2021-03-03

Photo: Krisztian Bocsi / Bloomberg

At least one open link between Chinese state-sponsored hackers and an Indian port network system is still active, even as authorities block attempts to infiltrate the South Asian country’s electricity sector, according to the US firm that warned officials.

As of Tuesday, Recorded Future could still see a ‘handshake’ – indicating an exchange of traffic – between a China-linked group and an Indian seaport, said Stuart Solomon, the firm’s chief executive. Recorded Future calls the group RedEcho and says it had targeted up to 10 entities in India’s power grid, as well as two seaports, by the time the company first notified India’s Computer Emergency Response Team on February 10. Most of these connections were still functional as recently as February 28, Solomon said.

“There is still an active link between the attacker and the attacker,” Solomon said, referring to the port. “It’s still happening.”

A spokesman for the Ministry of Electronics and Information Technology of India was not immediately available for comment. “Without any evidence, slander against a specific party is irresponsible behavior and a bad intention,” Chinese Foreign Ministry spokesman Wang Wenbin said in Beijing on Wednesday.

Intrusions into India’s critical infrastructure have been going on since at least the middle of last year, according to Recorded Future, a date that marks the start of a bloody clash between Indian and Chinese soldiers at a border post in the Himalayas.

Since then, authorities across India’s federal and state governments have been arguing over whether a cyber attack was responsible for the October collapse of the power grid supplying Mumbai, an outage that brought the financial center to a standstill for several hours, affecting stock markets, transportation networks and thousands of households.

Recorded Future, a privately held Boston-based cyber security firm that tracks malicious activity by nation-state actors, has drawn no connection between the surveillance traffic attributed to RedEcho and the Mumbai outage, and has made no such allegation. But, Solomon said, “it is not uncommon to see this kind of technique used by nation states as an instrument of national power.”

“It can be as simple as trying to direct impact operations to be able to signal to the people or the government that at any given time they have power that can be used against them,” he added.

Indian federal officials have denied any cyber attack, but say malware was found. The National Center for the Protection of Critical Information Infrastructure emailed the Energy System Operation Center Corp. regarding the threat from RedEcho on February 12, the Energy Ministry said in a statement Tuesday. Employees at the dispatch center shut down the control functions that allow switches to be operated remotely. They changed user credentials and isolated vulnerable devices.

Investigators from the state of Maharashtra, which hosts Mumbai, will present their findings to local lawmakers Wednesday.

Regarding the Mumbai power outage on October 12, initial information suggested that 14 Trojan horses, a form of malicious code, and 8 gigabytes of unaccounted-for foreign data could have been transferred to the main electricity board, said Anil Deshmukh, the interior minister of Maharashtra, on Monday. He added that blacklisted IP addresses had been identified attempting to reach the board’s servers. He did not attribute the attack to any country or entity.

The 10 entities infiltrated by RedEcho cover nearly 80% of India’s land mass from an electricity coverage perspective, Solomon said. The intrusions could have remained unexposed and undetected until needed as leverage, he said.

“If he had intended to remove the lights, he would have removed the lights,” Solomon said. “He did not.”

– With the help of Dhwani Pandya, Sudhi Ranjan Sen and Lucille Liu