Pierluigi Paganini April 09, 2022

China-linked threat actors continue to target Indian power grid organizations, most of the attacks involved the ShadowPad backdoor.

Recorded Future’s Insikt Group researchers uncovered a campaign conducted by a China-linked threat actor targeting Indian power grid organizations. The security firm is tracking this cluster of malicious activities under the moniker Threat Activity Group 38 aka TAG-38.

In February 2021, Insikt Group researchers reported a campaign aimed at India’s power grid that the experts attributed to China-linked threat actor RedEcho.

The attackers employed a modular backdoor dubbed ShadowPad, an implant used by several groups linked to the People’s Liberation Army (PLA) and the Ministry of State Security (MSS).

Recent attacks targeted at least 7 Indian State Load Despatch Centres (SLDCs) responsible for carrying out real-time operations for grid control and electricity dispatch within these respective states.

The attacks hit systems located in North India, in proximity to the disputed India-China border in Ladakh.

The attacks, which likely started in September 2021, aimed at gathering intelligence on critical infrastructure systems in preparation for future intrusions.

“Given the continued targeting of State and Regional Load Despatch Centres in India over the past 18 months, first from RedEcho and now in this latest TAG-38 activity, this targeting is likely a long-term strategic priority for select Chinese state-sponsored threat actors active within India.” reads the advisory published by Recorded Future. “The prolonged targeting of Indian power grid assets by Chinese state-linked groups offers limited economic espionage or traditional intelligence-gathering opportunities. We believe this targeting is instead likely intended to enable information gathering surrounding critical infrastructure systems or is pre-positioning for future activity.”

The analysis of the C2 infrastructure revealed that threat actors used compromised DVR/IP camera
devices primarily located in Taiwan or South Korea.

Most of the compromised devices acted as ShadowPad C2 servers, most of them shared a unique SSL certificate spoofing Microsoft on port 443. Experts noticed multiple links between the certificate and multiple China-linked cyberespionage campaigns.

“However, the coordinated effort to target Indian power grid assets in recent years is notably distinct from our perspective and, given the continued heightened tension and border disputes between the two countries, we believe is a cause for concern.”concludes the report. “Based on the complexity present across national critical infrastructure systems, this often necessitates lengthy reconnaissance operations to better understand the inner workings of these systems, both in a technological and a physical sense.”

Please vote for Security Affairs as the best European Cybersecurity Blogger Awards 2022 – VOTE FOR YOUR WINNERS
Vote for me in the sections “The Underdogs – Best Personal (non-commercial) Security Blog” and “The Tech Whizz – Best Technical Blog” and others of your choice.
To nominate, please visit: https://docs.google.com/forms/d/e/1FAIpQLSfxxrxICiMZ9QM9iiPuMQIC-IoM-NpQMOsFZnJXrBQRYJGCOw/viewform  

Follow me on Twitter: @securityaffairs and Facebook

Pierluigi Paganini

(SecurityAffairs – hacking, APT28)

[adrotate banner=”5″]

[adrotate banner=”13″]