Making sense of current hoopla on Cyber-Attack on Indian Power companies

Saaho

Senior member
Dec 27, 2019
So I heard some chatter on a so-called cyber-attack that resulted in a grid failure / blackout in Mumbai. The usual suspects in NYTimes were going gaga over it, so I decided to look into it a bit more and I will use this thread as a placeholder for anything that I find.

1. Who detected this "attack"?
A certain company by the name of "Recorded Future". It's not exactly one of the known names in security that sells customer products; it claims to sell "platforms" and specializes in "China" malware. As you will see further on, most of the capabilities of this company are shrouded in mystery, much like its report.

2. What are they saying?
Using totally opaque terms they are claiming the Chinese government and PLA hired some private cyber-espionage people who attacked Indian electric companies using a form of malware called "ShadowPad".

You can read about the real "ShadowPad" in this excellent writeup by Kaspersky Lab and elsewhere: ShadowPad: How Attackers hide Backdoor in Software used by Hundreds of Large Companies around the World, ShadowPad in corporate networks. Basically this malware is an encrypted backdoor inserted into legitimate software during the software development / build process at the manufacturer/developer/vendor's end. The malware hence comes signed and sealed with very legitimate software. How do they do it? Most likely they compromised someone on the actual vendor's staff to insert this in the build process OR they hacked the machines of that vendor. Given they are Chinese, I think the first is the most likely way. This "ShadowPad" then uses DNS queries for C&C purposes (which is how it was found). There are more technical details BUT these should be enough.

While you read the above links, please keep in mind the level of technical details in these two articles. We will come to that later.

Now compare the above with what these folks at Recorded Future are saying:
1. They do not provide ANY clue on any malware actually found. They blame it on the Indian government for not providing or not being able to find any "codes".

2. Their publications lack ANY technical details besides names of domains being typosquatted by some Chinese companies. Most of these names are names of the Indian Railways website, NTPC website, etc.

3. They use totally opaque terminology like AXIOMATICASYMPTOTE for C&C infra supposedly used by the Chinese. They give no further details about what they actually found besides the names and IP addresses of these portals on GitHub (funny! no code, nothing on GitHub!) Insikt-Group/Research

4. Lastly, as mere conjecture they put these together with some timeline of the Ladakh conflict and come to the conclusion that the Mumbai power grid failure was a Chinese cyber attack (complete with a dark picture of a stock Indian and a uniform-draped Chinese soldier).

3. What seems to be the reality?
Intrusion and recon is an ongoing business on the internet. It is done for many reasons. Most attempts at recon and intrusion fail. This is why there are always so many attempts. As such, without any real evidence and technical details, "Recorded Future" seems to be similar to all those high-fee-seeking think tanks and consultants who produce glossy brochures with no real facts. Was there an attempt to launch a "cyberattack" on India? Most likely yes, BUT such attempts are always happening and always ongoing. Correlating it with geopolitical events is more like reading tea leaves, unless otherwise proven.
The most interesting claim is that it's possibly a retaliation. Last February, Indian "hackers" tried to infiltrate Wuhan health infrastructure, according to a Chinese cyber security company.
Put simply, there are too few leaves to make sense of anything in the tea. The entire "research" and the entire incident have too few real facts and too many speculations and "anonymous" sources.
Then you should have concluded differently in your OP. Your article ends as though there's a high possibility the said attack occurred, with or without the details.
There was definitely an attack, which was confirmed by the Mumbai police. Outside agencies can monitor spikes in traffic, especially if it's brute force.

Here is the 'Recorded Future' report:
It's like this: the kind of "attack" that happened is sort of "background noise" on the internet. What real facts are there?
1. A two-hour blackout in Mumbai which is being attributed to human error and/or sabotage.
2. A bunch of domain names reported by the said "research" group with almost no details and lacking most relevance to past ShadowPad malware.

This kind of domain name registration is very common. It is called typo-squatting. You sit on misspelled names of domains in the hope of getting some traffic on them. Usually to commit click fraud. That said, it can be used for many other purposes.

Simply put, if you look hard enough, such "attacks" will be omnipresent.

What is hard to believe is that it is indeed an attack on NTPC and Co. and a successful one (two-hour blackout). Any company that claims that should provide more than just evidence of typo-squatting.
  • Like
Reactions: _Anonymous_
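The typo-squatting described in the post above (sitting on misspelled versions of a domain) is something the owner of the real domain can watch for from the defending side. The block below is an added example written for this thread; it is not code from the post, from Recorded Future or from any report the thread mentions. It generates the common typo variants of a brand domain and screens a batch of observed registrations against them. The brand domain `examplepower.test`, the observed names, the variant rules and the alternative TLD list are all constructed assumptions.

```python
"""Generating typo-squat candidates for a domain you own and matching them
against observed registrations.

Added example for this thread, not code from the forum post or from any
vendor report. The brand domain, the "observed" registrations, the variant
rules and the alternative TLD list below are all constructed assumptions.
"""

# Same-row QWERTY neighbours: the only "fat-finger" substitutions modelled.
_ROWS = ("qwertyuiop", "asdfghjkl", "zxcvbnm")
_ALT_TLDS = ("com", "net", "org", "in", "co")

# Constructed: the brand domain a defender wants to protect, and a batch of
# (also constructed) newly seen registrations to screen against it.
PROTECTED = "examplepower.test"
OBSERVED = [
    "examplepowre.test",   # transposed letters
    "exanplepower.test",   # adjacent key (m -> n)
    "example-power.test",  # hyphen inserted
    "examplepower.com",    # same label, different TLD
    "exampleppower.test",  # repeated letter
    "examplpower.test",    # dropped letter
    "EXAMPLEPOWER.NET",    # case differs, still a TLD swap
    "weather.test",        # unrelated, must not be flagged
    "examplepower.test",   # the protected name itself, must not be flagged
]


def _neighbours(ch):
    """Keys immediately left/right of ch on the same QWERTY row."""
    for row in _ROWS:
        i = row.find(ch)
        if i >= 0:
            return row[max(0, i - 1):i] + row[i + 1:i + 2]
    return ""


def generate_variants(domain):
    """Map each typo-squat candidate of `domain` to the rule that produced it.
    Rules: omission, repetition, adjacent-key substitution, transposition,
    hyphenation and TLD swap. The first rule to produce a name wins."""
    domain = domain.lower()
    label, _, tld = domain.partition(".")
    variants = {}

    def add(name, rule):
        if name != domain and name not in variants:
            variants[name] = rule

    for i in range(len(label)):
        add(f"{label[:i]}{label[i + 1:]}.{tld}", "omission")
        add(f"{label[:i]}{label[i]}{label[i:]}.{tld}", "repetition")
        for n in _neighbours(label[i]):
            add(f"{label[:i]}{n}{label[i + 1:]}.{tld}", "adjacent-key")
    for i in range(len(label) - 1):
        swapped = label[:i] + label[i + 1] + label[i] + label[i + 2:]
        add(f"{swapped}.{tld}", "transposition")
    for i in range(1, len(label)):
        add(f"{label[:i]}-{label[i:]}.{tld}", "hyphenation")
    for alt in _ALT_TLDS:
        add(f"{label}.{alt}", "tld-swap")
    return variants


def find_squats(protected, observed):
    """Return {name: rule} for observed registrations that are typo-squats of
    `protected`. Names are normalised to lower case; exact matches of the
    protected domain and unrelated names are left out."""
    variants = generate_variants(protected)
    hits = {}
    for name in observed:
        low = name.lower().rstrip(".")
        if low in variants:
            hits[low] = variants[low]
    return hits


if __name__ == "__main__":
    for name, rule in sorted(find_squats(PROTECTED, OBSERVED).items()):
        print(f"{name:24} {rule}")
```

Run against a daily feed of new registrations, a hit list like this tells a defender which look-alikes exist, which is exactly the kind of passive observation the thread says the report stops at; on its own it says nothing about whether any of those names were ever used against anyone.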
Here is what the union minister is saying: 'Human error, no proof of China's role': RK Singh on Mumbai power outage - Oneindia News
There was definitely an attack, which was confirmed by the Mumbai police. Outside agencies can monitor spikes in traffic, especially if it's brute force.
It's not a resource exhaustion attack.

The funny fact is that in the media it is being reported as if the company actually intercepted and analyzed the said malware. Nothing could be further from the truth. The company has not presented anything to suggest that. All they have is a bunch of typo-squatted domain names and the IP addresses behind them.
  • Like
Reactions: _Anonymous_
So essentially what you're saying is this wasn't a cyber attack, but you aren't entirely ruling out the possibility either.
What I am saying is this: there is insufficient evidence to link that typo-squatting with that blackout.

I am getting a "consultancy" kind of vibe from that company. You know, a money-seeking-without-much-evidence kind of vibe.
  • Like
Reactions: _Anonymous_
This could also be read as the MVA covering up its incompetence and taking advantage of the current scenario to embarrass the Center. The Mumbai police, or any state police for that matter, is hardly independent as things stand in our great nation.
  • Like
Reactions: AbRaj
There was definitely an attack.
Lemme put it this way: there are always attacks. If you look at the logs of this website, you will see a flurry of bot traffic looking for random vulnerabilities. It's the "natural" state of the internet.

What makes an attack significant is when it has been analyzed and found to be responsible for novelty or real effect.

There is no evidence that I have seen of that thing till now.

There are further weird claims: "Most of the payload was not activated". How is it possible to even comment on this without having access to the actual payload or intercepting the communication between C&C and malware? The analysis done by that research group is completely passive. They did not present any dissection of messages (stuffed in DNS queries and answers, e.g.) or any piece of malware.

Here is one analysis done by Kaspersky for contrast. It's on the same claimed "ShadowPad" malware. Look at the depth they went to and the conclusions they drew: https://media.kasperskycontenthub.c...72148/ShadowPad_technical_description_PDF.pdf

How can an expert claim to be an expert without showing any evidence based on which they make claims?
  • Agree
Reactions: R73 FTW
Oh the modern social media! We are supposed to take the word of random experts at face value.

The kind of firms attracted to this chatter are the ones who use "data-oriented" methods to turn reality into single-digit scores or graphs. They seldom publish any technical analysis of the threats detected but always give scores, graphs and advisories.

Here is one more: Detecting to Predicting Cyber Breaches - Safe Security

Possibly they want to hawk their SAFE score to Indian government.

Yeah I read the statement from Raut.

It seems like more Congress-BJP bickering. Interesting data points are: the idea that there is sabotage came from the minister after this "attack", before any analysis started. I was wondering where this thing originated.

They should put forward that report, however. Let's see what kind of details are included therein.

Judging by the number of Windows XP and Windows 7 systems running in public offices, I am not surprised at the number of malwares found.

The interesting part is this: Mumbai police found malware, and Recorded Future suggests it's ShadowPad malware launched by a "nation state". They are supposed to support each other, right? Actually, if it were ShadowPad malware, Mumbai police would be hard pressed to find it because of the nature of the beast, i.e. being signed and integrated into legitimate software. This malware is detected by network analysis of its communication. I would certainly like to see the report.
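The OP's remark that ShadowPad was found through its DNS-based C&C traffic and the point just above that this kind of implant is detected by network analysis of its communication both come down to the same practical task: finding beaconing in resolver logs. The block below is an added example written for this thread; it is not code from the post, from Kaspersky or from Recorded Future. It scores each parent zone in a constructed query log by the number of distinct subdomains and the entropy of the leftmost label, the usual giveaway of data stuffed into queries. The log format, the thresholds and every domain in it are assumptions, not real indicators.

```python
"""Heuristic spotting of DNS-based C&C / tunnelling in resolver query logs.

Added example written for this thread; it is not code from the forum post,
from Kaspersky or from Recorded Future. The log format, the thresholds and
every domain below are constructed for illustration and are not real
ShadowPad indicators.
"""
import math
from collections import defaultdict

# Constructed sample resolver log: "<timestamp> <client_ip> <qname> <qtype>".
# Host 10.0.0.7 is made to look like a beaconing implant: many one-off,
# random-looking subdomains under one parent zone, asked for as TXT records.
SAMPLE_LOG = """\
2021-02-28T10:00:01 10.0.0.5 www.example.com A
2021-02-28T10:00:02 10.0.0.5 mail.example.com A
2021-02-28T10:00:03 10.0.0.7 a8f3k2q9z1x7c4v6.update-cdn.test TXT
2021-02-28T10:00:04 10.0.0.7 p0o9i8u7y6t5r4e3.update-cdn.test TXT
2021-02-28T10:00:05 10.0.0.7 m3n4b5v6c7x8z9l0.update-cdn.test TXT
2021-02-28T10:00:06 10.0.0.7 q1w2e3r4t5y6u7i8.update-cdn.test TXT
2021-02-28T10:00:07 10.0.0.7 z9x8c7v6b5n4m3a2.update-cdn.test TXT
2021-02-28T10:00:08 10.0.0.5 cdn.example.com A
2021-02-28T10:00:09 10.0.0.9 www.example.com AAAA
"""


def parse_log(text):
    """Parse the constructed log format into (client, qname, qtype) tuples."""
    records = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue  # skip malformed lines rather than crash on them
        _ts, client, qname, qtype = parts
        records.append((client, qname.lower().rstrip("."), qtype.upper()))
    return records


def registered_domain(qname):
    """Assumption: the parent zone is the last two labels (no public-suffix list)."""
    labels = qname.split(".")
    return ".".join(labels[-2:])


def shannon_entropy(s):
    """Bits of entropy per character; machine-generated labels score high."""
    if not s:
        return 0.0
    counts = defaultdict(int)
    for ch in s:
        counts[ch] += 1
    n = len(s)
    return -sum((c / n) * math.log2(c / n) for c in counts.values())


def domain_stats(records):
    """Aggregate per parent zone: query count, distinct subdomains, mean
    entropy of the leftmost label and the fraction of TXT queries."""
    acc = defaultdict(lambda: {"queries": 0, "subdomains": set(),
                               "entropy_sum": 0.0, "txt": 0})
    for _client, qname, qtype in records:
        parent = registered_domain(qname)
        leftmost = qname.split(".")[0] if qname != parent else ""
        d = acc[parent]
        d["queries"] += 1
        d["subdomains"].add(leftmost)
        d["entropy_sum"] += shannon_entropy(leftmost)
        d["txt"] += int(qtype == "TXT")
    return {
        parent: {
            "queries": d["queries"],
            "unique_subdomains": len(d["subdomains"]),
            "mean_entropy": d["entropy_sum"] / d["queries"],
            "txt_fraction": d["txt"] / d["queries"],
        }
        for parent, d in acc.items()
    }


def flag_suspicious(records, min_unique=4, min_entropy=3.0):
    """Parent zones whose subdomains look machine-generated: many distinct
    labels with high average entropy. The thresholds are assumptions; baseline
    them against your own resolver traffic before acting on the output."""
    return sorted(
        parent for parent, s in domain_stats(records).items()
        if s["unique_subdomains"] >= min_unique and s["mean_entropy"] >= min_entropy
    )


if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    for parent, s in domain_stats(recs).items():
        print(f"{parent:20} queries={s['queries']} unique={s['unique_subdomains']} "
              f"entropy={s['mean_entropy']:.2f} txt={s['txt_fraction']:.2f}")
    print("suspicious:", flag_suspicious(recs))
```

The point of the contrast with the report is that even this passive view produces something checkable: a zone, the clients talking to it, and the queries themselves, which can then be pulled from a capture and dissected. A list of look-alike domain names with no traffic behind them gives none of that.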
Agreed, they have not provided any conclusive evidence of the attack or malware.

I even doubt India would be using the public internet for such critical infra needs; in all cases we might have a separate isolated network.

I mostly believe they are trying to analyze our system vulnerabilities and extract information about them from us by claiming bogus attacks. It could also be that they might have injected the malware themselves, but that needs to be confirmed.

One of the attacks on the Iranian nuclear installation was effected through malware via a USB thumb drive, as their systems were not connected to the outside network. They had to wait until the malware executed to confirm whether the malware had been infiltrated into the system.

Irrespective of what has happened, it's always better to deny, to avoid exposing vulnerabilities or giving out details which can be used in later attacks.

Well, India has one MASSIVE vulnerability which keeps it open to all sorts of "attacks" and it's called people.
If I spend USD 50,000, I can get access into most of the telcos, including their long-distance networks, hubs, etc. No questions asked.
If I spend USD 300,000, I can most likely get access to the non-classified parts of BARC, NMDC, NPCIL.
If I spend USD 1 M, I can get access to even a lot of classified parts of practically all the government bodies.
If I spend USD 10 M, I can get access to practically everything in the Indian government.

This is the vulnerability that can't be closed easily and this is where all the focus will go. For the likes of China, spending 100-500 million to get access to most of India's critical infra is not infeasible. In fact, it will be cheaper than muscling its way in. I doubt India can do the same to its adversaries because of the number of checks and balances in the government systems.

If I am concerned, it will be about this asymmetry between India and China. In India, the number of people you need to take into confidence to get anything done is much larger. In China, it's very small. So, these kinds of "expenses" are more likely to happen in China and they will produce results.
  • Agree
Reactions: jetray
Well, India has one MASSIVE vulnerability which keeps it open to all sorts of "attacks" and its called people.
Agreed, no doubt about that. We need to develop robust processes which can to some extent minimize the impact, if not eliminate it. In the age of globalization, when people movement or interest in assets abroad is possible, preventing insiders from doing damage to security is a very tough task.
Apparently, US is pushing for building a narrative about hacking from Russia and China.


So reporting on Chinese hacks is a part of a bigger narrative. There is a reason, after all, why US think tanks are so active in reporting Chinese cyberattacks all over the world.

I don't mind, so long as the US seeks some punitive damages against China.
In the game of perception, more so in spying, you always need to throw people off track. Obviously we shouldn't trust anyone.