IT systems at Indian electricity organizations in Maharashtra, Assam, Delhi, and Tamil Nadu have been targeted by a hacking group believed to be based in China, according to security intelligence provider Recorded Future. It wasn't just power distribution infrastructure: intrusion attempts were also detected at the Mumbai and VO Chidambaranar (formerly Tuticorin) ports.

Charity Wright, a threat intelligence analyst at Recorded Future, revealed in a web conference how the firm tracked the now-famous China-linked hacker group RedEcho and the extent of its reach into India's critical infrastructure. Through network traffic analysis and by analysing potential exfiltration events, the threat-intel firm detected patterns pointing to an attempted cyber-attack on the country's critical infrastructure by RedEcho: it observed high-volume, sustained network traffic from Indian power stations to servers used by the Chinese state-sponsored hacker group.

While some have attempted to link the attacks to a power outage that affected Mumbai on 12 October, deemed an act of "sabotage" by Maharashtra energy minister Nitin Raut, Recorded Future said it has not been able to substantiate any such link.

Wright said that RedEcho's modus operandi overlaps with that of other known Chinese groups such as APT41 and Tonto Team. CSO has previously reported on APT41's activities: a veteran of sorts among hacker groups, it gained notoriety for perpetrating a cyber-attack on CCleaner back in 2017. It has since gone after critical infrastructure assets across the globe, targeting establishments in the manufacturing, power, pharma, and telecom sectors.

The evidence pointing to a state-sponsored attack

"The targeting is very specific to critical infrastructure. This is both unusual and unsettling. The traffic landing in the RedEcho infrastructure came exclusively from the 10 power grid assets as well as from two ports," Wright said.

The discernible pattern, deduced through server fingerprinting of the adversary infrastructure, suggested the campaign was highly targeted, given the high concentration of IPs resolving to the critical assets. The power stations and ports in question were communicating with a collection of servers used for hacking that Recorded Future has codenamed "axiomaticasymptote," and that it links with Chinese threat actors. It identified the axiomaticasymptote servers based on distinct characteristics such as HTTP header responses.

In the past, these servers were used by Chinese threat actors for command and control of closed-source malware families. Take ShadowPad, for instance: it has been used by Chinese hacker groups like APT41, Tonto Team, Tick, and the perpetrators of the Icefog APT malware.

Cyber-attacks on critical infrastructure, unlike ransomware, almost never have an economic motive. Also, the targets chosen for the attack were spread across the length and breadth of the country.

"We also observed hosting overlaps between RedEcho DDNS domains and previously-reported APT41 and Tonto Team infrastructure," said Wright. In addition, Recorded Future observed the use of CNDNS, a China-based domain reseller and hosting provider.

The accumulation of clues is not enough for Recorded Future to link the intrusions with the existing hacking groups it has identified: for now RedEcho remains a distinct activity group linked to China.
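The two detection techniques the article describes, sustained high-volume traffic from internal assets to a watchlist of suspected adversary servers, and grouping of servers by their HTTP response-header profile, can be illustrated with a small defender-side script. The example below is added here; it is not Recorded Future's tooling, and every IP address, flow record, header value and threshold in it is a constructed placeholder rather than an indicator from the report.

```python
"""
Added example (not Recorded Future's tooling): two defender-side checks
modelled on the techniques described in the article.

1. Flag internal hosts that send sustained, high-volume traffic to a
   watchlist of suspected adversary infrastructure (netflow-style records).
2. Fingerprint an HTTP server by the order of its response headers plus the
   values of server-identifying headers, so servers sharing a distinctive
   profile can be grouped.

All IPs, flow records, header values and thresholds below are constructed
placeholders (TEST-NET ranges); none are real indicators.
"""
from collections import defaultdict
from datetime import datetime, timezone

# Constructed watchlist of suspected adversary servers (placeholders, not real IoCs)
WATCHLIST = {"203.0.113.10", "203.0.113.11", "198.51.100.25"}

# Constructed netflow-style records: (UTC timestamp, src IP, dst IP, bytes sent)
FLOWS = [
    ("2021-02-01T01:05:00Z", "10.20.0.5", "203.0.113.10", 4_200_000),
    ("2021-02-01T02:10:00Z", "10.20.0.5", "203.0.113.10", 3_900_000),
    ("2021-02-01T03:15:00Z", "10.20.0.5", "203.0.113.10", 4_500_000),
    ("2021-02-01T01:30:00Z", "10.20.0.9", "198.51.100.25", 500),        # tiny, not sustained
    ("2021-02-01T01:45:00Z", "10.20.0.7", "192.0.2.44", 9_000_000),     # large, but not watchlisted
    ("2021-02-01T05:00:00Z", "10.20.0.5", "203.0.113.11", 5_000_000),   # a single window only
]


def _window(ts: str, window_seconds: int) -> int:
    """Bucket an ISO-8601 UTC timestamp into a fixed-size time window index."""
    dt = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return int(dt.timestamp()) // window_seconds


def sustained_outbound(flows, watchlist, window_seconds=3600,
                       min_bytes=1_000_000, min_windows=3):
    """
    Return sorted (src, dst) pairs where src sent at least `min_bytes` to a
    watchlisted dst in at least `min_windows` consecutive time windows.
    A single large transfer is not enough; the volume has to persist.
    """
    per_pair = defaultdict(lambda: defaultdict(int))
    for ts, src, dst, nbytes in flows:
        if dst in watchlist:
            per_pair[(src, dst)][_window(ts, window_seconds)] += nbytes

    hits = []
    for pair, buckets in per_pair.items():
        hot = sorted(w for w, b in buckets.items() if b >= min_bytes)
        run = 1
        best = 1 if hot else 0
        for prev, cur in zip(hot, hot[1:]):
            run = run + 1 if cur == prev + 1 else 1   # consecutive windows extend the run
            best = max(best, run)
        if best >= min_windows:
            hits.append(pair)
    return sorted(hits)


def fingerprint_headers(raw_headers: str):
    """
    Build a server fingerprint from the ordered header names plus the values
    of a few server-identifying headers (Server, X-Powered-By). Volatile
    headers such as Date contribute their name and position but not their value.
    """
    names = []
    ident = {}
    for line in raw_headers.strip().splitlines():
        if ":" not in line:          # skips the status line
            continue
        name, value = line.split(":", 1)
        name = name.strip().lower()
        names.append(name)
        if name in ("server", "x-powered-by"):
            ident[name] = value.strip()
    return (tuple(names), tuple(sorted(ident.items())))


# Constructed response headers from three hosts; A and B share one profile, C does not.
HOST_A = ("HTTP/1.1 200 OK\nServer: nginx/1.14.0\nDate: Mon, 01 Feb 2021 01:00:00 GMT\n"
          "Content-Type: text/html\nContent-Length: 0\n")
HOST_B = ("HTTP/1.1 200 OK\nServer: nginx/1.14.0\nDate: Tue, 02 Feb 2021 09:00:00 GMT\n"
          "Content-Type: text/html\nContent-Length: 0\n")
HOST_C = ("HTTP/1.1 200 OK\nDate: Tue, 02 Feb 2021 09:00:00 GMT\nServer: Apache/2.4.41\n"
          "Content-Type: text/html\n")

if __name__ == "__main__":
    print("sustained outbound to watchlist:", sustained_outbound(FLOWS, WATCHLIST))
    print("A and B share a profile:", fingerprint_headers(HOST_A) == fingerprint_headers(HOST_B))
    print("A and C share a profile:", fingerprint_headers(HOST_A) == fingerprint_headers(HOST_C))
```

The flow check deliberately requires consecutive windows above the byte threshold, which is what separates the "sustained" traffic the article describes from a one-off transfer; on real data the watchlist would come from a threat-intel feed and the thresholds would be tuned to the site's normal egress. The header fingerprint only groups hosts that share a profile; it is a pivot for further investigation, not proof of shared ownership.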