Cyber Incident Victim: India
Date: Feb 2021
Location: India
Summary
A Chinese state-sponsored threat activity group targeted multiple Indian State Load Despatch Centres responsible for real-time grid control and electricity dispatch, primarily located in northern regions near the disputed Ladakh border. The attackers employed ShadowPad malware, leveraging compromised internet-facing DVR/IP camera devices for command and control, alongside open-source tools like FastReverseProxy. This campaign, distinct from prior RedEcho operations but similarly focused on critical infrastructure, also compromised a national emergency response system and a logistics firm. The activity aligns with long-term strategic objectives, likely aimed at pre-positioning within operational networks to facilitate future contingency operations or gather intelligence on critical systems rather than immediate economic espionage.
Description
In February 2021, Recorded Future's Insikt Group identified cyber intrusions targeting operational assets within India's power grid, attributed to a likely Chinese state-sponsored threat group tracked as RedEcho. The activity focused on compromising critical infrastructure organizations, including four of India's five Regional Load Despatch Centres (RLDCs), two ports, and a major power generation operator. These intrusions occurred amid ongoing border tensions between India and China in the Ladakh region, though troop disengagement began that same month. The attackers employed modular backdoor malware and operational infrastructure later abandoned following Recorded Future's public reporting. Analysis indicated limited traditional espionage value in these targets, suggesting objectives centered on pre-positioning within critical systems rather than immediate intelligence collection or disruption.

Following a brief operational pause after the initial disclosure, renewed targeting emerged against at least seven Indian State Load Despatch Centres (SLDCs) responsible for real-time electricity grid management. These SLDCs were concentrated in northern India near the disputed Ladakh border, with one having been previously compromised during RedEcho's campaign. The new intrusions, clustered under the temporary designation TAG-38, affected an almost entirely different set of victims than those in the 2021 activity. Attackers compromised internet-facing DVR/IP camera devices to establish command-and-control infrastructure for ShadowPad malware deployments and utilized FastReverseProxy (FRP) tools. Concurrently, the same threat group breached a national emergency response system and an Indian subsidiary of a multinational logistics firm.

Recorded Future detected these activities through automated network traffic analysis combined with expert review of data from SecurityTrails, PolySwarm, and Team Cymru's Pure Signal™ platform. The firm notified relevant Indian government departments prior to public disclosure to support incident response and remediation efforts. While tactical overlaps existed with prior RedEcho operations, technical evidence prevented direct attribution to that group. Separate Chinese-linked activity tracked as TAG-26 also targeted Indian managed service providers and OT vendors using ShadowPad, Poison Ivy, and RoyalRoad RTF payloads during this period, demonstrating sustained interest in critical infrastructure networks despite reduced border tensions.
