Maharashtra minister suggests foreign hack in Mumbai outage
India’s nodal agency to safeguard critical computer resources had informed the government about attempted intrusions by a Chinese state-sponsored group into segments of the country’s power infrastructure early last month, the Power Ministry said on Monday.
The Ministry’s statement followed a report by a cybersecurity company based in Massachusetts, United States, which noted a “steep rise” in the use of malware by a Chinese group called Red Echo to target India’s power sector organisations in 2020, when tensions between the two countries were high.
The contents of the study by Recorded Future were reported by The New York Times on Sunday. The report said the findings suggested a link between the Galwan clash of June 2020, and the grid disturbance that led to a massive power outage in Mumbai on October 12 last year.
The NYT report spoke of a “broad Chinese cybercampaign against India’s power grid”, timed as a “message from Beijing about what might happen if India pushed its border claims too vigorously”.
Strategic blow
Cyberattacks can deliver strategic and psychological advantage. Russia shut down power in Ukraine on two occasions some years ago, and, after the US discovered that Russian hackers had inserted malicious code into its power grid, it responded in kind. China too has moved to inserting code into infrastructure systems, Western experts say.
In Mumbai, Maharashtra Home Minister Anil Deshmukh appeared to agree with the theory of a foreign hand in the power outage. He told a press conference that preliminary findings of an investigation by the Maharashtra Cyber Police into last year’s power outage indicated that the “blackout of October 12 could probably have occurred” due to “attempts” by unidentified foreign agencies to hack the city’s electrical infrastructure.
Deshmukh did not provide details of when the hacking attempts took place. The power supply to Mumbai had shut down for several hours on that day, bringing the city to a grinding halt. Some parts had gone without electricity for nearly 24 hours.
The central Power Ministry statement said “no data breach/data loss” had been detected due to the attempted hack. There had also not been any impact on any of the functionalities carried out by the Power System Operation Corporation Ltd (POSOCO), which is in charge of ensuring the integrated operation of India’s power system, and facilitating the transfer of electric power within the country, the statement said.
The Ministry statement acknowledged the report by Recorded Future’s Insikt Group. It said the Ministry had received an email from the Indian Computer Emergency Response Team (CERT-In) on November 19, 2020, on the threat of a malware called ShadowPad “at some control centres of POSOCO”.
Subsequently on February 12, the National Critical Information Infrastructure Protection Centre (NCIIPC) had informed the Ministry about the use of ShadowPad by Red Echo.
“Chinese state-sponsored threat Actor group known as Red Echo is targeting Indian Power sector’s Regional Load Dispatch Centres (RLDCs) along with State Load Dispatch Centres (SLDCs),” the Ministry said in its statement, citing the NCIIPC’s letter.
“Some IP addresses and domain names were mentioned. The report of Insikt also refers the threat actors already informed by CERT-in & NCIIPC,” the statement said.
“Observations from all RLDCs & NLDC shows that there is no communication and data transfer taking place to the IPs mentioned.”
According to the Ministry, “prompt actions” are being taken by the Chief Information Security Officers at all the control centres under POSOCO’s operation “for any incident/advisory received from various agencies like CERT-in, NCIIPC, CERT-Trans etc”.
The Ministry statement did not clarify whether the attempts by Red Echo were responsible for the power outage in Mumbai on October 12.
At the press conference in Mumbai, Deshmukh said that “after the October 12 outage Energy Minister Nitin Raut had hinted at sabotage and requested for an investigation”.
“We subsequently asked the Maharashtra Cyber Police to investigate. A preliminary report submitted by them, which analysed the Maharashtra State Electricity Board’s Supervisory Control and Data Acquisition system, states that there is some evidence to point at probable cyber sabotage on MSEB servers,” Deshmukh said.
The investigation had found that 14 Trojans were used to insert malware into the MSEB server, Deshmukh said. Also, 8 gigabytes of data from foreign accounts had been transferred to the MSEB server, and there was evidence that attempts were made by blacklisted Internet Protocol companies to log onto MSEB servers, he said.
Deshmukh handed over the report to Energy Minister Raut at the press conference. “The inquiry report has given an indication that a malware was infected into the MSEB servers. However we can’t say which country is behind this at this point of time,” Deshmukh said. He mentioned the report by Recorded Future, but said he was only giving “references”.
Meanwhile, a spokesperson for the Chinese Foreign Ministry rejected as “highly irresponsible” the suggestion in The NYT report that Chinese hackers may have attacked the Indian power grid as a “warning” to New Delhi.
“As a staunch defender of cyber security, China firmly opposes and cracks down on all forms of cyber attacks. Speculation and fabrication have no role to play on the issue of cyber attacks, as it is very difficult to trace the origin of a cyber attack. It is highly irresponsible to accuse a particular party when there is no sufficient evidence around. China is firmly opposed to such irresponsible and ill-intentioned practice,” Ministry spokesperson Wang Wenbin said.