China-linked RedEcho APT took down part of its C2 domains

China-linked APT group RedEcho has taken down its attack infrastructure after it was exposed at the end of February by security researchers.

China-linked APT group RedEcho has taken down its attack infrastructure after security experts have exposed it. At the end of February, experts at Recorded Future have uncovered a suspected Chinese APT actor targeting critical infrastructure operators in India. The list of targets includes power plants, electricity distribution centers, and seaports in the country.

The attacks surged while relations between India and China have deteriorated significantly following border clashes in May 2020.

Recorded future tracked the APT group as “RedEcho” and pointed out that its operations have a significant overlap with the China-linked APT41/Barium actor.  Experts noticed that at least 3 of the targeted Indian IP addresses were previously hit by APT41 in a November 2020 campaign aimed at Indian Oil and Gas sectors.

“Since early 2020, Recorded Future’s Insikt Group observed a large increase in suspected targeted intrusion activity against Indian organizations from Chinese statesponsored groups. From mid-2020 onwards, Recorded Future’s midpoint collection revealed a steep rise in the use of infrastructure tracked as AXIOMATICASYMPTOTE, which encompasses ShadowPad command and control (C2) servers, to target a large swathe of India’s power sector.” reads the analysis published by Recorded Future. “Using a combination of proactive adversary infrastructure detections, domain analysis, and Recorded Future Network Traffic Analysis, we have determined that a subset of these AXIOMATICASYMPTOTE servers share some common infrastructure tactics, techniques, and procedures (TTPs) with several previously reported Chinese state-sponsored groups, including APT41 and Tonto Team.”

Despite the overlap, Recorded Future continues to track the group as a distinct actor.

Recorded Future experts collected evidence of cyber-attacks against at least 10 Indian power sector organizations, including 4 Regional Load Despatch Centres (RLDC) responsible for the operation of the power grid and other two unidentified Indian seaports.

The alleged China-linked APT group alto targeted a high-voltage transmission substation and a coal-fired thermal power plant.

Researchers identified 21 IP addresses associated with 10 distinct Indian organizations in the power generation and the transmission sector that were targeted as part of this campaign. 

A couple of weeks after the publication of the report, experts at the Insikt Group noticed that RedEcho has now taken down part of its domain infrastructure that was used to control ShadowPad backdoor that was deployed inside the networks of the Indian targets.

More specifically, RedEcho has now parked web domains it previously used to control ShadowPad malware inside the hacked Indian power grid, and which Recorded Future ousted in its report. Experts believe that the APT group was only moving its C2 infrastructure elsewhere after it was uncovered by the researchers.

“The most recently identified victim communications with RedEcho infrastructure was from an Indian IP address on March 11, 2021 to the RedEcho IP 210.92.18[.]132,” the Insikt Group told to TheRecord website.

“This is likely due to a combination of defensive measures taken by targeted organizations to block published network indicators and the aforementioned steps taken by the group to move away from publicized infrastructure.”

If you want to receive the weekly Security Affairs Newsletter for free subscribe here.

Follow me on Twitter: @securityaffairs and Facebook

[adrotate banner=”9″]

[adrotate banner=”12″]

Pierluigi Paganini

(SecurityAffairs – hacking, RedEcho)

[adrotate banner=”5″]

[adrotate banner=”13″]