2 March 2021

A cybersecurity organization, Recorded Future, has released a report which suggests, but does not conclude, that China launched a cyberattack on India’s electrical grid system which resulted in a temporary blackout of electricity to the city of Mumbai last October. The Executive Summary of the report asserts:

“Relations between India and China have deteriorated significantly following border clashes in May 2020 that resulted in the first combat deaths in 45 years between the world’s two most populous nations. As a result, on January 12, 2021, India’s foreign minister Subrahmanyam Jaishankar announced that trust between India and China was “profoundly disturbed.” While diplomacy and economic factors have been effective in preventing a full-blown war, notable most recently with the bilateral disengagement at the border, cyber operations continue to provide countries with a potent asymmetric capability to conduct espionage or pre-position within networks for potentially disruptive reasons.

“Since early 2020, Recorded Future’s Insikt Group observed a large increase in suspected targeted intrusion activity against Indian organizations from Chinese state-sponsored groups. From mid-2020 onwards, Recorded Future’s midpoint collection revealed a steep rise in the use of infrastructure tracked as AXIOMATICASYMPTOTE, which encompasses ShadowPad command and control (C2) servers, to target a large swathe of India’s power sector. 10 distinct Indian power sector organizations, including 4 of the 5 Regional Load Despatch Centres (RLDC) responsible for operation of the power grid through balancing electricity supply and demand, have been identified as targets in a concerted campaign against India’s critical infrastructure. Other targets identified included 2 Indian seaports.

“Using a combination of proactive adversary infrastructure detections, domain analysis, and Recorded Future Network Traffic Analysis, we have determined that a subset of these AXIOMATICASYMPTOTE servers share some common infrastructure tactics, techniques, and procedures (TTPs) with several previously reported Chinese state-sponsored groups, including APT41 and Tonto Team.

“Despite some overlaps with previous groups, Insikt Group does not currently believe there is enough evidence to firmly attribute the activity in this particular campaign to an existing public group and therefore continue to track it as a closely related but distinct activity group, RedEcho.”

The full report is available to anyone who wishes to register with Recorded Future. It is a very detailed and well-documented report, but it is also full of technical jargon that is difficult for me to assess. The New York Times summarizes some of the findings in an article entitled “China Appears to Warn India: Push Too Hard and the Lights Could Go Out”. The Indian press was quick to blame China for the attack:

“Thousands of cyber attacks had been witnessed in a period of four to five days in June this year on the Information, Banking and Infrastructure sectors in the country.

“The Maharashtra Cyber department had said after thorough analysis and investigation it has been found that all these attacks generated from China and were targeted at some of the most crucial sectors.

“Special Inspector General of Police, Yashasvi Yadav, Maharashtra Cyber Intelligence Cell had then said, ‘We at the Maharashtra Cyber department have collated information that in the Indian cyberspace there has been a sudden surge since past four to five days where attacks have happened on major sectors from China. These sectors include Information, Infrastructure and Banking. There has been a minimum of 40300 probes or cyber attacks for which we have gathered information as of now.’

“He added, ‘These cyber-attacks or hacking attempts are happening from the Chengdu area of China. Chengdu is the capital of southwestern China’s Sichuan province. These can be divided into three categories which are Denial of service attacks.'”

Needless to say, the Chinese have denied that they were responsible for the attack: “The relevant allegations are pure rumors and slanders. Cyber attacks are highly complicated and sensitive, and their origin is difficult to trace. Speculation and fabrication have no role to play on the issue of cyber attacks. It is highly irresponsible to accuse a particular party when there is no evidence. China is firmly opposed to such irresponsible and ill-intentioned practice.”

It is unlikely that there will be a definitive determination of what actually happened in India. But there is no question that cyber attacks are something which states cannot ignore, and that they raise the stakes in any possible future crisis. Cyber activity is now firmly established as an instrument of war and diplomacy. The Center for Strategic and International Studies has compiled a very long list of previous cyberwarfare activities which can be accessed here.

Posted March 2, 2021 by vferraro1971 in World Politics

4 responses to “2 March 2021”


  1. Why use an ambiguous sentence: “… which suggests, but does not conclude …”?
    Why not make sure?


    • The article lacks definitive proof for the proposition and therefore fails to come to the conclusion. We are all free to interpret the ambiguous data, but the author of the article chooses not to. I actually admire authors who do not claim more than the evidence proves.


      • I doubt whether the mass media in a country dare to tell the truth if that truth is contrary to their own national interests.
        Social media in my country also carried the news about the Chinese cyber attack on India. But I’m still thinking critically as follows:
        1) What if someone sends a computer expert to China, or pays someone who is in China to carry out a cyber attack on India, so that the attacker’s IP address is detected (as if it is) from China?
        2) Who has the top capability at the top level? It must be the creators of the computer system and programming itself.
        3) I think the border case between India and China is still at the level of a “boxing ring” without weapons, and it has been resolved properly by both parties. I’m just surprised that it was positioned as the GREAT news, and then followed by (lacking definitive proof) cyber attack news at an adjacent time. It seems that this is some kind of scenario for forming an alibi (if not called a proxy war). In colonial times, one of the ways to weaken the resistance of colonized countries was to play the politics of “divide et impera”.

        I’m just thinking critically. You may not agree with me.


  2. There are several social media sites in the US that are quite critical of US policies (https://www.motherjones.com/) (https://jacobinmag.com/) (https://theintercept.com/) (https://www.alternet.org/) (https://www.antiwar.com/). But your point about mass media is probably correct.
    You raise very good questions about the difficulties in tracing the source of cyberattacks, and that is why it is impossible to conclusively identify a Chinese source in the cyberattack on India. But no one questions the ability of many in China to launch such attacks. It is also very difficult to ascribe official sanction for cyberattacks–no government would allow one of its computers to be used in an attack on another state. But there are plenty of unofficial links between private and governmental sources.
    Whether the border disputes between India and China (there are several) are “resolved” remains to be seen. They have festered for quite some time and there are no signed agreements firmly establishing borders in the disputed areas. I hope that you are correct in thinking that this particular dispute will calm down.

