A new study tips that the Mumbai power outage last year, which was said to the worst power failure in decades, may have its links to the India and China border tensions. The report adds that the mega Mumbai power outage may be the result of a cyber attack from China in an attempt to give a sign to India not to press too hard.
The report cited by The New York Times claims that when the Indians and Chinese soldiers were having a faceoff at the border, the malware was being injected into the control systems that are responsible for electric supply across India. Notably, this is not the first report that hints at China’s cyberattack that led to the Mumbai power outage. On October 12 last year, Mumbai faced a massive power outage that lasted for a few hours starting from 10 am, however, the issue was resolved by noon.
In November 2020, there were reports that during the initial investigation by Maharashtra cyber department, they traced the infusion of malware at the Padgha-based state load dispatch centre.
The NYT report says that the malware tracing was done by Recorded Future, a cybersecurity company founded in 2009 with headquarters in Somerville, Massachusetts. The company claims that most of the malware was not activated, which may mean that a small proportion of malware caused the Mumbai power outage. However, the report adds that the cybersecurity company couldn’t examine the code itself because of the restrictions, which meant it could not get inside India’s power systems. The report says that the cybersecurity company notified Indian authorities.
The company has named the Chinese state-sponsored group RedEcho which is more than likely to be blamed for the Mumbai power outage.
The report quotes Stuart Solomon, chief operating officer of Recorded Future, who said the RedEcho “has been seen to systematically utilize advanced cyber intrusion techniques to quietly gain a foothold in nearly a dozen critical nodes across the Indian power generation and transmission infrastructure.”
In a blog post published Recorded Future, the company has put down its observations about targeted intrusion activity against Indian authorities. “Since early 2020, Recorded Future’s Insikt Group observed a large increase in suspected targeted intrusion activity against Indian organizations from Chinese state-sponsored groups. From mid-2020 onwards, Recorded Future’s midpoint collection revealed a steep rise in the use of infrastructure tracked as AXIOMATICASYMPTOTE, which encompasses ShadowPad command and control (C2) servers, to target a large swathe of India’s power sector. 10 distinct Indian power sector organizations, including 4 of the 5 Regional Load Despatch Centres (RLDC) responsible for the operation of the power grid through balancing electricity supply and demand, have been identified as targets in a concerted campaign against India’s critical infrastructure. Other targets identified included 2 Indian seaports,” the company said.
The cybersecurity company does point that despite some overlaps with previous groups, there isn’t enough evidence to attribute the Mumbai power outage to an existing hacker group. However, it will “continue to track it as a closely related but distinct activity group, RedEcho.”
The cybersecurity company says it has sent its findings to Indian Computer Emergency Response Team (or CERT-In) within the Ministry of Electronics and Information Technology of the Government of India. It adds that the government has acknowledged the receipt twice, though there has been no confirmation of the fact that the code infected in the power grid may have any links with China-based hackers.
