
Cyber Incident Victim: Union Power Ministry

Date: Oct 2020

Location: India

Summary

A massive power outage affecting critical infrastructure in Mumbai, including hospitals, trains, and financial systems, was linked to suspected cyber activity by a China-associated threat group known as RedEcho. The campaign targeted ten power sector organizations and two maritime entities; forensic analysis revealed tactics overlapping with other Chinese cyber operations and the use of ShadowPad malware infrastructure. While Indian state authorities acknowledged preliminary findings pointing to possible cyber sabotage, the national power ministry denied any operational impact from malware, and China dismissed the allegations. Security researchers assessed the campaign as strategically motivated, likely aligned with geopolitical tensions and infrastructure interests in the region.

CIA Posture: Available to members
Motives: 2 motives
Tactics, Techniques & Procedures: 1 technique
Threat Actor: 1 actor
Type: Available to members
Location: Available to members

Description

On October 12, 2020, a major power outage disrupted Mumbai, impacting hospitals, trains, and the stock exchange. The Maharashtra State government later acknowledged a study suggesting foreign cyber sabotage as the cause. Energy Minister Nitin Raut said the outage might have involved cyberattacks after the Maharashtra Cyber Cell’s preliminary report indicated possible malicious interference. Security firm Recorded Future identified a campaign by the China-linked group RedEcho targeting India’s power sector between mid-2020 and early 2021. The group focused on 10 power sector organizations, including regional load dispatch centers critical to grid operations, and two maritime sector entities. Its methods involved deploying ShadowPad malware through AXIOMATICASYMPTOTE servers, with tactics overlapping those of the Chinese advanced persistent threat group APT41/Barium.


The campaign coincided with heightened India-China border tensions in 2020. Recorded Future’s analysis suggested RedEcho’s activities aligned with China’s strategic interests, potentially linked to geopolitical disputes over infrastructure projects like the Belt and Road Initiative. Retired Lt Gen DS Hooda characterized the incident as a strategic warning from China, drawing parallels to Russian cyber operations against Ukraine. India’s Ministry of Power denied any malware impact on operational systems, while China’s Foreign Ministry dismissed the allegations as unverified speculation. The Maharashtra Home Ministry sought further investigation through its cyber department, underscoring concerns over vulnerabilities in critical national infrastructure. The incident highlighted systemic risks to India’s power grid and maritime assets from coordinated cyber intrusions.
