Chinese state-sponsored threat actors are conducting a long-running intrusion campaign against the operators of India's power grid, cybersecurity researchers claim.
Researchers from Insikt Group, the threat research arm of Recorded Future, found that seven Indian State Load Dispatch Centers (SLDCs), which balance and control the grid in real time, had been compromised with a trojan.
All seven are reportedly located in Ladakh, a region administered by India as a union territory and long disputed between India, China, and Pakistan.
Chinese denials
The trojan in use is ShadowPad, a modular backdoor that has frequently been deployed by threat actors linked to China's Ministry of State Security. The researchers track the group behind this activity as Threat Activity Group 38 (TAG-38). To host their infrastructure, the attackers compromised internet-facing devices such as IP cameras and DVRs, most likely by logging in with default credentials that had never been changed.
"The group likely compromised and co-opted internet-facing DVR/IP camera devices for command and control (C2) of ShadowPad malware infections, as well as use of the open source tool FastReverseProxy (FRP)," Insikt Group wrote in its report.
The attackers' aim was not to disrupt or destroy the infrastructure, at least not yet; the activity was consistent with intelligence gathering and cyber-espionage. That low-noise objective is one likely reason they were able to keep their access for so long without being detected.
China has denied any involvement. Speaking to The Register, Chinese foreign ministry spokesperson Zhao Lijian said the country abides by the law and “firmly opposes” all forms of cyberattacks. One should be "all the more prudent when associating cyberattacks with the government of a certain country," he was quoted as saying.
Insikt Group's researchers added that, besides the grid assets, the attackers also compromised a national emergency response team and a subsidiary of a logistics company.
Via: The Register