Chinese state sponsored actors  may have deployed malware into Indian power grids and seaports as border tensions between India-China began escalating in May last culminating in a deadly clash along the Line of Control (LAC) in mid June. The alleged cyber intrusion was discovered and revealed by U.S. cyber security and intelligence firm Recorded Future,  the New York Times, which broke the story, reported.  An October 12 grid failure in Mumbai may have been caused by the Chinese malware, as per the report.

The Massachusetts based firm found that in the lead up to the clashes, they noticed an increase in malware targeting the government, defence organisations and the public sector. The Power Ministry confirmed that while attempts to breach systems were made, the power sector had not been impacted.

Also read: Mumbai faces major power cut due to ‘multiple tripping’ of supply lines

Recorded Future told The Hindu that there is still some evidence of ongoing intrusion although a significant amount of it has subsided recently.

“There is evidence that some of the intrusions remain ongoing, however a significant proportion of the activity appeared to cease in early to mid-February following notification,” a spokesperson for Recorded Future, Caitlin Mattingly, told The Hindu via email on Monday.

Also read: COVID-19 hospitals unaffected amid power outage in Mumbai

While the government has not contacted Recorded Future since the New York Times published its report, according to Ms Mattingly, the company had been in touch with the government prior to the report’s publication.

“We shared technical details of the intrusions with the Indian government that would allow them to identify and respond to the incidents. We are not an incident response firm and so do not directly typically investigate internal incidents in organizations,” Ms Mattingly said when asked if Recorded Future is helping the government patch up the vulnerabilities, which it alerted the government to soon after it noticed them.

Also read: ‘Mumbai cannot depend on Tata Power, AEML alone’

The intrusions which began in May 2020 continued throughout the year.

The New York Time’s report quoted Recorded Future COO Stuart Solomon as saying the Chinese state sponsored group (which the company calls ‘Red Echo’), “has been seen to systematically utilize advanced cyberintrusion techniques to quietly gain a foothold in nearly a dozen critical nodes across the Indian power generation and transmission infrastructure.”

Specifically, Recorded Future identified 21 IP addresses targeting 10 power organisations (RLDCs and SLDCs  –  Regional Load Despatch Centres and their State counterparts) and two seaports: the V.O. Chidambaranar Port and Mumbai Port Trust.  Other intrusions included a high voltage transmission substation and a coal-fired thermal power plant, as per Recorded Future.

The report links the malware attacks to a massive power outage in Mumbai and its suburbs last October which impacted hospitals, businesses, the stock market, homes and transport systems.

“ Additionally, local media reporting previously linked an October 2020 power outage in Mumbai to the identification of malware at a Padgha-based State Load Despatch Centre. At this time, the alleged link between the outage and the discovery of the unspecified malware variant remains unsubstantiated. However, this disclosure provides additional evidence suggesting the coordinated targeting of Indian Load Despatch Centres,” the report says.

 “The intrusions in May 2020 onwards, which were China-linked but separate to the RedEcho activity highlighted in the report, were all reported to the Indian government shortly after discovery,” the spokesperson said. Both the U.S. and Indian authorities had been informed and acknowledged receipt f the information and stated they would investigate the findings, she said.

China attacks report

China’s Foreign Ministry strongly hit out at the report, calling it “irresponsible”, and attacked it for not offering evidence.  “China firmly opposes and cracks down on all forms of cyber attacks,” spokesperson Wang Wenbin said. “Speculation and fabrication have no role to play on the issue of cyber attacks, as it is very difficult to trace the origin of a cyber attack.”

He said it was “highly irresponsible to accuse a particular party when there is no sufficient evidence around.” “China is firmly opposed to such irresponsible and ill-intentioned practice,” Mr. Wang said.

(With inputs from Ananth Krishnan)