Chinese state-sponsored groups intruded into the computer networks of at least a dozen Indian state-run organisations, mainly power utilities and load dispatch centres, since mid-2020 in an attempt to insert malware that could cause widespread disruptions, according to a new study.

Among the organisations that were targeted were NTPC Limited, the countrys largest power conglomerate, five key regional load dispatch centres that help in the management of the national power grid by balancing electricity supply and demand and two ports, says the study by Recorded Future, a US-based company that tracks the use of the internet by state actors for cyber-campaigns.

All 12 organisations would qualify as critical infrastructure, according to the Indian National Critical Information Infrastructure Protection Centres (NCIIPC) definition. The activity apparently began much before the clashes between Indian and Chinese troops in May 2020 that triggered the border standoff in Ladakh sector of the Line of Actual Control, and there was asteep rise from the middle of last year in the use of a particular software used by Chinese state-sponsored groups to targeta large swathe of Indias power sector, Recorded Future said in its report.

The report further said the alleged intrusions by the Chinese groups, some with known links to the Ministry of State Security (MSS), or Chinas main intelligence and security agency, and the Peoples Liberation Army (PLA), were not limited to the power sector. There were apparent efforts to target numerous government and defence organisations, the report said.

In the lead-up to the May 2020 skirmishes, we observed a noticeable increase in the provisioning of PlugX malware C2 infrastructure, much of which was subsequently used in intrusion activity targeting Indian organizations. The PlugX activity included the targeting of multiple Indian government, public sector, and defense organizations from at least May 2020, the report said. PlugX has beenheavily used by China-nexus groups for many years, and throughout the rest of 2020, Recorded Futures investigatorsidentified a heavy focus on the targeting of Indian government and private sector organizations by multiple Chinese state-sponsored threat activity groups.

Recorded Future identified the Chinese group involved in the intrusion activity as Red Echo and said it had strong overlaps in terms of both the technology it uses and its victims with other groups such as APT41/Barium and Tonto Team that have been involved in similar cyber-campaigns.

The 12 organisations targeted by Red Echo were Power System Operation Corporation Limited, NTPC Limited, NTPCs Kudgi power plant, Western Regional Load Dispatch Centre, Southern Regional Load Dispatch Centre, North Eastern Regional Load Dispatch Centre, Eastern Regional Load Dispatch Centre, Telangana State Load Dispatch Centre, Delhi State Load Dispatch Centre, the DTL Tikri Kalan (Mundka) sub-station of Delhi Transco Ltd, VO Chidambaranar Port and Mumbai Port Trust.