As of Tuesday, Recorded Future could see a ‘handshake’ — indicating an exchange of traffic — between a China-linked group and an Indian maritime port, said Stuart Solomon, the firm’s chief operating officer. Recorded Future calls the group RedEcho and says it had targeted as many as 10 entities under India’s power grid as well as two maritime ports when the company first notified India’s Computer Emergency Response Team on Feb. 10. Most of these connections were still operational as recently as Feb. 28, Solomon said.
“There’s still an active connection between the attacker and the attackee,” Solomon said, referring to the port. “It’s still happening.”
A spokesman for India’s Ministry of Electronics and Information Technology wasn’t immediately available for comment. “Without any proof, slandering a specific side is irresponsible behavior and an ill-intentioned one,” Chinese Foreign Ministry spokesman Wang Wenbin said in Beijing on Wednesday.
The intrusions into India’s critical infrastructure have been occurring since at least the middle of last year, according to Recorded Future, a timeline that tracks back to the start of a bloody skirmish between Indian and Chinese soldiers at a border post in the Himalayas.
Since then, authorities across India’s federal and state governments have been bickering about whether a cyberattack was responsible for the October collapse of the power grid that supplies Mumbai, an outage that brought the financial hub to a halt for several hours, impacting stock markets, transport networks and thousands of households.
Recorded Future, a privately held cybersecurity firm based near Boston that tracks malicious activity by nation-state actors, hasn’t asserted any connection between the traffic observed under RedEcho and the Mumbai outage. But, Solomon said, “it’s not unusual to see this type of technique used by nation states as an instrument of national power.”
“This could be as simple as trying to drive influence operations to be able to signal either to the people or the government that at any given time they have leverage that can be used against them,” he added.
Indian federal officials have denied that any cyberattack has occurred, but say malware was found. The National Critical Information Infrastructure Protection Centre emailed the central Power System Operation Corp. about the threat from RedEcho on Feb. 12, the Power Ministry said in a statement Tuesday. Dispatch center employees shut down control functions that allow circuit breakers to be operated remotely. They changed user credentials and isolated vulnerable equipment.
Investigators from Maharashtra are due to present their findings to local lawmakers on Wednesday.
Regarding the Mumbai power outage of Oct. 12, initial information suggested 14 Trojan horses, that is, malicious code, and 8 gigabytes of unaccounted foreign data could have been transferred to the main electricity board, Anil Deshmukh, Maharashtra state’s home minister, said in a briefing on Monday. He added that blacklisted IP addresses had tried to log in to the board’s servers. He didn’t attribute the attack to any country or entity.
The 10 entities RedEcho infiltrated account for nearly 80% of India’s land mass from an electricity-coverage perspective, Solomon said. The intrusions could have remained unexposed and undetected until they were needed as leverage, he said.
“If it was meant to take down the lights, it would have taken down the lights,” Solomon said. “It didn’t.”