Skip to content

Report: Chinese Hacker Groups Target Indian Organisations Amid the Border Tension

The china-based threat activity group, RedEcho, targets at least a dozen Indian organizations, including the Indian power sec

Since mid-2020, Chinese State-sponsored groups intruded into the computer networks of at least a dozen Indian state-run organizations, mostly power utilities and load dispatch centers. According to a new study, these threat groups attempt to insert malware that could cause widespread disruptions (1).

In the report, Recorded Future (2), intelligence for enterprise security providers, Insikt Group, revealed details of the cyber campaign conducted by a China-linked group, RedEcho. Recorded Future’s large-scale automated network traffic analytics and expert analysis found the threat group activity targeted the Indian power sector. Notably, the company tracks the Internet usage of state actors for cyber-campaigns.

According to the NCIIPC Indian National Critical Information Protection Center definition (3), all 12 organizations qualify as critical infrastructure.

Recorded Future stated in the report that the activity started much before the clashes between Indian and Chinese troops in May 2020, triggering the border standoff in the Ladakh sector of the LAC, Line of Actual Control. And since then, there was a ‘steep rise’ in the use of particular software used by Chinese-state sponsored groups to target the Indian power sector’s large swathe (4).

The report further stated that the alleged groups’ intrusions had known links with the MSS, Ministry of State Security, China’s main intelligence and security agency, and the PLA, People’s Liberation Army. Moreover, their intrusions were not limited to the power sector. They made efforts to target several Indian government and defense organizations.

The report that in the lead-up to the May 2020 skirmishes, there was a noticeable increase in the Plugx malware, C2 infrastructure provisioning, and much of it was subsequently used for intrusion activity, targeting Indian organizations. The PlugX activity included targeting multiple Indian governments, defense, and public sector organizations from at least May last year.

Notably, China-nexus groups have been using PlugX for several years and throughout the rest of 2020. The investigators of Recorded Future identified a heavy focus on targeting Indian government and private sector organizations by several Chinese-state-sponsored threat activity groups.

Malware Led Disruptions

Even though Recorded Future didn’t state whether the malware insertion by the Chinese threat activity groups led to any disruptions, the report highlighted a massive power outage in Mumbai on October 13, 2020 (5) that was allegedly caused by the malware insertion at a state load dispatch center in Padgha. Nitin Raut, Maharashtra power minister (6), had stated at that time that authorities suspected that sabotage was the cause of the outage.

The two-hour outage resulted in the stock exchange closure, train cancellation, and offices across Mumbai, Navi Mumbai, and Thane were closed off.

Recorded Future stated that at the moment, the alleged link between the discovery of the unspecified malware variant and the outage remains unsubstantiated. However, the closure offers additional evidence suggesting a coordinated targeting of Indian Load Dispatch Centres.

The 12 organizations (ten distinct Indian power sector organizations and two Indian seaports), which Red Echo targeted includes:

  • Power System Operation Corporation Limited
  • NTPC Limited
  • NTPC’s Kudgi Power Plant
  • Western Regional Load Dispatch Center
  • Southern Regional Load Dispatch Center
  • North Eastern Regional Load Dispatch Center
  • Eastern Regional Load Dispatch Center
  • Delhi State Load Dispatch Centre
  • The DTL Tikri Kalan (Mundka) sub-station of Delhi
  • Transco Ltd
  • VO Chidambaranar Port
  • Mumbai Port Trust

All these groups use a modular backdoor tool called ShadowPad. And China-backed groups in network intrusion campaigns since 2017.

The report stated that the ShadowPad sharing is prevalent across groups affiliated with the Chinese Ministry of State Security and groups affiliated with the People’s Liberation Army. It is likely associated with the presence of a centralized ShadowPad developer or quartermaster responsible for updating and maintaining the tool.

