India thwarted China’s cyber attacks on power sector

By Sumit Kumar Singh

New Delhi, March 1 (SocialNews.XYZ) China carried out cyber attacks on Indian power and ports sectors when troops were engaged at the borders along the Line of Actual Control but there was "no impact" on critical infrastructure, sources in the power ministry said on Monday.

The ministry carried out a study -- China-Linked group Red Echo targets the Indian power sector amid heightened border tensions -- carried out by Recorded Future's Insikt Group and released on Monday which came to the conclusion that there were cyber attacks but nothing happened to critical infrastructure.

The report stated that in total, 21 IP addresses resolving to 10 distinct Indian organisations in the power generation and transmission sector were targeted, with a further two organisations in the maritime sector. They were targeted through a malware called Shadow Pad.

All 12 organizations qualify as critical infrastructure, as per the Indian National Critical Information Infrastructure Protection Centre (NCIIPC) definition.

"Within India's power sector, Red Echo conducted suspected network intrusions targeting at least 4 out of the country's 5 Regional Load Despatch Centres (RLDCs), alongside 2 State Load Despatch Centres (SLDCs)," the report stated. RLDCs and SLDCs are responsible for ensuring real-time integrated operation of India's power grid through balancing electricity supply and demand to maintain a stable grid frequency.

The report also talks about the October 2020 power outage in Mumbai links to a malware attack at a Padgha-based State Load Despatch Centre. However, the alleged link between the outage and the discovery of the unspecified malware variant remains unsubstantiated in the study.

Other Red Echo intrusions within the Indian power sector included the targeting of a high-voltage transmission substation and a coal-fired thermal power plant. "The targeting of these critical power assets offer limited economic espionage opportunities, but pose significant concerns over potential pre-positioning of network access to support other Chinese strategic objectives," the report stated.

Reacting to the report's finding, power ministry sources said that a system of monitoring and analysis of cyber activities is already in place at all RLDCs & NLDC, operated by the Power System Operation Corporation (POSOCO).

Further, sources said that the ministry received an email from the Indian Computer Emergency Response Team (CERT-In) on November 19, 2020 on the threat of malware called Shadow Pad at some control centres of POSOCO. Accordingly, action has been taken to address these threats.

Subsequently, NCIIPC informed through a mail dated February 12, 2021 about the threat by Red Echo through a malware called Shadow Pad.

Sources in the ministry said the report of Insikt referring to the threat actors were already informed to them by CERT-in and NCIIPC.

After the ministry came to know about the threats, all IPs and domains listed in the NCIIPC mail were blocked in the firewall at all control centres.

"Log of firewall is being monitored for any connection attempt towards the listed IPs and domains. Additionally, all systems in control centres were scanned and cleaned by antivirus," the sources in the ministry said.

The IPs mentioned in the Red Echo related advisory are matching with those given in Shadow pad.

"Observations from all RLDCs & NLDC shows that there is no communication and data transfer taking place to the IPs mentioned. There is no impact on any of the functionalities carried out by POSOCO due to the referred threat. No data breach/data loss has been detected due to these incidents," the ministry had noted.

Prompt action is being taken by the chief information security officers at all these control centres under operation by POSOCO for any incident or advisory received from various agencies like CERT-in, NCIIPC, CERT-Trans and others.

(Sumit Kumar Singh can be reached at sumit.k@ians.in)

Source: IANS