In early March, Recorded Future's Insikt Group published a report titled China-Linked Group RedEcho Targets the Indian Power Sector, which detailed the targeting of twelve Indian organizations: ten in the energy sector, specifically power generation and transmission, and two in the maritime sector.
In the Insikt Group assessment, there are "significant concerns over pre-positioning of network access to support China's strategic objectives." It is within this context of Sino-Indian relations that a bit of geographic realpolitik is in order.
India and China (mostly) peacefully share more than 2,000 miles of border across some of the world's most inhospitable terrain, in the Himalayan mountain range. The last shooting war between the two nations occurred in 1962 and left a good chunk of the border in dispute; a mutually agreed "Line of Actual Control" was created in its place.
These nuclear-armed nations saw their peaceful coexistence evaporate in June 2020 when Chinese troops attacked an Indian patrol within the disputed area in the Galwan Valley of eastern Ladakh. The attack can only be described as a bare-knuckle brawl: fists, stones and nail-studded bamboo poles were used. When the dust settled, 20 Indian soldiers had died, including the commanding officer of the patrol, who was pushed off the mountainside to his death.
In the ensuing months, troop buildups have occurred on both sides, and the low-intensity confrontations, which have consisted of shouting matches and stone throwing, have also escalated.
The trigger for the Sino-Indian disputes is rooted in infrastructure. China blames India for provoking the June 2020 clash by building a new road to a high-altitude air base. Meanwhile, further to the east, China is following through on its fourteenth Five-Year Plan, which lists as a development goal a mega-dam on the Brahmaputra River, as it is called in India (the Yarlung Zangbo in China). Such a dam could reduce the water supply along the roughly 1,856 kilometers of river between the Chinese border and the Bay of Bengal, for both India and Bangladesh.
RedEcho sent a clear signal to India that, while China may engage in fisticuffs along the Line of Actual Control, it is also willing to carry the low-intensity conflict into the cyber domain by targeting India's infrastructure.
We talked with Recorded Future’s Insikt Group about the RedEcho activity to learn if neighboring nations, or those involved with the Chinese Belt and Road Initiative, were similarly engaged by RedEcho, and learned that the attacks have “been exclusively focused on Indian targets.” With the publication of the report on March 1, the Insikt Group noted that activity “gradually ceased and the last communication identified between the victim organizations and the RedEcho infrastructure was on March 2, 2021.”
The Insikt Group added that the RedEcho team “parked large amounts of their infrastructure, likely in response to the public reporting and incident response efforts.” They opined, “It remains to be seen how the group’s longer term M.O. will evolve following publication, but we believe it is likely that they will attempt to use other methods to attempt to maintain persistent access to the targeted organizations. This highlights the need for a full incident response effort for affected organizations to ensure the group does not maintain other means of network access.”
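The Insikt Group's point above is that a drop in traffic to known infrastructure is not a clean bill of health. As an added example (not from the Recorded Future report or from this article), the Python below sweeps constructed proxy log lines against a constructed indicator set and reports, per internal host, first and last contact, request count and bytes sent, plus which hosts were still in contact on or after a cutoff date such as the disclosure date. The log format, the hostnames and the indicators (RFC 5737 documentation addresses and an example.net name) are all assumptions and are not RedEcho indicators.

```python
"""IOC sweep of proxy logs: per-host first/last contact with indicator infrastructure.

Added example; indicator values, hostnames and the log format are constructed.
"""
from datetime import datetime, timezone

# Constructed indicators: RFC 5737 documentation addresses and an example.net name.
# Placeholders only, NOT indicators from the RedEcho report.
C2_IPS = {"203.0.113.10", "198.51.100.7"}
C2_DOMAINS = {"update.example.net"}

# Constructed log lines, one request each:
#   <UTC timestamp> <internal host> <dst IP> <dst hostname or -> <bytes sent>
SAMPLE_LOG = """\
2021-02-20T03:14:05Z ot-hmi-01 203.0.113.10 update.example.net 1480
2021-02-27T22:01:13Z corp-ws-17 93.184.216.34 www.example.com 510
2021-03-01T11:40:02Z ot-hmi-01 203.0.113.10 update.example.net 1520
2021-03-02T04:05:44Z eng-ws-03 198.51.100.7 - 2048
2021-03-09T09:12:00Z eng-ws-03 192.0.2.55 mirror.example.org 90211
"""

# Public disclosure date cited in the article; used as the default cutoff.
REPORT_DATE = datetime(2021, 3, 1, tzinfo=timezone.utc)


def parse_line(line):
    """Split one constructed log line into a record; timestamps are UTC."""
    ts, src, dst_ip, dst_host, nbytes = line.split()
    when = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return {"when": when, "src": src, "dst_ip": dst_ip,
            "dst_host": None if dst_host == "-" else dst_host.lower(),
            "bytes": int(nbytes)}


def matches(rec, c2_ips, c2_domains):
    """Return the indicators a record touches (exact IP, or domain/subdomain match)."""
    hit = set()
    if rec["dst_ip"] in c2_ips:
        hit.add(rec["dst_ip"])
    host = rec["dst_host"]
    if host:
        for d in c2_domains:
            if host == d or host.endswith("." + d):
                hit.add(d)
    return hit


def sweep(log_text, c2_ips=C2_IPS, c2_domains=C2_DOMAINS):
    """Per internal host: first/last contact, request count, bytes out, indicators seen."""
    hits = {}
    for line in log_text.splitlines():
        if not line.strip():
            continue
        rec = parse_line(line)
        ind = matches(rec, c2_ips, c2_domains)
        if not ind:
            continue
        h = hits.setdefault(rec["src"], {"first_seen": rec["when"], "last_seen": rec["when"],
                                         "count": 0, "bytes_out": 0, "indicators": set()})
        h["first_seen"] = min(h["first_seen"], rec["when"])
        h["last_seen"] = max(h["last_seen"], rec["when"])
        h["count"] += 1
        h["bytes_out"] += rec["bytes"]
        h["indicators"] |= ind
    return hits


def still_talking(hits, cutoff):
    """Hosts whose last contact with indicator infrastructure is on or after cutoff.

    A host that went quiet before cutoff is not cleared: the same operator may have
    moved to infrastructure for which there is no indicator yet. Both lists go to IR.
    """
    return sorted(h for h, v in hits.items() if v["last_seen"] >= cutoff)


if __name__ == "__main__":
    result = sweep(SAMPLE_LOG)
    for host, v in sorted(result.items()):
        print(f"{host}: {v['count']} requests, {v['bytes_out']} bytes out, "
              f"{v['first_seen']:%Y-%m-%d} .. {v['last_seen']:%Y-%m-%d}, "
              f"{sorted(v['indicators'])}")
    print("contact on/after disclosure:", still_talking(result, REPORT_DATE))
```

The sweep only tells the responder where the known infrastructure was reached from and when it was last reached; the hosts it flags are the starting point for the host-level investigation the Insikt Group calls for, not the end of it.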
Cyberattacks against national infrastructure are neither unique nor new in a global context.
Dr. Christopher Ahlberg, CEO and co-founder, Recorded Future, tells us, “The impact of a cyberattack targeting the critical infrastructure of a country, whether for espionage or malicious activity, has the potential to be catastrophic with long-term repercussions. We have long seen cyber efforts from China aimed around strategic policies and initiatives, and this campaign from RedEcho is no exception. Accurate and actionable intelligence is vital for preempting such attacks and proactively disrupting adversaries both within an organization and across a nation.”
Chris Blask, global director, applied innovation at Unisys, said, “The findings about RedEcho are another indication that the trend towards using cyber means against national infrastructure for political ends continues to follow its multi-decade curve.”
"Nation-states should continue to develop processes, such as seen in the NERC CIP series of regulations, for lessons," Blask said. "The timing of NERC CIP-013 last October requiring supply chain strategies for critical electrical operators, the SolarWinds attack, and the Feb. 24, 2021 executive order from U.S. president Joe Biden creating a 100-day window for federal departments to develop supply chain security strategies can be seen as an indication of areas for those working on national defense systems to focus."
The U.S. focus on supply chain security, especially in the context of national security interests, is further evidenced by two separate projects worthy of approbation: the Digital Bill of Materials (DBoM) architecture and the Software Bill of Materials (SBoM) initiative led by the Department of Commerce.
RedEcho Next Steps
The next steps for India are for the targeted entities and the organizations responsible for protecting India's national infrastructure (CERT-In, the Ministry of Power and the National Critical Information Infrastructure Protection Centre, NCIIPC) to dig in and conduct their analysis.
It is likely that internal investigations into RedEcho already are ongoing. The Insikt Group has “encourage[d] affected parties to collaborate and share findings to further understand the full extent of RedEcho’s activity.”