil Deshmukh’s response was more ambiguous. At a press conference, he confirmed that the Mumbai outage was caused by an act of cyber-sabotage. He said that 14 Trojans were used to insert malware into the state electricity board’s systems—and that 8 gigabytes of data from foreign accounts had been transferred to its server. But he also claimed that investigators “can’t say which country is behind this at this point of time.”
But why isn’t the government saying it’s China?
Recorded Future has already shared its findings with the government twice—but hasn’t received a response. Now the public release of the report comes at an awkward time:
“It is possible the Indians are still searching for the code. But acknowledging its insertion, one former Indian diplomat noted, could complicate the diplomacy in recent days between China’s foreign minister, Wang Yi, and his Indian counterpart, Subrahmanyam Jaishankar, in an effort to ease the border tensions.”
For now, discretion appears to be the better part of valour—perhaps because the government is still assessing the extent of the incursion and its impact.
But that Mumbai outage wasn’t a big deal…
Nope, it only lasted two hours, and didn’t do much damage. Experts interviewed by the New York Times speculate that it may have been a form of ‘signalling’:
“‘I think the signaling is being done’ by China to indicate ‘that we can and we have the capability to do this in times of a crisis,’ said retired Lt. Gen. D.S. Hooda, a cyberexpert who oversaw India’s borders with Pakistan and China. ‘It’s like sending a warning to India that this capability exists with us.’”
A related worry: Despite the government’s warnings—and rising tensions with China—25 cities across 12 states have awarded contracts to Chinese software companies to manage their electricity supply, which gives those companies access to critical operational information and the ability to control the supply remotely. Why this matters: Russia cut off power to Ukraine twice using similar access.
A new worry, vaccines: Another cyber-security firm, Cyfirma, told Reuters that a separate group of Beijing-backed hackers has been targeting Serum Institute and Bharat Biotech—the two biggest manufacturers of Covid vaccines in India. The company’s chief said: “The real motivation here is actually exfiltrating intellectual property and getting competitive advantage over Indian pharmaceutical companies.”
The bottom line: That Chinese hackers have infiltrated our infrastructure is hardly a surprise. And it’s not just our government that may have been guilty of complacency. Right now, the United States is struggling to deal with an unprecedented and widespread cyberattack—executed by Russian hackers using software sold by a company called SolarWinds. The level of infiltration is mind-boggling:
- 425 of the US Fortune 500
- All 10 of the top US telecom companies
- Key US government bodies: the Pentagon, State, Treasury, Commerce, the National Security Agency, the Department of Justice, etc.
The question for us: Would we even know if the same thing happened to us?
Reading list
To satisfy your inner nerd, you can read the original Recorded Future report here. The New York Times has the best reporting. Reuters has more on the vaccine angle. This older Business Standard story has more on the emerging pattern of cyberattacks on vaccine companies around the world—including India. Indian Express has a good explainer on China’s use of cyber warfare.