Suspected China-linked hackers targeted India’s energy sector, research suggests

China may be trying to send a signal to India, analysts say.

A hacking group with suspected ties to China has been targeting entities in the power generation and distribution sector in India, according to Recorded Future research published Sunday.

The group, which Recorded Future is calling “RedEcho,” has targeted 10 power sector organizations in India since mid-2020, including four of five regional load dispatch centers that balance electricity supply and demand, according to the research. The attackers have also targeted at least two Indian seaports, Recorded Future says.

RedEcho has targeted Indian energy assets using command-and-control infrastructure associated with malware known as ShadowPad, which has been linked with several suspected Chinese government-connected hacking groups.

The identity of the hackers behind RedEcho is unclear.


Infrastructure and targeting activity that Recorded Future observed, though, overlaps with a China-linked group called APT41, analysts said. The group, which has previously used ShadowPad malware, has ties to China’s civilian intelligence agency, the Ministry of State Security (MSS), according to the U.S. Department of Justice, and is often tasked with targeting telecommunications companies, social media companies, software development firms and non-profit entities.

APT41 has recently targeted medical and defense entities as well.

Recorded Future says the group targeting India’s energy assets also appears to have links with another China-linked group called Tonto Team, a group that has typically gone after energy and defense targets in East Asia. Tonto Team reportedly has links with the Chinese People’s Liberation Army, the security firm FireEye said in prior findings.

The India-focused hacking operation could have been intended to allow intruders to lurk on India’s power assets as a “show of force,” analysts suggested, amid border clashes between India and China, which in recent months have turned violent.

The research is raising fresh questions about whether cyber means caused a power outage in Mumbai in October. Last fall, Indian authorities questioned whether Chinese hackers were responsible for the outage, which left hospitals, trains and businesses at a standstill for hours, according to local news outlets.


Indian authorities have formed three committees to investigate and are slated to reveal their findings this week, according to Maharashtra Energy Minister Nitin Raut. Raut said Monday the Recorded Future findings lay bare some truth about the outage in Mumbai, though he failed to be more specific.

Recorded Future does not draw an explicit connection between the RedEcho targeting and the Mumbai outage, but suggests the hackers have been targeting load dispatch centers in India in a coordinated manner.

“At this time, the alleged link between the outage and the discovery of the unspecified malware variant remains unsubstantiated,” the Recorded Future report states. “However, this disclosure provides additional evidence suggesting the coordinated targeting of Indian Load Despatch Centres.”

Chinese government-linked hackers have gone after targets in India before, according to an analysis published by the Departments of Defense and Homeland Security last fall. Hackers linked with Beijing have targeted law enforcement and government entities in India, for instance, according to previous Recorded Future research.

The New York Times first reported on Recorded Future’s findings on Sunday.

Written by Shannon Vavra

Shannon Vavra covers the NSA, Cyber Command, espionage, and cyber-operations for CyberScoop. She previously worked at Axios as a news reporter, covering breaking political news, foreign policy, and cybersecurity. She has appeared on live national television and radio to discuss her reporting, including on MSNBC, Fox News, Fox Business, CBS, Al Jazeera, NPR, WTOP, as well as on podcasts including Motherboard’s CYBER and The CyberWire’s Caveat. Shannon hails from Chicago and received her bachelor’s degree from Tufts University.
