'China hit Mumbai with blackout as troops clashed in Ladakh last year'

The discovery raises the question about whether an outage that struck on October 13 in Mumbai, one of the country's busiest business hubs, was meant as a message from Beijing about what might happen if India pushed its border claims too vigorously, NYT said.

China launched a cybercampaign against India's power grid, targeting Mumbai on October 13 last year, as a warning message after the tension at the Ladakh border.

The New York Times reported that a new study lends weight to the idea that those two events may have been connected - as part of a broad Chinese cyber campaign against India's power grid, timed to send a message that if India pressed its claims too hard, the lights could go out across the country.

"The study shows that as the battles raged in the Himalayas, taking at least two dozen lives, Chinese malware was flowing into the control systems that manage electric supply across India, along with a high-voltage transmission substation and a coal-fired power plant", NYT said.

The report said the flow of malware was pieced together by Recorded Future, a Somerville, Massachusetts, company that studies the use of the internet by state actors. It found that most of the malware was never activated.

"And because Recorded Future could not get inside India's power systems, it could not examine the details of the code itself, which was placed in strategic power-distribution systems across the country. While it has notified Indian authorities, so far they are not reporting what they have found", NYT said.

Stuart Solomon, Recorded Future's chief operating officer, said that the Chinese state-sponsored group, which the firm named Red Echo, "has been seen to systematically utilize advanced cyberintrusion techniques to quietly gain a foothold in nearly a dozen critical nodes across the Indian power generation and transmission infrastructure."

The discovery raises the question about whether an outage that struck on October 13 in Mumbai, one of the country's busiest business hubs, was meant as a message from Beijing about what might happen if India pushed its border claims too vigorously, NYT said.

It added that news reports at the time quoted Indian officials as saying that the cause was a Chinese-origin cyberattack on a nearby electricity load-management center. Authorities began a formal investigation, which is due to report in the coming weeks. Since then, Indian officials have gone silent about the Chinese code, whether it set off the Mumbai blackout and the evidence provided to them by Recorded Future that many elements of the nation's electric grid were the target of a sophisticated Chinese hacking effort.

NYT said the investigators who wrote the Recorded Future study, which is set to be published Monday, said that "the alleged link between the outage and the discovery of the unspecified malware" in the system "remains unsubstantiated." But they noted that "additional evidence suggested the coordinated targeting of the Indian load dispatch centers," which balance the electrical demands across regions of the country.

"I think the signaling is being done" by China to indicate "that we can and we have the capability to do this in times of a crisis," said retired Lt. Gen. D.S. Hooda, a cyberexpert who oversaw India's borders with Pakistan and China. "It's like sending a warning to India that this capability exists with us", NYT quoted.

In the Indian case, Recorded Future sent its findings to India's Computer Emergency Response Team, or CERT-In, a kind of investigative and early-warning agency most nations maintain to keep track of threats to critical infrastructure. Twice the center has acknowledged receipt of the information, but said nothing about whether it, too, found the code in the electric grid, NYT said.

Repeated efforts by The New York Times to seek comment from the center and several of its officials over the past two weeks yielded no response.

In India, a patchwork of state-backed hackers were caught using coronavirus-themed phishing emails to target Chinese organizations in Wuhan last February. A Chinese security company, 360 Security Technology, accused state-backed Indian hackers of targeting hospitals and medical research organizations with phishing emails, in an espionage campaign.

Four months later, as tensions rose between the two countries on the border, Chinese hackers unleashed a swarm of 40,300 hacking attempts on India's technology and banking infrastructure in just five days. Some of the incursions were so-called denial-of-service attacks that knocked these systems offline; others were phishing attacks, according to the police in Maharashtra, as per NYT.

Yashasvi Yadav, a police official in charge of Maharashtra's cyber-intelligence unit, said authorities found "suspicious activity" that suggested the intervention of a state actor.

But Yadav declined to elaborate, saying the investigation's full report would be released in early March. Nitin Raut, a state government minister quoted in local reports in November blaming sabotage for the Mumbai outage, did not respond to questions about the blackout, NYT reported.

True Scoop
www.truescoopnews.com