Cyber Incident Victim: Port Facility
Date: Oct 2020
Location: India
Summary
A massive power outage in Mumbai disrupted critical services including hospitals, trains, and financial markets, with evidence suggesting cyber-sabotage by a China-linked threat actor known as RedEcho. The group targeted ten power sector organizations and two maritime entities using tactics that overlap with other Chinese advanced persistent threats, deploying malware such as ShadowPad through infrastructure tracked as AXIOMATICASYMPTOTE. Security firm Recorded Future attributed the campaign to China's strategic interests, potentially aligned with geopolitical tensions and infrastructure initiatives such as the Belt and Road Initiative. While Indian state authorities acknowledged the possibility of a cyberattack and opened investigations, India's national power officials denied that the malware had any operational impact on the grid, and Chinese representatives dismissed the allegations outright.
Description
On October 12, 2020, a major power outage disrupted Mumbai’s critical infrastructure, halting transportation networks, healthcare services, and financial operations. The blackout affected hospitals, trains, and the stock exchange, causing widespread operational paralysis across the metropolitan area. Initial investigations by Maharashtra state authorities revealed anomalies suggesting possible cyber sabotage, prompting the state’s Home Minister Anil Deshmukh to request a formal report from the Maharashtra Cyber Cell. Energy Minister Nitin Raut publicly acknowledged findings from a cybersecurity study indicating the incident might involve deliberate cyberattacks rather than technical failures. Security firm Recorded Future later identified a coordinated campaign by the China-linked threat actor RedEcho, which targeted 10 Indian power sector organizations and two maritime port facilities in the months surrounding the outage. The group deployed malware linked to ShadowPad servers through infrastructure designated as AXIOMATICASYMPTOTE, focusing on regional load dispatch centers responsible for grid stability.

Recorded Future’s analysis revealed tactical overlaps between RedEcho and other Chinese state-sponsored groups like APT41/Barium, suggesting a broader strategic objective aligned with China’s geopolitical interests, including the Belt and Road Initiative. The campaign’s timing coincided with heightened military tensions between India and China along their disputed border in 2020. Retired Lt Gen DS Hooda characterized the incident as a deliberate warning from China, emphasizing its potential to escalate during crises. While India’s Ministry of Power denied any malware-induced disruptions to grid operations, China’s Foreign Ministry dismissed the allegations as unfounded. The event drew international attention due to parallels with Russian cyber operations against Ukrainian infrastructure, underscoring vulnerabilities in critical systems. Maharashtra’s government continued reviewing technical evidence to confirm the cyber intrusion’s scope and origins amid calls for enhanced infrastructure safeguards.
