China-linked Group RedEcho Targets the Indian Power Sector Amid Heightened Border Tensions
_This report details a campaign conducted by a China-linked threat activity group, RedEcho, targeting the Indian power sector. The activity was identified through a combination of large-scale automated network traffic analytics and expert analysis. Data sources include the Recorded Future Platform, SecurityTrails, Spur, Farsight, and common open-source tools and techniques. The report will be of most interest to individuals engaged in strategic and operational intelligence relating to Indian and Chinese activity in cyberspace.
Recorded Future notified the appropriate Indian government departments prior to publication of the suspected intrusions to support incident response and remediation investigations within the impacted organizations._
Executive Summary
Relations between India and China have deteriorated considerably following the border clashes of May 2020, which resulted in the first combat deaths in 45 years between the world's two most populous nations. Consequently, on January 12, 2021, Indian Foreign Minister Subrahmanyam Jaishankar stated that trust between India and China had been "profoundly disturbed". While diplomacy and economic factors have so far prevented open war, as recently demonstrated by the bilateral disengagement at the border, cyber operations continue to offer states a powerful asymmetric capability to conduct espionage or to position themselves within networks for potentially disruptive purposes.
Since early 2020, Recorded Future’s Insikt Group observed a large increase in suspected targeted intrusion activity against Indian organizations from Chinese state-sponsored groups. From mid-2020 onwards, Recorded Future’s midpoint collection revealed a steep rise in the use of infrastructure tracked as AXIOMATICASYMPTOTE, which encompasses ShadowPad command and control (C2) servers, to target a large swathe of India’s power sector. 10 distinct Indian power sector organizations, including 4 of the 5 Regional Load Despatch Centres (RLDC) responsible for operation of the power grid through balancing electricity supply and demand, have been identified as targets in a concerted campaign against India’s critical infrastructure. Other targets identified included 2 Indian seaports.
By combining Recorded Future's proactive adversary infrastructure detections, domain analysis, and network traffic analysis, we determined that a subset of these AXIOMATICASYMPTOTE servers shared certain common tactics, techniques, and procedures (TTPs) with several previously reported Chinese state-sponsored groups, notably APT41 and Tonto Team.
Despite some overlaps with previously reported groups, Insikt Group does not currently believe there is enough evidence to firmly attribute the activity in this particular campaign to an existing public group, and therefore continues to track it as a closely related but distinct activity group, RedEcho.
Key Judgements
- The targeting of Indian critical infrastructure offers limited economic espionage opportunities; however, we assess that it raises significant concerns over potential pre-positioning of network access to support Chinese strategic objectives.
- Pre-positioning on energy assets may support several potential outcomes, including geo-strategic signaling during heightened bilateral tensions, supporting influence operations, or as a precursor to kinetic escalation.
- RedEcho has strong infrastructure and victimology overlaps with Chinese groups APT41/Barium and Tonto Team, while ShadowPad is used by at least 5 distinct Chinese groups.
- The high concentration of IPs resolving to Indian critical infrastructure entities communicating over several months with a distinct subset of AXIOMATICASYMPTOTE servers used by RedEcho indicates a targeted campaign, with little evidence of wider targeting in Recorded Future’s network telemetry.
Editor's Note: This post is an excerpt of a full report. To read the entire analysis, click here to download the report as a PDF.