How a U.S. online threat analysis firm tracked alleged Chinese hackers who targeted 12 vital installations in India.
How did Recorded Future track malware in Indian systems?
Recorded Future did not look directly into the servers of India’s power system. Instead, it found a large number of IP addresses linked to critical Indian systems communicating for months with AXIOMATICASYMPTOTE servers connected to Red Echo. These servers had domains spoofing those of Indian power sector entities configured to them. For example, it had an ‘ntpc-co[.]com’ domain, which spoofs the original ntpc[.]co[.]in. AXIOMATICASYMPTOTE servers act as command-and-control centres for a malware known as ShadowPad.
What is ShadowPad?
ShadowPad is a backdoor Trojan malware, which means it opens a secret path from its target system to its command-and-control servers. Information can be extracted or more malicious code delivered via this path. Mr. Raut had said that there was an attempt to “either insert or remove around 8 GB of data from the server”.
Security firm Kaspersky says ShadowPad is built to target supply-chain infrastructure in sectors like transportation, telecommunication, energy and more. It was first identified in 2017, when it was found hidden in a legitimate software produced by a company named NetSarang. Trojanised softwares, or softwares that have dangers hidden in them, like the eponymous Trojan horse from Greek mythology, are the primary mode of delivery for ShadowPad.
How are ShadowPad and Red Echo linked to China?
Kaspersky states that several techniques used in ShadowPad are also found in malware from Winnti group, “allegedly developed by Chinese-speaking actors”. Security analysis firm FireEye links ShadowPad to a group known as ‘APT41’, which it says overlaps with the Winnti group. Microsoft has been tracking another group under the name ‘Barium’. In September 2020, the U.S. Department of Justice announced that a federal grand jury had indicted “five computer hackers, all of whom were residents and nationals of the People’s Republic of China (PRC), with computer intrusions affecting over 100 victim companies in the United States and abroad”. The U.S. Department of Justice confirmed that these were the intrusions that various security researchers were tracking using different threat labels such as ‘APT41’, ‘Barium’, ‘Winnti’, ‘Wicked Panda’, and ‘Wicked Spider’. The Department of Justice statement said the “defendants also compromised foreign government computer networks in India and Vietnam”.
Security firm FireEye also “assesses with high confidence” that ‘APT41’ “carries out Chinese state-sponsored espionage activity in addition to financially motivated activity potentially outside of state control”, i.e., the group not only spies for the Chinese government but also does cybercrime when it suits them. The group has been known to target the video-game industry.
Recorded Future in its report notes large overlaps in the systems used by Red Echo and ‘APT41/Winnti/Barium’. “At least 3 of the [Red Echo] targeted Indian IP addresses were previously seen in a suspected APT41/Barium-linked campaign targeting the Indian Oil and Gas sectors in November 2020,” it says.
What were Red Echo’s targets?
Recorded Future lists these as suspected targets: Power System Operation Corporation Limited, NTPC Limited, NTPC Kudgi STPP, Western Regional Load Despatch Centre, Southern Regional Load Despatch Centre, North Eastern Regional Load Despatch Centre, Eastern Regional Load Despatch Centre, Telangana State Load Despatch Centre, Delhi State Load Despatch Centre, DTL Tikri Kalan (Mundka), Delhi Transco Ltd (substation), V. O. Chidambaranar Port and Mumbai Port Trust.
What is the objective of Red Echo?
Recorded Future says the kind of infrastructure sought to be accessed by Red Echo, such as Regional Load Despatch Centres, has minimal espionage possibilities. However, it adds, “we assess they pose significant concerns over potential pre-positioning of network access to support Chinese strategic objectives.” Prepositioning in cyber warfare means to have malware assets in crucial places that can be called on when an actual attack is launched.