Four months later and over 1,500 kilometers away, in Mumbai, trains stopped and the stock exchange closed as the power went out in a city of 20 million people. Hospitals had to switch to emergency generators to keep ventilators running amid a coronavirus outbreak that was among the worst in India.
Now a new study lends weight to the idea that the two events may have been linked, as part of a broad Chinese cyber-campaign against India's electricity grid, timed to send a message that if India pressed its claims too hard, the lights could go out across the country.
The study shows that, as clashes raged in the Himalayas, claiming at least two dozen lives, Chinese malware was flowing into the control systems that manage the power supply across India, as well as into a high-voltage transmission substation and a coal-fired power plant.
The flow of malware was pieced together by Recorded Future, a Somerville, Mass., company that studies the use of the Internet by state actors. It found that most of the malware was never activated. And because Recorded Future could not get inside India's power systems, it could not examine the details of the code itself, which was placed in strategic power-distribution systems across the country. Although it has notified Indian authorities, so far they are not reporting what they have found.
Stuart Solomon, chief operating officer of Recorded Future, said the Chinese state-sponsored group, which the company has named RedEcho, "has been seen to routinely use advanced cyber intrusion techniques to quietly gain a foothold in nearly a dozen critical nodes across India's electricity generation and transmission infrastructure."
The discovery raises the question of whether a blackout that struck Mumbai, one of the country's busiest business centers, on Oct. 13 was meant as a message from Beijing about what could happen if India pushed its border claims too vigorously.
Reports from the time cited Indian officials as saying the cause was a cyberattack of Chinese origin on a nearby load-management center. Authorities opened an official investigation, which is due to report in the coming weeks. Since then, Indian officials have remained silent about the Chinese code, about whether it triggered the Mumbai outage, and about the evidence provided by Recorded Future that many parts of the country's power grid were the target of a sophisticated Chinese hacking effort.
It is possible that the Indians are still searching for the code. But acknowledging its insertion, a former Indian diplomat noted, could complicate the diplomacy of recent days between Chinese Foreign Minister Wang Yi and his Indian counterpart, Subrahmanyam Jaishankar, aimed at easing border tensions.
The investigators who wrote the Recorded Future study, which is expected to be released Monday, said the "alleged link between the outage and the discovery of unspecified malware" in the system "remains unsubstantiated." But they noted that "additional evidence suggested the coordinated targeting of Indian load dispatch centers," the facilities that balance electricity demand across parts of the country.
The finding is the latest example of how the conspicuous placement of malware in an adversary's power grid or other critical infrastructure has become a new form of both aggression and deterrence: a warning that if things are pushed too far, millions of people could suffer.
"I think the signaling is being done" by China to indicate "that we can and have the capacity to do it in times of crisis," said retired Lt. Gen. D.S. Hooda, a cyber expert who oversaw India's borders with Pakistan and China. "It's like sending a warning to India that this ability exists with us."
India and China both have modest-sized nuclear arsenals, traditionally viewed as the ultimate deterrent. But neither side believes the other would risk a nuclear exchange in response to bloody disputes along the Line of Actual Control, an ill-defined border demarcation where long-standing disputes have turned into deadly clashes under increasingly nationalist governments.
Cyberattacks offer them another option, less devastating than a nuclear attack but capable of giving a country a strategic and psychological edge. Russia pioneered the technique when it twice cut the power in Ukraine several years ago.
And the United States has engaged in similar signaling. After the Department of Homeland Security publicly announced that the U.S. electricity grid was littered with code inserted by Russian hackers, the United States placed code in the Russian grid as a warning to President Vladimir Putin.
Now the Biden administration says that within weeks it will respond to yet another intrusion from Russia (it is not yet calling it an attack), one that penetrated at least nine government agencies and more than 100 businesses.
The evidence so far suggests that the SolarWinds hack, named for the company whose network-management software update was hijacked to deliver the code, was primarily about information theft. But it also created the capability for far more destructive attacks, and among the companies that downloaded the Russian code were several American utilities. They say the intrusions were contained and posed no risk to their operations.
Until recent years, China had focused on information theft. But Beijing has become increasingly active in placing code in infrastructure systems, knowing that once it is discovered, the fear of an attack can be as powerful a tool as the attack itself.
In the Indian case, Recorded Future sent its findings to the Indian Computer Emergency Response Team, or CERT-In, the kind of investigative and early-warning agency that most countries maintain to track threats to critical infrastructure. On two occasions the agency acknowledged receipt of the information, but it did not say whether it had also found the code in the power grid.
The New York Times’ repeated efforts to solicit comment from the center and several of its officials over the past two weeks have not yielded any response.
The Chinese government, which did not respond to questions about the code in the Indian grid, could argue that India started the cyber conflict. Last February a patchwork of Indian state-backed hackers were caught using coronavirus-themed phishing emails to target Chinese organizations in Wuhan. A Chinese security firm, 360 Security Technology, accused Indian state-backed hackers of targeting hospitals and medical research organizations with phishing emails as part of an espionage campaign.
Four months later, as tensions mounted between the two neighbors, Chinese hackers unleashed a swarm of 40,300 hacking attempts on India's technology and banking infrastructure in just five days. Some of the attempts were denial-of-service attacks that knocked those systems offline; others were phishing attacks, Maharashtra police said.
In December, security experts at the Cyber Peace Foundation, an Indian nonprofit that tracks hacking efforts, reported a new wave of Chinese attacks in which hackers sent phishing emails to Indians themed around the Indian holidays of October and November. The researchers linked the attacks to domains registered in China's Guangdong and Henan provinces to an organization called Fang Xiao Qing. The objective, according to the foundation, was to gain a foothold on Indian devices, possibly for future attacks.
“One of the intentions seems to be the projection of power,” said Vineet Kumar, president of the Cyber Peace Foundation.
The foundation has also documented a wave of malware directed at India's power sector, from oil refineries to a nuclear power plant, since last year. Because neither the foundation nor Recorded Future can examine the code, it is hard to know whether they are looking at the same attacks, but the timing is the same.
Yet with the exception of the Mumbai outage, the attacks did not disrupt the energy supply, officials said.
And even there, officials fell silent after initially determining that the code was likely Chinese. Yashasvi Yadav, the police official in charge of Maharashtra's cyber intelligence unit, said authorities had discovered "suspicious activity" suggesting the involvement of a state actor.
But Yadav declined to give further details, saying the full investigation report would be released in early March. Nitin Raut, a state government minister who was quoted in local reports in November blaming the Mumbai blackout on sabotage, did not answer questions about the outage.
Military experts in India have renewed their calls on Prime Minister Narendra Modi's government to replace Chinese-made equipment in India's power sector and its critical rail system.
“The problem is, we still haven’t been able to shake off our reliance on foreign hardware and software,” Hooda said.
Indian government officials said a review of India's information technology contracts, including those with Chinese companies, was underway. But the reality is that ripping out existing infrastructure is expensive and difficult.