India’s Cyber Security and China
At the end of February 2021, an American organisation, Recorded Future, published a study entitled “China-Linked Group RedEcho Targets the Indian Power Sector Amid Heightened Border Tensions”, which was reported in the Indian media on March 1, 2021. The study was conducted by Recorded Future’s Insikt Group. In this study, the Insikt Group finds that Indian organisations were under cyber-attack in 2020. The report highlights the attack on 10 individual Indian power sector entities in mid-2020 as the most worrisome event.
The report finds 21 IP addresses of these power sector organisations targeted. It also discovered that the Chinese hacking organisation—RedEcho—targeted several other entities as well. Of the non-power sector organisations, the attacks on a couple of seaports and on railway infrastructure are quite significant. All the organisations figure on the list or definition of the Indian National Critical Information Protection Centre. The October 2020 power grid failure has been attributed to a Chinese cyber-attack initiated by RedEcho, though the Recorded Future study attaches caveats and merely suspects the role of Chinese hackers.
The report “revealed a steep rise in the use of infrastructure tracked as AXIOMATICASYMPTOTE, which encompasses ShadowPad command and control (C2) servers, to target a large swathe of India’s power sector.” ShadowPad is basically a novel backdoor surreptitiously embedded in server-control software; it helps an attacker download additional malicious modules and steal data.
ShadowPad, reportedly detected in 2017 by one of the anti-virus software companies, is used as one of the prime methods of targeting supply chains. Different studies have found that it makes several sectors of an economy highly vulnerable; the banking and energy sectors have borne the brunt of it. It primarily targeted the NetSarang software package, which is used in many countries: the hacker modified the then-current edition of the NetSarang software, produced and distributed for global use.
NetSarang Computer, Inc. has built, promoted and maintained secure connectivity solutions since it was established in 1997. The software developer has its headquarters in the United States (US) and South Korea. Of all its solutions, the company is best known for server management tools for large business networks. In fact, Recorded Future’s Insikt Group mentions the 2017 compromise of NetSarang in its study of the Chinese cyber intrusions into various Indian infrastructure facilities.
Trend Micro, a well-known security software company, explains: “ShadowPad will call out to certain attacker-controlled domains and send the infected system’s information every eight hours. It’s also coded to call out to different domains every month. If the data sent to the attackers are of any interest, their command and control (C&C) servers will reply by triggering the backdoor’s routine to deliver additional payloads.”
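The fixed eight-hour call-out that Trend Micro describes is exactly the kind of regularity a defender can look for in outbound proxy or DNS logs. The following is an added example, not code from Trend Micro, Recorded Future or the original article: it reads constructed log lines (timestamp, client, destination), groups them by client and destination, and flags pairs whose request gaps are nearly constant. The log format, the hosts and the `.invalid` domains are all made up for the demonstration.

```python
"""Periodic-beacon detection over constructed outbound log lines.

Added example (assumption: a simple "timestamp client destination" log
format).  A backdoor that reports in every eight hours leaves evenly
spaced requests; ordinary user traffic does not.  We measure the gaps
between requests for each (client, destination) pair and report pairs
whose gaps have a very low relative standard deviation.
"""
import re
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed sample log.  10.0.0.12 calls beacon.example.invalid every
# 8 h (with a few seconds of jitter); 10.0.0.7 makes irregular requests.
SAMPLE_LOG = """\
2020-07-01T00:00:05 10.0.0.12 beacon.example.invalid
2020-07-01T00:03:41 10.0.0.7 cdn.example.invalid
2020-07-01T08:00:07 10.0.0.12 beacon.example.invalid
2020-07-01T09:15:22 10.0.0.7 cdn.example.invalid
2020-07-01T16:00:02 10.0.0.12 beacon.example.invalid
2020-07-01T16:42:10 10.0.0.7 cdn.example.invalid
2020-07-02T00:00:09 10.0.0.12 beacon.example.invalid
2020-07-02T03:01:55 10.0.0.7 cdn.example.invalid
2020-07-02T08:00:04 10.0.0.12 beacon.example.invalid
"""

LINE_RE = re.compile(r"^(\S+)\s+(\S+)\s+(\S+)$")


def parse_log(text):
    """Yield (timestamp, client, destination) for each well-formed line."""
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue  # skip malformed lines instead of aborting the run
        ts, client, dest = m.groups()
        yield datetime.fromisoformat(ts), client, dest


def find_beacons(text, min_events=4, max_jitter=0.05):
    """Return {(client, dest): mean_gap_seconds} for pairs that look like
    beacons: at least `min_events` requests whose inter-request gaps have
    a relative standard deviation no larger than `max_jitter`."""
    times = defaultdict(list)
    for ts, client, dest in parse_log(text):
        times[(client, dest)].append(ts)

    beacons = {}
    for key, stamps in times.items():
        if len(stamps) < min_events:
            continue
        stamps.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        avg = mean(gaps)
        if avg > 0 and pstdev(gaps) / avg <= max_jitter:
            beacons[key] = avg
    return beacons


if __name__ == "__main__":
    for (client, dest), period in find_beacons(SAMPLE_LOG).items():
        print(f"{client} -> {dest}: request every {period / 3600:.2f} h")
```

The jitter threshold is deliberately loose: real implants add small random delays, so a check for an exact interval would miss them, while anything under a few percent of the period is still far more regular than human-driven traffic. Lowering `min_events` increases false positives from short, coincidental patterns; in practice the rule would run over a window long enough to contain several periods.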
ShadowPad is also operated by the Chinese-government-sponsored Winnti group, which has been in the hacking business since at least 2012. It is widely believed that the group’s principal objectives are both espionage and profit. The group has developed its own malware for its malicious activities, and its style is characterised by complex attack methods. This particular group’s targets are well known and well identified; therefore, it operates very cautiously and only after conducting comprehensive reconnaissance.
Earlier reports from other IT studies indicate that this group has been attacking facilities and installations not only in India but also in Japan, South Korea and Mongolia in Asia; Russia, Germany and Belarus in Europe; Brazil in Latin America; and the United States. Some reports expand the list of target countries. As discussed, the favourite target areas of ShadowPad have been sectors such as banking and energy. The Winnti Group, apart from targeting these two financial sectors, has been targeting gaming, aerospace, telecom, pharmaceuticals, construction, education, software development and so on. The list could be longer if the assessments of different studies are taken into account. This has made the entire financial sector of the target countries highly vulnerable.
Recorded Future’s Insikt Group, in the current report, mentions that no fewer than five Chinese hacking groups are exploiting ShadowPad. These five actors are APT41 [Advanced Persistent Threat 41], Tonto Team, the Icefog malware group, KeyBoy and Tick. The February/March 2021 report further explains the continuity of the Chinese cyber-attacks by noting that APT41 (BARIUM), the actor that implanted the tool in NetSarang in 2017, is still an important actor. ShadowPad, through which official Chinese hackers operate, is associated with APT41. The Information Technology (IT) firm FireEye had detected the role of APT41 in the NetSarang intrusion in 2017. FireEye, in one of its reports, stated:
“APT41 is unique among tracked China-based actors in that it leverages non-public malware typically reserved for espionage campaigns in what appears to be activity for personal gain. Explicit financially-motivated targeting is unusual among Chinese state-sponsored threat groups, and evidence suggests APT41 has conducted simultaneous cybercrime and cyber espionage operations from 2014 onward.”
Regarding Tonto Team, Western governments and their think tanks have been highlighting Chinese complicity in sponsoring this group, which has been targeting countries such as Japan, Russia and South Korea for more than a decade. Some studies find a close association between this group and the APT. Tonto Team has been incessantly using Bisonal malware, a Remote Access Trojan, to hack entities in these countries. Its first version was known as ‘HeartBeat’.
Some of Tonto Team’s operations were detected by Unit 42, which describes itself as the global threat intelligence group at Palo Alto Networks dealing with cyber threats. Apparently, governments and industry both seek the help of Unit 42. It helps governments and companies understand the attacker’s toolbox so that preventive steps can be taken.
From time to time, other anti-hacker groups and anti-virus organisations have also revealed cyber-attacks by Tonto Team. For example, COSEINC and FireEye informed the world about the use of Bisonal malware in Japan in 2013. Similarly, AhnLab reported in 2017 that Bisonal and its refined variants, such as Bioazih and Dexbia, were being used to target organisations in India, South Korea, Japan and Russia.
This malware lures its victims with papers or documents that appear highly significant; thereafter it infiltrates the target’s network. China makes use of this group, too, for well-known or select targets. It does ‘operational intelligence gathering and espionage’ against these select or limited targets. Despite the protests lodged by the victim countries, the group has not ceased its operations. Instead, it refines its Bisonal malware to escape detection, notwithstanding the counter-campaigns of the victim countries, including Russia. The team has attacked Russian defence, telecommunication systems and data protection facilities.
Tonto Team used, and possibly still uses, Hangul Word Processor documents; the format is quite popular in South Korea, which enables the group to hack South Korean entities easily. For other countries, it uses other deceptions, such as a fake PDF icon and a Microsoft Office extension (.wll). A Windows library is used to launch the thread containing the malware code. The same style is followed from the first version of the malware to the latest.
Icefog is yet another malware group of the APT family, active since 2011. The name is derived from a thread found in the C&C server. It is also known as “Dagger Three”, a translation from the Chinese. It is also one of the backdoors that help in transmitting data from a server. Exfiltration may not be automatic, but the backdoor gives a hacker ample opportunity to manipulate the system to procure data or sabotage the entire network.
Icefog operates through multiple downloadable malware components, spear-phishing emails with attachments and links to websites, and so on. There are numerous types of Icefog malware. For example, the earlier 2011 Icefog version transmitted pilfered information by e-mail, whereas later versions interacted with a C&C or proxy server and received redirected commands. It also targets victims by exploiting weaknesses in Microsoft Word and Excel documents.
Most studies indicate that this malware has generally been used to target governmental organisations, defence companies, naval entities, telecommunication companies, and satellite and other high-technology companies in Taiwan, South Korea and Japan. Some media companies were also targeted by this group. Among the group’s prominent attacks were those on Fuji TV, Korea Telecom and Hanjin Heavy Industries.
However, some studies maintain that the reach of this group goes beyond Taiwan, South Korea and Japan. Entities located in the US, Australia, Canada, the United Kingdom, Italy, Germany, Austria, Singapore, Belarus, Malaysia and elsewhere were also attacked by this group. Threat intelligence groups have not confirmed the precise number of attacks undertaken by it.
KeyBoy is another Chinese group that uses backdoor techniques for stealing information and sabotaging systems. It was first detected by Rapid7 in 2013. Its operations resemble those of other APT groups: it infects a system by planting malware and takes control of the network. For that purpose, it also sends fake documents to lure its victims.
Thereafter, it sends its own messages. Among its discovered activities are screen capture, or taking screenshots; collecting comprehensive system information on the operating system, disks, memory, etc.; and rebooting after shutting down the system. Some fake MS Word documents used by this group in its attacks have been discovered by the study groups investigating the nature of the cyber-attacks.
KeyBoy was mainly active against India, Vietnam and Tibet in its initial years. It targeted the Tibetan Parliament as well. In later years, however, it supposedly targeted entities in Western countries. The general assessment is that in Western countries its operations are focused on corporate espionage objectives, though no IT study group is certain of the full scope of this group’s activities.
Tick is another threat group of the family; it has been targeting poor or vulnerable supply chain security by tampering with USB devices. Although this group has existed for a long period and is known by many names, such as Bronze Butler and RedBald Knight, it suddenly increased its activities in 2018. Trend Micro has given its operation a new name, Operation Endtrade. This group has been conducting multi-stage malware attacks.
The group’s tools include previously positioned malware, adapted trappings to obscure its intentions, new malware to elude detection at the entry stage, and the seizing of administrative rights at a later stage for a series of attacks and for information gathering in support of its campaigns. Some studies have noticed the use of ‘legitimate email accounts and credentials’ for infecting systems with malware. The reports indicate that the group has focused on the defence, aerospace, chemical and space sectors in Japan and elsewhere.
As mentioned earlier, official Chinese hacking has adopted mixed methods and target sectors. It targets military sectors and increasingly targets the financial sectors of its rivals, and even of a friendly country like Russia. Economic espionage is becoming an important part of espionage in general, so the Chinese shift should not be seen as an exception.
Moreover, all the studies are gathering data incrementally, and the results are surprising some researchers. FireEye itself, in its various reports, highlights the changing tactics, techniques and procedures of the Chinese groups. Recorded Future’s Insikt Group finds in its evaluation report that the current round of attacks on India may have been conducted by hackers or hacking groups connected with the Chinese Ministry of State Security and the People’s Liberation Army. The study also speculates on the existence of ‘a centralised ShadowPad developer or quartermaster responsible for maintaining and updating the tool.’
Insikt Group has revealed RedEcho’s style of operation in attacking Indian infrastructure. It found domain manipulation to be the dominant tool of the attack. RedEcho also registered an authoritative, though uncommon, name server for the operation. Similarly, the hacking group made use of Chinese domain and infrastructure operations. It also exploited dynamic Domain Name Service domains for its operational set-up. The Insikt Group has listed other instances of domain manipulation by the Chinese group in the report.
As discussed, different IT study groups are actively securing more information on the Chinese hackers and trying to understand their malware toolsets. However, the most challenging task is to get a picture of the overlap or networking among the recognised Chinese spying operatives. The current report of Recorded Future’s Insikt Group has also recognised the ‘widespread use’ of ShadowPad, which earlier was apparently used exclusively. So, the possibility of the Chinese security agencies’ involvement in sabotaging or spying on the financial sector ought not to surprise the world or the Indian strategic community.
The report finds that during the mobilisation of Chinese and Indian troops in the Ladakh sector, there was a consistent rise in the ‘provisioning of PlugX malware C2 infrastructure’. This arrangement was later used for attacking and penetrating Indian entities. According to the report, the Chinese government did not generally use PlugX malware for spying earlier, but of late the Chinese-nexus groups have started using this malware quite seriously. In fact, this aspect of the cyber-attack was endorsed and underlined by another study conducted by Trend Micro Research.
However, the Indian establishment appeared cautious in responding to the report. The Ministry of Power commented, “There is no impact on any of the functionalities carried out by POSOCO [Power System Operation Corporation Limited] due to the referred threat. No data breach/ data loss has been detected due to these incidents.” The Indian government also did not confirm that the October 2020 Mumbai power outage was caused by the Chinese cyber-attack.
The Indian government assured the nation and the Indian Parliament that its agencies, such as the Indian Computer Emergency Response Team, have played their role in protecting the country’s critical infrastructure. The central government also stated that, because of timely intervention, the hackers had failed to procure any information from any of the servers mentioned in the Recorded Future report. The government of Maharashtra, however, maintains that the October 2020 power failure was caused by the cyber-attack.
The Insikt Group’s report suggests configuring intrusion detection and intrusion prevention systems to properly defend a network. It also suggests blocking Transmission Control Protocol/User Datagram Protocol traffic involving dynamic Domain Name System domains, recommending Domain Name Service Response Policy Zones as the mechanism for doing so. However, the group seems pessimistic about stopping Chinese cyber-attacks. A newer assessment, released at the end of March 2021, reports that China is still trying to hack crucial organisations, even though the Chinese government has promised a crackdown on these hacking groups.
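The Response Policy Zone recommendation above, and the dynamic-DNS domains RedEcho used for its set-up, can be illustrated with a small model of how an RPZ-capable resolver applies QNAME policy. The following is an added example and is not code from Recorded Future, BIND or any resolver: it parses a constructed RPZ zone written in BIND zone-file syntax and evaluates the three common actions (`CNAME .` answers NXDOMAIN, `CNAME *.` answers NODATA, `CNAME rpz-passthru.` exempts a name), with wildcard owners covering all subdomains and an exact owner taking precedence over a wildcard. IP, NSDNAME and NSIP triggers and TTL handling are deliberately left out, and the dynamic-DNS provider and C2 hostnames are fictitious `.invalid` names.

```python
"""Minimal model of DNS Response Policy Zone (RPZ) QNAME policy.

Added example (simplified model, not a resolver's implementation).  A
zone of CNAME records maps query names to policy actions; the resolver
applies the action before answering.  Blocking a dynamic-DNS provider's
whole namespace takes two records: the apex name and a wildcard.
"""

# Constructed zone: block a fictitious dynamic DNS provider and one
# known C2 hostname, but exempt one host that is legitimately used.
RPZ_ZONE = """\
$TTL 300
@   SOA  ns.rpz.invalid. admin.rpz.invalid. 1 3600 900 86400 300
@   NS   ns.rpz.invalid.
; dynamic DNS provider: the apex and every subdomain get NXDOMAIN
dyndns-provider.invalid         CNAME .
*.dyndns-provider.invalid       CNAME .
; exemption must be an exact owner so that it beats the wildcard
allowed.dyndns-provider.invalid CNAME rpz-passthru.
; known C2 hostname: answer NODATA instead of NXDOMAIN
beacon.example.invalid          CNAME *.
"""

# CNAME target -> policy action, as used by RPZ resolvers.
ACTIONS = {".": "NXDOMAIN", "*.": "NODATA", "rpz-passthru.": "PASSTHRU"}


def parse_rpz(zone_text):
    """Return {owner_name: action} for the CNAME policy records in the zone."""
    policy = {}
    for raw in zone_text.splitlines():
        line = raw.split(";", 1)[0].strip()          # drop comments
        if not line or line.startswith(("$", "@")):
            continue                                 # directives, apex SOA/NS
        parts = line.split()
        if len(parts) < 3 or parts[-2].upper() != "CNAME":
            continue                                 # not a policy record
        owner, target = parts[0].lower().rstrip("."), parts[-1]
        action = ACTIONS.get(target)
        if action is None:
            raise ValueError(f"unsupported RPZ action target: {target}")
        policy[owner] = action
    return policy


def evaluate(policy, qname):
    """Apply the QNAME trigger: exact owner first, then the closest
    enclosing wildcard.  Returns NXDOMAIN, NODATA, PASSTHRU or ALLOW."""
    name = qname.lower().rstrip(".")
    if name in policy:
        return policy[name]
    labels = name.split(".")
    for i in range(1, len(labels)):
        wildcard = "*." + ".".join(labels[i:])
        if wildcard in policy:
            return policy[wildcard]
    return "ALLOW"


if __name__ == "__main__":
    rules = parse_rpz(RPZ_ZONE)
    for q in ("host1.dyndns-provider.invalid", "allowed.dyndns-provider.invalid",
              "beacon.example.invalid", "www.example.org"):
        print(f"{q:35} -> {evaluate(rules, q)}")
```

Two points matter when writing such a zone in practice: the wildcard record alone does not cover the apex name, so both records are needed, and an exemption must be an exact owner, since RPZ prefers the most specific match. Answering NODATA rather than NXDOMAIN for a known C2 name is a choice; either denies the implant an address, and the resolver's RPZ log (which this model does not include) is where the blocked query becomes a detection event.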
The Chinese cyber-attacks fit an established geopolitical narrative. The proxy war involving state and non-state actors is being waged very dextrously by the Chinese government. The convergence of military and civilian objectives and organisations is also evident in these cyber-attacks. The tool of cyber-attack is an invisible virus, with the capability to cause massive commotion. Because of this capability, the tools of cyber threats are also called Weapons of Mass Disruption.
An attack by a Chinese entity on India or any Western country may not be unusual, because these countries are considered unfriendly to China; but the serious and, to an extent, alarming dimension of the entire episode is that China does not spare even a friend like Russia. China knows that if it wants to play its geopolitical game, it will have to learn to pursue its national interests doggedly. Possibly, it feels comfortable with rogue elements such as Pakistan and North Korea.