New Delhi: Amid the debate and vagueness surrounding claims by a Massachusetts-based cybersecurity firm that a China-linked group had targeted Indian power infrastructure, the firm itself organised a webinar to clear the air and shed light on the study it had carried out.
Through a presentation, the company's CEO, Dr Christopher Ahlberg, and its Head of Nation-State Research, Jon Condra, shared the details of the study: its methodology, analysis, and risk assessment.
Opening the presentation, Dr Ahlberg stated that during the analysis “Recorded Future observed through its network intelligence significant, high-volume, sustained network traffic from Indian power sector assets to servers used by a China-linked group.”
He explained that the group used a modus operandi similar to that previously seen from other Chinese threat groups such as APT41 and Tonto Team. In a more concerning disclosure, Recorded Future said that the adversary infrastructure targeting the Indian power sector is still active, noting: “Indications activity continues post border de-escalation”.
According to the presenters, twelve organisations were targeted: ten power-sector entities and two seaports. The list includes: Power System Operation Corporation Limited; NTPC Limited; NTPC Kudgi STPP; Western Regional Load Despatch Centre; Southern Regional Load Despatch Centre; North Eastern Regional Load Despatch Centre; Eastern Regional Load Despatch Centre; Telangana State Load Despatch Centre; Delhi State Load Despatch Centre; DTL Tikri Kalan (Mundka), Delhi Transco Ltd; VO Chidambaranar Port; and Mumbai Port Trust.
On methodology, Recorded Future said it identified the activity through “Large-Scale Automated Analytics” over network data, supplemented by expert analysis. It first proactively identified infrastructure deployed by the adversary through server fingerprinting (profiling exposed servers by attributes such as open ports, service banners and TLS certificates), then combined that with “Network Traffic Analysis” to establish, derive and confirm the relationship between victim networks and the adversary infrastructure. Finally, it enriched the traffic analysis with available data sources to identify the victims.
Discussing the methodology used, the presenters also mentioned their study of an attack on the European energy sector in late 2019 and highlighted that the same methodology had been used to investigate the attack on the European Network of Transmission System Operators for Electricity (ENTSO-E), where massive, sustained network traffic to and from “known-bad infrastructure” revealed the intrusion.
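To make the three-step methodology described above (server fingerprinting, network traffic analysis, then enrichment to identify the victim) concrete, here is an added illustrative Python example. It is not Recorded Future's code or analytics: every IP address (taken from the RFC 5737 documentation ranges), scan attribute, flow record and asset name in it is constructed for the example, and the "known-bad" server profile and the thresholds for "sustained" and "high-volume" are hypothetical.

```python
"""Illustrative pipeline: fingerprint candidate adversary servers from scan
data, then look for sustained, high-volume traffic from monitored assets to
them, and finally label the source addresses from an asset inventory.
All IPs, fingerprints, flows and asset names are CONSTRUCTED for this
example; nothing here is real victim or adversary data."""
from collections import defaultdict
from datetime import datetime

# Step 1 input: constructed internet-scan results, keyed by server IP.
SCAN_RESULTS = {
    "203.0.113.10": {"port": 443, "cert_cn": "update-srv.example", "banner": "nginx"},
    "203.0.113.11": {"port": 443, "cert_cn": "update-srv.example", "banner": "nginx"},
    "198.51.100.5": {"port": 443, "cert_cn": "www.example.org", "banner": "Apache"},
}
# Hypothetical profile of the adversary's server build (assumed, not real).
KNOWN_BAD_PROFILE = {"port": 443, "cert_cn": "update-srv.example", "banner": "nginx"}

# Step 2 input: constructed flow records (timestamp, src, dst, bytes).
FLOWS = [
    ("2021-01-04T02:10:00", "192.0.2.20", "203.0.113.10", 400_000),
    ("2021-01-05T02:12:00", "192.0.2.20", "203.0.113.10", 400_000),
    ("2021-01-06T02:09:00", "192.0.2.20", "203.0.113.10", 400_000),
    ("2021-01-07T02:11:00", "192.0.2.20", "203.0.113.10", 400_000),
    ("2021-01-08T02:10:00", "192.0.2.20", "203.0.113.10", 400_000),
    ("2021-01-04T03:00:00", "192.0.2.20", "203.0.113.11", 10_000),   # only 2 days
    ("2021-01-06T03:00:00", "192.0.2.20", "203.0.113.11", 10_000),
    ("2021-01-05T11:30:00", "192.0.2.30", "203.0.113.11", 50_000),   # one-off
    ("2021-01-04T09:00:00", "192.0.2.40", "198.51.100.5", 5_000_000),  # benign dst
    ("2021-01-05T09:00:00", "192.0.2.40", "198.51.100.5", 5_000_000),
    ("2021-01-06T09:00:00", "192.0.2.40", "198.51.100.5", 5_000_000),
]

# Step 3 input: constructed asset inventory used to name the victim.
MONITORED_ASSETS = {
    "192.0.2.20": "constructed load-despatch-centre asset",
    "192.0.2.30": "constructed port-operator asset",
}


def fingerprint_servers(scan_results, profile):
    """Return the set of IPs whose scan attributes match every key in profile."""
    return {
        ip for ip, attrs in scan_results.items()
        if all(attrs.get(key) == value for key, value in profile.items())
    }


def sustained_traffic(flows, adversary_ips, min_days=3, min_bytes=1_000_000):
    """Aggregate flows to fingerprinted adversary IPs per (src, dst) pair and
    keep pairs seen on at least min_days distinct days with >= min_bytes total.
    A single large transfer or a two-day blip is deliberately not enough."""
    agg = defaultdict(lambda: {"days": set(), "bytes": 0, "flows": 0})
    for ts, src, dst, nbytes in flows:
        if dst not in adversary_ips:
            continue
        entry = agg[(src, dst)]
        entry["days"].add(datetime.fromisoformat(ts).date())
        entry["bytes"] += nbytes
        entry["flows"] += 1
    return {
        pair: {"days": len(e["days"]), "bytes": e["bytes"], "flows": e["flows"]}
        for pair, e in agg.items()
        if len(e["days"]) >= min_days and e["bytes"] >= min_bytes
    }


def enrich(report, assets):
    """Attach an inventory label to each flagged source address."""
    return [
        {"victim": assets.get(src, "unattributed"), "src": src, "dst": dst, **stats}
        for (src, dst), stats in sorted(report.items())
    ]


def run_pipeline(scan_results=SCAN_RESULTS, profile=KNOWN_BAD_PROFILE,
                 flows=FLOWS, assets=MONITORED_ASSETS):
    """Fingerprint -> traffic analysis -> enrichment, returning the findings."""
    adversary_ips = fingerprint_servers(scan_results, profile)
    return enrich(sustained_traffic(flows, adversary_ips), assets)


if __name__ == "__main__":
    for finding in run_pipeline():
        print(finding)
```

Note how the thresholds do the work: the benign destination never enters the analysis because it did not match the fingerprint, and the one-off and two-day contacts with adversary infrastructure are dropped by the day-count test, leaving only the daily, multi-megabyte pattern that the presenters describe as "sustained".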
The speakers argued that targeting strategic Indian power-grid assets offers China limited economic-espionage value, which points instead to network pre-positioning. One likely objective is gathering intelligence on these networks for future operations; another is the pre-positioning of destructive malware that could be used to damage the Indian economy.
They argued that the activity could also be read as a warning from China, or a show of strength during the period of escalated tension between the two countries. Most importantly, it could potentially be part of a Chinese information operation intended to unsettle and disrupt the Indian population.
Rebutting stakeholders who questioned the Chinese government's involvement in the alleged attacks on Indian power infrastructure, Recorded Future officials stated that there is a high likelihood of the activity being state-sponsored, as “the infrastructure overlaps with other known Chinese state-sponsored groups.” They also underlined that the pattern observed in their investigation was not new and that the modus operandi was very similar to that of known Chinese threat activity groups.
The company also put forward a series of alarming predictions. It expects Chinese groups to continue targeting important Indian organisations through the current year, though it was optimistic about the disengagement at the eastern Ladakh border and termed it a ‘positive step’.
The company assessed that such intrusions into infrastructure could well be directed by the geopolitical interests of the Chinese Communist Party. It argued that China might continue to launch such attacks to strengthen its influence over other Asian nations through the Belt and Road Initiative (BRI) and to counter efforts to strengthen the Quad alliance. In this regard, Recorded Future believes that “Cyber Ops will almost certainly be used to support these aims in furthering strategic goals.”
The presenters also told the audience that concerns about Chinese attacks on the power infrastructure of rival countries are not new and have existed “for roughly a decade”.
During the question-and-answer session, Recorded Future officials also cautioned that Indian security establishments should be wary of attacks on Indian ports by the China-linked group. They explained that ports might be targeted to jolt the Indian economy by disrupting the trade that flows through them. According to them, the ports at greatest risk are Mumbai Port Trust and V. O. Chidambaranar Port in Tamil Nadu. It is worth noting that these two ports were among the twelve organisations identified as targets in Recorded Future's investigation.
The company also told the audience that while it is aware of reports of the targeting of the Maharashtra State Load Despatch Centre in October 2020, it has yet to confirm a connection between that incident and the China-linked group.