Suspected Chinese hackers are targeting India’s power grid

It's the continuation of a years-long trend.
Smoke from a fire that broke out at the Ghazipur landfill darkens the sky on the backdrop of high-tension electricity pylons on the outskirts of New Delhi on March 28, 2022. (Photo by MONEY SHARMA/AFP via Getty Images)

Hackers likely affiliated with the Chinese government have been going after North India’s power supply, according to a report by Recorded Future.

Researchers observed “likely” network intrusions of at least seven state centers that carry out real-time grid control and electricity dispatch, according to the Wednesday evening report.

The activity has been concentrated in North India, where China has clashed with India over disputed territory on the Himalayan border. Other activities by the same hacking group included the compromise of a national emergency response system and the Indian subsidiary of a multinational logistics company. 

Hackers likely gained access to the dispatch centers by compromising internet-facing camera devices, researchersHackers used compromised IOT devices as a control and command center to communicate with the infected networks. Researchers weren’t able to pinpoint the initial vector for how the malware got into the networks.


Researchers saw similar attacks between mid-2020 and February 2021 when both China and India agreed to pull forces from the dispute. At the time, researchers attributed attacks on 10 different Indian power sector organizations, two ports and a large generation operator to a Chinese state-sponsored group called “RedEcho.”

The activity has been concentrated in North India, where China has clashed with India over disputed territory on the Himalayan border.

The new activity shows some overlaps with RedEcho, but researchers were not able to definitely tie the group to the attack. Both RedEcho and the unidentified group use a malware known as ShadowPad, which has been linked with several suspected Chinese government-connected hacking groups, including the prominent China-linked group called APT41. APT41 has in the past targeted Indian officials.

In contrast to much activity associated with Chinese state-sponsored actors, the campaign caught by Recorded Future “offers limited economic espionage or traditional intelligence-gathering opportunities,” the researchers write. Instead, the consistent activity represents that gathering information on India’s energy systems is “likely a long-term strategic priority for selection of Chinese state-sponsored threat actors.”

China’s Foreign Ministry spokesman Zhao Lijian told reporters Thursday that China “firmly opposes and combats any form of cyberattacks, and will not encourage, support or condone any cyberattacks,” the Associated Press reported.


“I would like to advise the company concerned that if they really care about global cybersecurity, they should pay more attention to the cyberattacks by the U.S. government hackers on China and other countries, and do more to help promote dialogue and cooperation among countries, instead of using the cyberattack issue to stir up trouble and throw mud at China,” Lijian said.

The Chinese embassy did not immediately respond to CyberScoop’s request for comment.

Corrected 4/7/22: to reflect that researchers found that hackers used vulnerable IoT devices as command and control centers for the malware. They were not the vector for infecting the power center networks.

Tonya Riley

Written by Tonya Riley

Tonya Riley covers privacy, surveillance and cryptocurrency for CyberScoop News. She previously wrote the Cybersecurity 202 newsletter for The Washington Post and before that worked as a fellow at Mother Jones magazine. Her work has appeared in Wired, CNBC, Esquire and other outlets. She received a BA in history from Brown University. You can reach Tonya with sensitive tips on Signal at 202-643-0931. PR pitches to Signal will be ignored and should be sent via email.

Latest Podcasts