RedEcho seems to have systematically utilized advanced cyber intrusion techniques to quietly gain a foothold in about a dozen critical nodes across the Indian power generation and transmission infrastructure, stated Stuart Solomon, the Chief Operating Officer at Recorded Future (7).

Even though several Chinese-sponsored hacker groups’ activities in the West have been linked to economic and cyber espionage, Recorded Future concluded that RedEcho’s actions in India aim at potential access to networks and malware insertion to ‘support Chinese strategic objectives.’

Pre-positioning on energy assets may support numerous potential outcomes such as geostrategic signaling during heightened bilateral tensions, supporting influence operations, or a precursor to kinetic escalation stated in the report.

According to a The New York Times report (8), Recorded Future reported its finding to the Indian Computer Emergency Response Team, CERT-IN. While it acknowledged the information’s receipt, it didn’t state whether it had found any malware in the targeted organizations.

Key Findings

Although targeting Indian critical infrastructure offers limited economic espionage opportunities, the Recorded Future report assesses that it could pose significant interests over the potential pre-position of network access to sustain Chinese strategic objectives. Pre-positioning on energy assets has the potential to support numerous potential outcomes such as geostrategic signaling during high bilateral tensions, influence operations support, or as a kinetic escalation precursor.

Moreover, RedEcho has a robust infrastructure and victimology overlapping with Chinese groups APT41/Barium and Tonto team. At least five distinct Chinese hacker groups use ShadowPad.

The CNO, Computer Network Operations targeting strategically important organizations, is likely to continue in India from the Chinese group in 2021 as the country continues to exert influence over nations within the sphere of its BRI, Belt, and Road Initiative investment program.

According to Dr, Christopher Ahlbergm the Chief Executive Officer and Co-founder of Recorded Future (9), the impact of cyber attacks aimed at a country’s critical infrastructure, whether for malicious activity or espionage, can potentially turn catastrophic with long-term repercussions. The world has long seen China’s cyber efforts targeted around strategic policies and initiatives, and this RedEcho campaign is no exception.

Ahlberg added that ‘accurate and actionable intelligence is essential for preempting such attacks and proactively disrupt adversaries both within an organization and across a country.’


Recorded Future in the report recommended users conduct different measures to detect and mitigate activities associated with RedEcho.

The report suggested that users can configure their IDS, intrusion detection systems and IPS, intrusion prevention systems, or any other network defense mechanisms in place to receive an alert. Users can consider blocking connection attempts to and from upon review.

Notably, Recorded Future proactively detects and logs malicious server configurations in the Command and Control Security Control Feed. The list includes tools the RedEcho and Chinese state-sponsored threat activity groups use, such as AXIOMATIC ASYMPTOTE.

The report recommended that clients should remain alert and block C2 servers to allow detection and remediation of active intrusions. Moreover, since multiple state-sponsored and financially motivated hack groups continue to use DDNS domains in network intrusion activity, users should block all TCP/UDP network traffic involving the DDNS subdomain and log them through DNS RPZ or similar. Users should also block and log all domains using eznowdns[.]com as an authoritative nameserver.


The report, Recorded Future, highlighted a series of suspected targeted intrusions against the Indian power sector that the organization started observing in mid-2020. A China-linked activity group that the organization tracked, RedEcho, conducted these intrusions.

The group heavily used AXIOMATIC SYMOP TOTE, a term used to track infrastructure that comprises ShadowPad C2s, shared between numerous Chinese threat activity groups, including APT41/Barium, the Icefog Cluster, Tonto team, KeyBoy, and Tick.

Notably, the intrusions overlap with past Indian energy sector targeting by China-based threat activity groups in the last year that also used AXIOMATIC ASYMPTOTE infrastructure. Hence, the focus in targeting the Indian electricity system possibly points out a sustained strategic intent to access the Indian energy sector.

As bilateral tensions continue to rise, there are expectations that we would see a continued increase in cyber operations by China-based hacker groups such as RedEcho, in line with the national strategic interest.

