Security analysts see a common connection linking Chinese actors to attacks on critical infrastructure across India.

IT systems at Indian electricity organisations in Maharashtra, Assam, Delhi, and Tamil Nadu have been targeted by a hacking group believed to be based in China, according to security intelligence provider Recorded Future. It wasn't just power distribution infrastructure: intrusion attempts were also detected at the Mumbai and V.O. Chidambaranar (formerly Tuticorin) ports.

Charity Wright, a threat intelligence analyst at Recorded Future, explained in a web conference how the firm tracked the now well-known China-linked hacker group RedEcho and the extent of its reach into India's critical infrastructure. Through network traffic analysis, and by examining potential exfiltration events, the firm detected patterns pointing to an attempted cyber-attack on the country's critical infrastructure by RedEcho: high-volume, sustained network traffic flowing from Indian power-sector networks to servers used by the Chinese state-sponsored group.

While some have attempted to link the attacks to the power outage that hit Mumbai on 12 October 2020, which Maharashtra energy minister Nitin Raut called an act of "sabotage", Recorded Future said it has not been able to substantiate any such link.

Wright said that RedEcho's modus operandi overlaps with that of other known Chinese groups such as APT41 and Tonto Team. CSO has previously reported on APT41's activities: a veteran among hacker groups, it gained notoriety for the 2017 attack on CCleaner. It has since targeted critical infrastructure across the globe, hitting establishments in the manufacturing, power, pharmaceutical, and telecom sectors.

The evidence pointing to a state-sponsored attack

"The targeting is very specific to critical infrastructure. This is both unusual and unsettling.
The traffic landing in the RedEcho infrastructure came exclusively from the 10 power grid assets as well as from two ports," Wright said.

The discernible pattern, deduced by fingerprinting the adversary's servers, suggested the campaign was highly targeted: the IPs communicating with that infrastructure resolved almost entirely to the critical assets. The power stations and ports in question were communicating with a collection of servers used for hacking that Recorded Future has codenamed "axiomaticasymptote" and links to Chinese threat actors. Recorded Future identifies axiomaticasymptote servers by distinct characteristics such as their HTTP response headers. In the past, these servers were used by Chinese threat actors for command and control of closed-source malware families. ShadowPad, for instance, has been used by Chinese groups including APT41, Tonto Team, Tick, and the operators of the Icefog APT malware.

Two further observations point away from a criminal motive. Cyber-attacks on critical infrastructure, unlike ransomware, rarely have a direct financial motive, and the targets chosen for this campaign were spread across the length and breadth of the country.

"We also observed hosting overlaps between RedEcho DDNS domains and previously-reported APT41 and Tonto Team infrastructure," said Wright. In addition, Recorded Future observed the use of CNDNS, a China-based domain reseller and hosting provider.

The accumulated clues are not enough for Recorded Future to attribute the intrusions to any of the groups it has already identified: for now RedEcho remains a distinct activity group linked to China.
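The two techniques the article attributes to Recorded Future, fingerprinting suspected command-and-control servers by their HTTP response headers and then spotting sustained, high-volume traffic from victim networks to those servers, can be sketched in a few dozen lines. The script below is an added illustration written for this page; it is not Recorded Future's tooling, and every IP address, HTTP response, flow record and threshold in it is a constructed placeholder (RFC 5737 documentation ranges, made-up byte counts), not an indicator from the RedEcho report.

```python
"""Added example (not Recorded Future's code): cluster suspected C2 servers by
HTTP response-header layout, then flag internal hosts sending sustained
high-volume traffic to the resulting watchlist.  All data is constructed."""
from collections import defaultdict
from datetime import datetime, timedelta
import hashlib


def header_fingerprint(raw_response: str) -> str:
    """Fingerprint a raw HTTP response by header-name order plus Server value.

    Header order and casing are kept on purpose: they differ between server
    builds and are what makes the fingerprint discriminating.  Other header
    values (Date, Content-Length, ETag) change per request and are dropped.
    """
    head = raw_response.split("\r\n\r\n", 1)[0]
    names, server = [], ""
    for line in head.split("\r\n")[1:]:          # skip the status line
        name, _, value = line.partition(":")
        names.append(name)
        if name.lower() == "server":
            server = value.strip()
    material = "|".join(names) + "|" + server
    return hashlib.sha256(material.encode()).hexdigest()[:16]


def cluster_servers(responses):
    """Group IPs whose responses share a fingerprint: {fingerprint: [ips]}."""
    clusters = defaultdict(list)
    for ip, resp in responses.items():
        clusters[header_fingerprint(resp)].append(ip)
    return dict(clusters)


def build_watchlist(responses, seed_ip):
    """Every IP whose fingerprint matches a known-bad seed server."""
    seed_fp = header_fingerprint(responses[seed_ip])
    return {ip for ip, r in responses.items() if header_fingerprint(r) == seed_fp}


def sustained_outbound(flows, watchlist, min_bytes=10_000_000, min_windows=3):
    """Return {(src, dst): [hour buckets]} for pairs that move >= min_bytes to
    a watchlisted dst in at least min_windows distinct hourly windows.

    flows: iterable of (timestamp, src_ip, dst_ip, bytes_out).  A single burst
    is not enough; the thresholds (assumptions) demand volume *and* duration.
    """
    per_window = defaultdict(lambda: defaultdict(int))
    for ts, src, dst, nbytes in flows:
        if dst not in watchlist:
            continue
        bucket = ts.replace(minute=0, second=0, microsecond=0)
        per_window[(src, dst)][bucket] += nbytes
    hits = {}
    for pair, buckets in per_window.items():
        heavy = sorted(b for b, n in buckets.items() if n >= min_bytes)
        if len(heavy) >= min_windows:
            hits[pair] = heavy
    return hits


# Constructed responses: .10 and .11 share one server build, .12 differs.
RESPONSES = {
    "198.51.100.10": ("HTTP/1.1 200 OK\r\nServer: nginx/1.14.0\r\n"
                      "Date: Mon, 01 Mar 2021 10:00:00 GMT\r\n"
                      "Content-Type: text/html\r\nContent-Length: 0\r\n\r\n"),
    "198.51.100.11": ("HTTP/1.1 200 OK\r\nServer: nginx/1.14.0\r\n"
                      "Date: Mon, 01 Mar 2021 10:05:00 GMT\r\n"
                      "Content-Type: text/html\r\nContent-Length: 17\r\n\r\n"),
    "198.51.100.12": ("HTTP/1.1 200 OK\r\nDate: Mon, 01 Mar 2021 10:00:00 GMT\r\n"
                      "Server: Apache\r\nContent-Length: 0\r\n"
                      "Content-Type: text/html\r\n\r\n"),
}

# Constructed NetFlow-style records (timestamp, src, dst, bytes).
_BASE = datetime(2021, 3, 1, 0, 0)
FLOWS = (
    # sustained and heavy: 12 MB every hour for four hours -> should fire
    [(_BASE + timedelta(hours=h, minutes=7), "10.0.0.5", "198.51.100.10", 12_000_000)
     for h in range(4)]
    # one large burst in a single window -> volume but no duration
    + [(_BASE + timedelta(hours=1), "10.0.0.6", "198.51.100.10", 50_000_000)]
    # beacon-sized traffic every hour -> duration but no volume
    + [(_BASE + timedelta(hours=h), "10.0.0.8", "198.51.100.11", 1_024) for h in range(6)]
    # heavy and sustained but destination is not watchlisted
    + [(_BASE + timedelta(hours=h), "10.0.0.7", "203.0.113.9", 12_000_000) for h in range(4)]
)

if __name__ == "__main__":
    print("clusters:", cluster_servers(RESPONSES))
    wl = build_watchlist(RESPONSES, seed_ip="198.51.100.10")
    print("watchlist:", sorted(wl))
    for (src, dst), hours in sustained_outbound(FLOWS, wl).items():
        print(f"ALERT {src} -> {dst}: heavy traffic in {len(hours)} hourly windows")
```

Run stand-alone it reports one cluster of two nginx hosts, expands the seed server into a two-address watchlist, and raises a single alert for the host that kept pushing data hour after hour; the one-off burst, the low-volume beacon and the non-watchlisted destination are all ignored. In a real deployment the header fingerprints would come from internet-wide scan data and the flows from the organisation's collectors; header order alone is a weak signal and should be combined with TLS certificate and banner details before anything is added to a blocklist.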