You probably are acquainted with the news of attacks on Indian critical infrastructure. Dubbed RedEcho, this Chinese state-sponsored threat actor targeted India’s power grid. So, what do we know about this attacker?

About RedEcho

  • As per an investigation by Recorded Future, the victimology of this group coincides with that of APT41, also known as Barium. Moreover, RedEcho boasts of a robust infrastructure.
  • The malware used was ShadowPad, which has previously been reported to have been used by at least five disparate Chinese state-sponsored hackers.
  • A massive portion of the targeted IP addresses was spotted communicating with two AXIOMATICASYMPTOTE servers hosting several DDNS domains. This activity converges with that of Barium, as previously documented by Microsoft.
  • Nevertheless, sufficient evidence leading to attributing this activity to APT41 is lacking and hence, it is suspected that although related, RedEcho is a different threat actor.

More on the attacks

  • The AXIOMATICASYMPTOTE infrastructure consisted of ShadowPad C2 servers to accomplish the goal of targeting a huge chunk of the power sector.
  • Ten power sector organizations, including four Regional Load Despatch Centres (RDPL), were attacked.
  • The other two consisted of seaports in Kochi and Mumbai.
  • The 10 power sector organizations are responsible for approximately 80% of India’s landmass in the context of electricity coverage.

Why does it matter?

  • Although the hack seemed to aim at a power outage, it was more than that. The purpose of disrupting the electricity grid is supposed to be cyberespionage. ShadowPad is the latest element in the long line of custom capabilities of Chinese threat actors, used in cyberespionage activities.
  • With the rapid digitalization, utility infrastructure has become a lucrative target for cyber attackers.
  • Organizations and businesses are focusing on IT security, which is definitely a great thing. However, sometimes we tend to forget about the threats posed to OT security and the need to reinforce it.
  • Besides, attacks on industrial systems are not just virtual anymore; lives are being ruthlessly endangered.

Similar threats

This is not the only threat aimed at the power sector. There have been similar incidents recently, all of them quite catastrophic.
  • Dragos revealed that the Russian military intelligence group Sandworm was targeting the U.S. energy system for years.
  • Austin Energy warned its customers about unknown adversaries impersonating company officials and threatening to cut off their power unless a fabricated overdue bill is paid.
  • An intruder attempted to change the levels of sodium hydroxide in a Florida water treatment plant, moving the setting from 100 ppm to 11,100 ppm.

The bottom line

The emergence of RedEcho and the subsequent attacks call for a robust cybersecurity approach to industrial systems. The time for traditional security practices is gone and now governments and businesses should consider acting proactively against all sorts of threats to critical infrastructure.

Cyware Publisher