While economic recovery from the coronavirus pandemic impact would be a priority for both China and India, the increasing kinetic and rhetoric escalation of border tensions suggests a clear mistrust and uncertainty within each government.

It is worth highlighting that China and India’s relations have deteriorated significantly following border clashes in May 2020. It resulted in the first combat deaths in 45 years between the two most populous countries across the globe. Consequently, on January 12, 2021, the Indian foreign minister, Subrahmanyam Jaishankar, announced that China and India’s trust is ‘profoundly disturbed (10).’

Even though the economic and diplomacy factors have effectively prevented a full-blown war, notable recently with the bilateral disengagement at the border, cyber operations would continue to offer nations with powerful asymmetric capabilities to pre-position within networks conduct espionage for potentially disruptive reasons.

However, the Recorded Future stated in the report that even though there are some overlaps with previously detected APT41/Barium-linked activity and possible further overlaps with Tonto Team activities, there is not enough evidence to firmly attribute the activity, in particular, India’s power sector targeting to either group. It would continue to track it as a closely related but distinct China-based hacker activity group, RedEcho.

About Recorded Future and Insikt Group

Recorded Future is the largest provider of intelligence for enterprise security across the globe. By combining persistent and pervasive automatic data collection and human analytics analysis, Recorded Future offers timely, accurate, and actionable intelligence.

In ever-increasing chaos and uncertain world, Recorded Future empowers enterprises with the visibility they require to find and detect threats faster, take proactive action to disrupt adversaries, and protect their phones, systems, and assets so they can conduct their business with confidence.

It is worth highlighting that more than 1,000 businesses and government agencies from all across the world trust Recorded Future.

Insikt Group, the threat research arm of Recorded Future, comprises world-class subject-matter experts in technical threat intelligence and foreign adversary tactics, techniques, and procedures (TTP). It includes analysts and security researchers with deep government and industry experience and native foreign language skills (11).

Is China Warning India?

The Recorded Future’s discovery is the latest example of conspicuous malware placement in a country’s electric grid or other critical infrastructure that has turned into the latest form of deterrence and aggression, like a warning that if things are pushed too far, millions can suffer (12).

According to retired Lt. Gen. D. S. Hooda, a cyber expert who oversaw the Indian borders with China and Pakistan (13), ‘China is signaling to indicate that we can and have the capability to do it in times of a crisis. It is sending us a warning that the capability exists with them.’

Both nations have medium-size nuclear arsenals, traditionally seen as the ultimate deterrent. However, neither India nor China believes that the other would risk a nuclear exchange in response to bloody disputes over the LAC. In this ill-defined border demarcation, long-running disputes have surged into deadly conflicts because of increasingly nationalistic governments.

Cyberattacks offer them another option, which is less devastating than a nuclear attack but can give a country a strategic and psychological edge. Notably, Russia was a pioneer in the technique when it turned off the power twice in Ukraine several years before.

The United States has also engaged in similar signaling. After the Department of Homeland Security publicly acknowledged that a code inserted by Russian hackers littered the American power grid, the United States also put code into Russia’s grid as a warning to its President, Vladimir V. Putin (14).

Now, the Biden Administration has committed that within weeks, it would respond to other intrusions. It will not call it an attack from Russia yet, one that penetrated at least nine government organizations and more than 100 corporations.

So far, the evidence also suggests that the SolarWinds hack, named for the firm that made network management software that was hijacked to insert the code. It was chiefly about stealing the data. However, it also created the capability for far more destructive attacks. Companies that downloaded the Russian code were also several American utilities. These firms maintain that they have managed the incursions, and there was no risk to their operations.

Until recently, China was more focused on information theft. However, the country has been increasingly active in placing code into infrastructure, knowing that an attack’s fear is as powerful as an attack itself upon discovery.

There have been no comments regarding the matter from the center and other government officials in India’s case. There has also been no response from the Chinese government regarding questions about the code in the Indian grid.

