So I heard some chatter on a so-called cyber-attack that resulted in a grid failure / blackout in Mumbai. The usual suspects in the NYTimes were going gaga over it, so I decided to look into it a bit more and I will use this thread as a placeholder for anything that I find.
1. Who detected this "attack"?
A certain company by the name "Recorded Future". It's not exactly one of the known names in security which sell consumer products; it claims to sell "platforms" and specializes in "China" malware. As you will see further, most of the capabilities of this company are shrouded in mystery, much like its report.
2. What are they saying?
Using totally opaque terms they are claiming the Chinese government and PLA hired some private cyber-espionage people who attacked Indian electric companies using a form of malware called "ShadowPad".
You can read about the real "ShadowPad" in this excellent writeup by Kaspersky's Lab and elsewhere: ShadowPad: How Attackers hide Backdoor in Software used by Hundreds of Large Companies around the World, ShadowPad in corporate networks. Basically this malware is an encrypted backdoor inserted into legitimate software during the software development / build process at the manufacturer's/developer's/vendor's end. The malware hence comes signed and sealed with very legitimate software. How do they do it? Most likely they compromised someone on the actual vendor's staff to insert this in the build process OR they hacked the machines of that vendor. Given they are Chinese, I think the first is the most likely way. This "ShadowPad" then uses DNS queries for C&C purposes (which is how it was found). There are more technical details BUT these should be enough.
While you read the above links, please keep in mind the level of technical details in these two articles. We will come to that later.
Now compare the above with what these folks at Recorded Future are saying:
1. They do not provide ANY clue on any malware actually found. They blame it on the Indian government for not providing, or not being able to find, any "codes".
2. Their publications lack ANY technical details besides names of domains being typosquatted by some Chinese companies. Most of these names are names of the Indian Railways website, NTPC website etc.
3. They use totally opaque terminology like AXIOMATICASYMPTOTE for C&C infra supposedly used by the Chinese. They give no further details about what they actually found besides the names and IP addresses of these portals on GitHub (funny! no code, nothing on GitHub!) Insikt-Group/Research
4. Lastly, as mere conjecture they put these together with some timeline of the Ladakh conflict and come to the conclusion that the Mumbai power grid failure was a Chinese cyber attack (complete with a dark picture of a stock Indian and a uniform-draped Chinese soldier).
3. What seems to be reality?
Intrusion and recon are an ongoing business on the internet. It is done for many reasons. Most attempts at recon and intrusion fail. This is why there are always so many attempts. As such, without any real evidence and technical details, "Recorded Future" seems to be similar to all those high-fee-seeking think tanks and consultants who produce glossy brochures with no real facts. Was there an attempt to launch a "cyberattack" on India? Most likely yes, BUT such attempts are always happening and always ongoing. Correlating it with geopolitical events is more like reading tea leaves, unless otherwise proven.
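The post notes that the real ShadowPad was found because it used DNS queries for command-and-control. The following is an added example, not code from the post or from any vendor report, showing the generic defensive check that exposes that pattern: one client sending many distinct, high-entropy subdomain labels under a single registered domain. The log format, client addresses, domain names and thresholds are all constructed for illustration; "registered domain" is approximated as the last two labels (an assumption, since no public suffix list is used).

```python
"""Flag DNS clients whose query pattern resembles covert C&C over DNS.

Constructed example: sample log lines and domains are made up, and the
thresholds are illustrative starting points, not tuned production values.
"""
import math
import re
from collections import Counter, defaultdict

# Constructed log lines in a simplified "timestamp client qname" format.
SAMPLE_DNS_LOG = """\
2021-03-01T10:00:01 10.0.0.5 www.example-news.test
2021-03-01T10:00:02 10.0.0.5 cdn.example-news.test
2021-03-01T10:00:03 10.0.0.9 a3f9c1e2b7d4.updates.example-sw.test
2021-03-01T10:00:04 10.0.0.9 9e0b7c4d21fa.updates.example-sw.test
2021-03-01T10:00:05 10.0.0.9 c7d21e9fa03b.updates.example-sw.test
2021-03-01T10:00:06 10.0.0.9 4b8e1f2a6c95.updates.example-sw.test
2021-03-01T10:00:07 10.0.0.9 f10d3e8a2b6c.updates.example-sw.test
2021-03-01T10:00:08 10.0.0.5 mail.example-news.test
"""

LINE_RE = re.compile(r"^(\S+)\s+(\S+)\s+(\S+)$")


def shannon_entropy(s):
    """Bits of entropy per character; encoded data scores high, words score low."""
    if not s:
        return 0.0
    counts = Counter(s)
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def parse_line(line):
    """Return (timestamp, client, qname) for a well-formed line, else None."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts, client, qname = m.groups()
    return ts, client, qname.lower().rstrip(".")


def registered_domain(qname):
    """Assumption: the registered domain is the last two labels."""
    labels = qname.split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else qname


def analyze(log_text, min_unique=4, min_entropy=3.0):
    """Group queries by (client, registered domain) and flag groups that have
    many distinct leftmost labels whose mean entropy is high."""
    subs = defaultdict(set)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        _, client, qname = rec
        labels = qname.split(".")
        if len(labels) < 3:
            continue  # bare registered domain, no subdomain label to inspect
        subs[(client, registered_domain(qname))].add(labels[0])

    findings = []
    for (client, domain), names in subs.items():
        if len(names) < min_unique:
            continue
        mean_ent = sum(shannon_entropy(n) for n in names) / len(names)
        if mean_ent < min_entropy:
            continue
        findings.append({
            "client": client,
            "domain": domain,
            "unique_subdomains": len(names),
            "mean_entropy": round(mean_ent, 3),
        })
    return sorted(findings, key=lambda f: (-f["unique_subdomains"], f["client"]))


if __name__ == "__main__":
    for finding in analyze(SAMPLE_DNS_LOG):
        print(finding)
```

Run against a real resolver log you would raise the thresholds and whitelist CDNs and telemetry domains that legitimately use hashed labels; the point of the check is that, unlike signature matching on a binary, it does not depend on having the malware sample, which is exactly the gap the post complains about in the vendor report.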