Alleged China-linked APT41 group targets Indian critical infrastructures

Recorded Future researchers uncovered a campaign conducted by Chinese APT41 group targeting critical infrastructure in India.

Security researchers at Recorded Future have spotted a suspected Chinese APT actor targeting critical infrastructure operators in India. The list of targets includes power plants, electricity distribution centers, and seaports in the country.

The attacks surged while relations between India and China have deteriorated significantly following border clashes in May 2020.

Recorded future tracked the APT group as “RedEcho” and pointed out that its operations have a significant overlap with the China-linked APT41/Barium actor.  Experts noticed that at least 3 of the targeted Indian IP addresses were previously hit by APT41 in a November 2020 campaign aimed at Indian Oil and Gas sectors.

“Since early 2020, Recorded Future’s Insikt Group observed a large increase in suspected targeted intrusion activity against Indian organizations from Chinese statesponsored groups. From mid-2020 onwards, Recorded Future’s midpoint collection revealed a steep rise in the use of infrastructure tracked as AXIOMATICASYMPTOTE, which encompasses ShadowPad command and control (C2) servers, to target a large swathe of India’s power sector.” reads the analysis published by Recorded Future. “Using a combination of proactive adversary infrastructure detections, domain analysis, and Recorded Future Network Traffic Analysis, we have determined that a subset of these AXIOMATICASYMPTOTE servers share some common infrastructure tactics, techniques, and procedures (TTPs) with several previously reported Chinese state-sponsored groups, including APT41 and Tonto Team.”

Despite the overlap, Recorded Future continues to track the group as a distinct actor.

Recorded Future experts collected evidence of cyber-attacks against at least 10 Indian power sector organizations, including 4 Regional Load Despatch Centres (RLDC) responsible for the operation of the power grid and other two unidentified Indian seaports.

The alleged China-linked APT group alto targeted a high-voltage transmission substation and a coal-fired thermal power plant.

Researchers identified 21 IP addresses associated with 10 distinct Indian organizations in the power generation and the transmission sector that were targeted as part of this campaign. Experts determined that two additional critical infrastructures targeted by the group that were in the maritime industry.

“The targeting of these critical power assets offer limited economic espionage opportunities, but pose significant concerns over potential pre-positioning of network access to support other Chinese strategic objectives,” conclude the expert. “Despite some overlaps with previously detected APT41/ Barium-linked activity and possible further overlaps with Tonto Team activity, we currently do not believe there is enough evidence to firmly attribute the activity in this particular Indian power sector targeting to either group and therefore continue to track it as a closely related, but distinct, activity group, RedEcho.”

If you want to receive the weekly Security Affairs Newsletter for free subscribe here.

Follow me on Twitter: @securityaffairs and Facebook

[adrotate banner=”9″]

[adrotate banner=”12″]

Pierluigi Paganini

(SecurityAffairs – hacking, APT41)

[adrotate banner=”5″]

[adrotate banner=”13″]