Since the beginning of 2020, Recorded Future's Insikt team has observed a significant increase in intrusions by Chinese state-sponsored groups against India. Recorded Future reported that from mid-2020 onward, the use of AXIOMATICASYMPTOTE infrastructure, including ShadowPad command and control (C2) servers, increased dramatically, with much of it aimed at the Indian power sector.
Ten different power sector organizations in India, including 5 Regional Load Dispatch Centers (RLDCs), which are responsible for operating the grid by balancing power supply and demand, have been identified as targets of a coordinated campaign against India's critical infrastructure. Two Indian seaports were also identified as targets.
Using a combination of infrastructure detection, domain analysis, and network traffic analysis, it was determined that a subset of these AXIOMATICASYMPTOTE servers shared TTPs with previously reported Chinese state-sponsored groups, including APT41 and the Tonto group.
In recent years, India's economic and geopolitical ambitions have brought it into direct competition with China, highlighting the increasingly fierce rivalry between the two most populous countries in the world. Since May 5, 2020, Indian and Chinese forces have had several skirmishes along the border between the two countries.
For example, we observed that Sidewinder, a group suspected of being supported by the Indian state, targeted Chinese military and government entities in 2020; this activity overlaps with Trend Micro's recent research.
Before the skirmish in May 2020, we observed a significant increase in the provisioning of PlugX malware C2 infrastructure, most of which was subsequently used in intrusions against India. This PlugX activity includes the targeting of multiple Indian government, public sector, and defense organizations from at least May 2020. Although PlugX is not unique to Chinese cyber espionage, it has been used extensively by China-linked groups for many years. Throughout the remainder of 2020, we found that many Chinese state-backed threat activity groups treated Indian government and private sector organizations as a top-priority target.
ShadowPad is a modular backdoor first discovered in the NetSarang supply-chain compromise of 2017. FireEye later attributed that intrusion to APT41 (BARIUM). Although ShadowPad was initially considered exclusive to APT41, since the end of 2019 more Chinese groups have begun using ShadowPad in network intrusion activity. We assess that ShadowPad is widely shared among groups affiliated with the Ministry of State Security (MSS) and groups affiliated with the People's Liberation Army (PLA), and that a centralized ShadowPad developer is likely responsible for maintaining and updating the tool.
Figure: RedEcho TTPs and Recorded Future data sourcing graphic