Cyberattacks in India So Far

However, China can argue that India started cyber aggression. In India, last February, a patchwork of state-backed hackers was caught using coronavirus-themed phishing emails to target China-based organizations. A China-based security firm, 360 Security Technology, accused Stated-backed Indian hackers of targeting medical research organizations and hospitals with phishing emails in an espionage campaign.

After four months, as tensions surged between the two nations on the border, Chinese hackers unleashed a swarm of 40,300 hacking attempts on Indian technology and banking infrastructure in only five days. According to the Maharashtra police India, some of these incursions were so-called denial-of-service attacks that knocked their systems offline; others were phishing attacks.

By December, the Cyber Peace Foundation (15), an Indian non-profit organization that follows hacking reports, security experts reported a new wave of Chinese attacks. In this case, hackers sent phishing emails to Indians related to the Indian holidays in October and November.

Researchers linked the attacks to domains registered in China’s Henan and Guangdong Provinces to an organization named Fang Xiao Quing. The Foundation stated that the aim behind these attacks was to get a beachhead in Indian devices for future attacks.

According to Vineet Kumar, the Founder and President of the Cyber Peace Foundation (16), ‘it seems that one of the intentions was power projection.’

Since the previous year, the Foundation also documented a rise of malware directed at the Indian power sector, from petroleum refineries to nuclear power plants. Since it is impossible for the Recorded Future or the Foundation to examine the code, there is no clarity whether they are looking at the same attacks. However, the timing is the same.

However, according to the Indian officials, except for the Mumbai blackout, the attacks have not disrupted the energy provision. And even there, officials went quiet after initially determining that the code was most likely from China.

A police official in charge of the Maharashtra cyber intelligence unit, Yashasvi Yadav, stated that ‘authorities have found ‘suspicious activity,’ suggesting a state actor intervention.’

However, he refused to explain further and stated that the investigation’s full report would be released in early March. A state government minister, Nitin Raut, quoted in local reports in November, blamed sabotage for the Mumbai outage. However, he did not make any comments on questions about the blackout.

The Indian Military experts have renewed calls for the government to replace Made in China hardware for the Indian power sector and another critical rail system (17).

General Hooda stated that ‘the issue is India still hasn’t been able to get rid of its dependence on foreign software and hardware (18).’

According to the Indian government officials, a review is underway regarding the country’s information technology contracts, including China-based organizations. However, in reality, ripping out existing infrastructure is difficult and expensive.

Author’s Note

Apart from a power outage, the future nightmare scenario could be disabling trains, water supply, and financial networks combined with a physical attack, creating a new sense of vulnerability.

Even though it may sound like hyperbole, these recent incidents in India and worldwide indicate that Cyber warfare is already a reality. The United States, Russia, China, and even Iran are increasingly raising their digital warriors in the thousands.

According to cybersecurity experts, China has more than 40,000 strong cyber soldiers with another 200,000 hackers who serve as support groups (19). According to the available data, Russia has more than 10,000 cyber warriors.

It raises a logical question: how secure are India’s cyber borders? Has the country kept up with the threat and prepared defense and response?

Experts rate in the Indian cybersecurity is poor, especially those working with the government to raise awareness. It seems like even these ordinary Chinese cyber attacks can easily succeed on the country’s critical infrastructure.

It is also worth highlighting that China had been perfecting its cyber craft since the year 2000 while our previous government was napping. Compared to China’s massive 100,000 hacker army, the Indian Defense Cyber Agency has about 1,000 hackers (20).

In the short-term, India can request Israeli and Taiwanese assistance to mitigate the damage from Chinese cyberattacks to some extent. Still, it is now the time for India to develop its capabilities, which would need a sound investment and a decade.

While India aims for big projects like Digital India and Make in India, as our GDP increases, our vulnerability to cyber attacks is also increasing. Hence, India needs to develop a potent infrastructure to counter China.

Click here to download the full Future Recorder report.