Explained: China’s Cyber Attack On India’s Power Grid Amid Ladakh Standoff; May Even Have Caused Blackout In Mumbai 

A new study by Recorded Future, a cybersecurity company based in Massachusetts, says Chinese state-sponsored groups targeted India’s power grid and could have been behind the electricity blackout in Mumbai, in October 2020, when India and China were locked in a military standoff in eastern Ladakh, the worst in over four decades.

The report, available here, says that the Recorded Future’s Insikt Group tracked a steep rise in targeted intrusion activity against Indian power generation and transmission infrastructure from Chinese state-sponsored groups.

It notes that a “concerted campaign” was launched against large swathes of India’s power sector, targeting at least 10 Indian power sector organisations, including four of the five Regional Load Despatch Centres in the country responsible for the integrated operation of India’s power grid, including balancing electricity supply and demand to maintain a stable grid frequency.

“In total, we identified 21 IP addresses resolving to 10 distinct Indian organizations in the power generation and transmission sector that were targeted,” the report by Recorded Future says.

Recorded Future was able to track targeted attacks against 12 Indian entities, all of which qualify as critical infrastructure according to the National Critical Information Infrastructure Protection Centre definition.

Apart from the power grid, targets include Mumbai and Tuticorin ports.

The targeting of India’s critical infrastructure, which this report says began sometime around mid-2020, amid the military standoff with China, could have been aimed at sending a message to India, a report in the New York Times says.

In November 2020, little over a month after the blackout in Mumbai, reports in the Indian media, based on the findings in a preliminary investigation by Maharashtra’s cyber department, said the massive power outage in India’s financial capital could have been caused by cyberattacks originating from China.

While Indian authorities have remained silent on the issue since, the findings in this report provide additional evidence to support the claim.

The report found evidence which proves that Chinese state-sponsored groups placed malware in India’s electricity grid and other critical infrastructure. Most of the malware was never activated, the report says, adding that the “pre-positioning [of malware] on energy assets may support several potential outcomes, including geo-strategic signaling during heightened bilateral tensions, supporting influence operations, or as a precursor to kinetic escalation”.

Recorded Future has shared its findings with India’s Computer Emergency Response Team, or CERT-In, a cybersecurity agency responsible for investigation and early-warning. While CERT has acknowledged the receipt of information from Recorded Future at least twice, it has not shared its own assessment.

“Power is a very sensitive and strategic sector...we have to guard it against any sabotage by countries which are adversaries or possible adversaries,” India’s Power Minister, R K Singh, had said in June 2020, a few months before the blackout in Mumbai, with an indirect reference to China.

Just days later, Xiang Ligang, head of the Beijing-based Information Consumption Alliance, a telecom industry association, had said that it was “technically possible” to target Indian power grid and “cause partial network paralysis”.

This isn’t the first time China is being accused of placement of malware in an adversary’s electric grid. Cybersecurity groups in India, including the Cyber Peace Foundation, have noted a surge of malware directed at India’s power sector.

Concerns have also been raised in the US, Australia and other countries.

In 2014, Admiral Michael Rogers, the then head of the National Security Agency and the US Cyber Command, warned that China had the capability to shut down US’ power grid and other critical infrastructure. In Australia, experts have called for investigations into Chinese state involvement in Australia’s power grid.

Interestingly, Recorded Future says it had observed that “suspected Indian state-sponsored group Sidewinder” had targeted Chinese military and government entities in 2020, hinting that New Delhi may have been responding to Chinese provocations on the cybersecurity front to deter Beijing.