New Delhi: Amidst the recent border stand-off between India and China, it was hacker groups with links to the Chinese government that targeted India's critical power grid and two major vaccine-makers with malware, overseas cybersecurity firms revealed.
On Monday, Reuters, quoting cyber intelligence firm Cyfirma, said that the Chinese hacking group APT10, also known as Stone Panda, in recent weeks targeted the IT systems of Bharat Biotech and the Serum Institute of India (SII), whose coronavirus shots are being used in the country's immunisation campaign.
On the other hand, Recorded Future, a Massachusetts-based company which studies the use of the internet by state actors, in its recent report detailed the campaign conducted by the China-linked threat activity group RedEcho targeting the Indian power sector.
The reports came as the armies of the two countries began disengagement of troops locked in an over eight-month-long standoff in eastern Ladakh.
Mumbai blackout an attack?
The Recorded Future report has raised suspicion over whether last year's massive power outage in Mumbai was the result of an online intrusion.
The activity was identified through a combination of large-scale automated network traffic analytics and expert analysis. Data sources include the Recorded Future Platform, SecurityTrails, Spur, Farsight and common open-source tools and techniques, the report said.
On October 12, a grid failure in Mumbai resulted in massive power outages, stopping trains on tracks, hampering those working from home amidst the COVID-19 pandemic and hitting the stuttering economic activity hard.
It took two hours for the power supply to resume for essential services, prompting Chief Minister Uddhav Thackeray to order an enquiry into the incident.
Recorded Future said it notified the appropriate Indian government departments of the suspected intrusions prior to publication, to support incident response and remediation investigations within the impacted organisations.
There was no immediate response from the Indian government on the study by the US company.
Since early 2020, Recorded Future's Insikt Group observed a large increase in suspected targeted intrusion activity against Indian organisations from the Chinese state-sponsored group.
The New York Times, in a report, said that the discovery raises the question of whether the Mumbai outage was meant as a message from Beijing about what might happen if India pushed its border claims too vigorously.
In response to the allegation, Chinese Foreign Ministry spokesman Wang Wenbin on Monday rejected the criticism about China's involvement in the hacking of India's power grid, saying it is irresponsible and ill-intentioned to make allegations without proof.
"China is a staunch upholder of cybersecurity. We firmly oppose and fight any kind of cyber-attacks," he said, replying to a question on the report of the cyber-attack on the Indian power grid.
"It is hard to track the origin of the cyber-attacks. You cannot make wanton guesses or smear a specific country without any proof. This is irresponsible and ill-intentioned. China firmly opposes such behaviour," he said in Beijing.
'Attack to gain competitive advantage'
Goldman Sachs-backed Cyfirma, based in Singapore and Tokyo, said Stone Panda had identified gaps and vulnerabilities in the IT infrastructure and supply chain software of Bharat Biotech and the Serum Institute of India (SII), the world's largest vaccine maker.
Rivals China and India have both sold or gifted COVID-19 shots to many countries. India produces more than 60% of all vaccines sold in the world.
"The real motivation here is actually exfiltrating intellectual property and getting competitive advantage over Indian pharmaceutical companies," said Cyfirma Chief Executive Kumar Ritesh, formerly a top cyber official with British foreign intelligence agency MI6.
He said APT10 was actively targeting SII, which is making the AstraZeneca vaccine for many countries and will soon start bulk-manufacturing Novavax shots.
"In the case of Serum Institute, they have found a number of their public servers running weak web servers, these are vulnerable web servers," Ritesh said, referring to the hackers.
"They have spoken about weak web application, they are also talking about weak content-management system. It's quite alarming."
China's foreign ministry did not immediately reply to a request for comment.
SII and Bharat Biotech declined to comment. The government-run Indian Computer Emergency Response Team, with whom Cyfirma said it had shared its findings, had no immediate comment.
The U.S. Department of Justice said in 2018 that APT10 had acted in association with the Chinese Ministry of State Security.
Microsoft said in November that it had detected cyber attacks from Russia and North Korea targeting COVID-19 vaccine companies in India, Canada, France, South Korea and the United States. North Korean hackers also tried to break into the systems of British drugmaker AstraZeneca, Reuters has reported.
Ritesh, whose firm follows the activities of some 750 cyber criminals and monitors nearly 2,000 hacking campaigns using a tool called decipher, said it was not yet clear what vaccine-related information APT10 may have accessed from the Indian companies.
Bharat Biotech's COVAXIN shot, developed with the state-run Indian Council of Medical Research, will be exported to many countries, including Brazil.
US drugmaker Pfizer Inc and its German partner BioNTech SE said in December that documents related to development of their COVID-19 vaccine had been "unlawfully accessed" in a cyberattack on Europe's medicines regulator.
Massive Chinese attack
According to the Recorded Future report, from mid-2020 onwards, Recorded Future's midpoint collection revealed a steep rise in the use of infrastructure tracked as AXIOMATICASYMPTOTE, which encompasses ShadowPad command and control (C2) servers, to target a large swathe of India's power sector.
Ten distinct Indian power sector organisations, including four of the five Regional Load Despatch Centres responsible for operation of the power grid through balancing electricity supply and demand, have been identified as targets in a concerted campaign against India's critical infrastructure.
Other targets identified included two Indian seaports, it said, adding the targeting of Indian critical infrastructure offers limited economic espionage opportunities.
However, we assess they pose significant concerns over potential pre-positioning of network access to support Chinese strategic objectives.
Pre-positioning on energy assets may support several potential outcomes, including geostrategic signalling during heightened bilateral tensions, supporting influence operations, or as a precursor to kinetic escalation, it said.
RedEcho has strong infrastructure and victimology overlaps with Chinese groups APT41/Barium and Tonto Team, while ShadowPad is used by at least five distinct Chinese groups, it said.
The high concentration of IPs resolving to Indian critical infrastructure entities communicating over several months with a distinct subset of AXIOMATICASYMPTOTE servers used by RedEcho indicates a targeted campaign, with little evidence of wider targeting in Recorded Future's network telemetry, it said.
Recorded Future said that, in the lead-up to the May 2020 border skirmishes, it observed a noticeable increase in the provisioning of PlugX malware C2 infrastructure, much of which was subsequently used in intrusion activity targeting Indian organisations.
The PlugX activity included the targeting of multiple Indian government, public sector and defence organisations from at least May 2020, it said.
While not unique to Chinese cyber espionage activity, PlugX has been heavily used by China-nexus groups for many years.
Throughout the remainder of 2020, we identified a heavy focus on the targeting of Indian government and private sector organisations by multiple Chinese state-sponsored threat activity groups, it said.
Recorded Future alleged that it also observed the suspected Indian state-sponsored group Sidewinder target Chinese military and government entities in 2020, in activity overlapping with recent Trend Micro research.
(With inputs from PTI and Reuters)