On February 28, Recorded Future, a Massachusetts-based company that studies how state actors use the internet, put out a report that the massive power outage in Mumbai on October 12 may have been the handiwork of a Chinese cyberwarfare campaign against India, meant to signal to New Delhi what China could do at a time when the Indian army was locked in a border standoff with the Chinese army.
No one, including Recorded Future, is fully sure whether the power outage was indeed the result of a Chinese cyberattack, but Chinese malware has been found inserted in systems related to the power grid, especially targeting four of the national power grid’s five Regional Load Dispatch Centres (RLDC).
The Union power ministry has said that the Indian Computer Emergency Response Team (CERT-IN) had alerted it to a malware called ShadowPad “at some control centres of POSOCO (Power System Operation Corporation Limited),” on November 19. It also said that the National Critical Information Infrastructure Protection Centre (NCIIPC) had sounded an alert on February 12 about a Chinese state-sponsored cyber threat group known as RedEcho.
Note that while the CERT-IN alert came more than a month after the power outage, the NCIIPC alert came four months after the event and seems to have been based on information provided by Recorded Future. It was Recorded Future that gave the suspected Chinese group the name RedEcho.
The power ministry also said, “There is no impact on any of the functionalities carried out by POSOCO due to the referred threat. No data breach/data loss has been detected due to these incidents… Prompt actions are being taken… at all these control centres…”
No impact on functionality. No data loss detected. Prompt action. Nearly five months after the massive power outage brought trains to a halt and shut down much economic activity in the financial capital for hours.
Worse, it has become a sort of political war between the BJP and the Shiv Sena, with the Maharashtra government saying the power outage was due to “sabotage” by “a foreign power” and the Centre insisting that the power outage was not linked to the Chinese cyberattack.
What should we make of it all? The Recorded Future report says that 10 distinct power sector organisations, including four of India’s five RLDCs, which are responsible for balancing supply and demand on the national power grid and thus keep it from collapsing, and two Indian ports have been targeted in a concerted campaign against India’s critical infrastructure. It noted that “the targeting of Indian critical infrastructure offers limited economic espionage opportunities but poses significant concerns over potential pre-positioning of network access to support Chinese strategic objectives… including geostrategic signalling during heightened bilateral tensions, supporting influence operations, or as a precursor to kinetic escalation.”
In other words, the Chinese had likely planted malware that could be activated at a time of their choosing. Was the Mumbai power outage one such activation in the midst of the India-China standoff in Ladakh?
Understandably, it would be difficult for the government to admit that such an attack happened, and that it was caught unawares. Worse, given that the Recorded Future report has come to light just after India and China agreed to disengage at Ladakh, the government would be wary that people would directly link it to the Chinese “show of force".
In November 2011, I had sounded out an alert from the Indian hacker community that an attempt was under way to infect islanded computers at the Rare Materials Plant in Rattehalli, near Mysuru, one of India’s most secretive nuclear establishments. At the time, neither the Department of Atomic Energy nor officials in the central government would respond to my queries on the matter. It was only five years later, when I was on a visit to a top nuclear establishment, that I was ushered into the chamber of a high official and was told, quite nonchalantly, that my 2011 report had been “fairly accurate” but that the matter had been “taken care of".
More recently, in 2019, when Indian hackers took to social media to alert the government about a bid to penetrate systems at the Kudankulam nuclear power plant, the establishment first denied that there was any such attempt at all. It was only days later, on being confronted with evidence, that it admitted that a computer in the administrative division had been infected with malware. The control systems of the power plant had not been penetrated. Yet, the danger is that much crucial information on the nuclear power plant could have been gleaned — personnel, workflows, power plant issues — from the administration-related computer, which could be put together with other bits of information and used in a future attack. We just don’t know.
The danger of cyberwarfare
In Industrial Age warfare, the antagonists would look to destroy each other’s industrial capacity to wage war — military production capacity, steel production, etc. In World War II, the Allies destroyed Germany’s war-making capacity by bombing industrial centres such as Dresden. Each side would also try covert warfare by infiltrating small groups of trained saboteurs behind enemy lines, tasked with killing key leaders, blowing up arms depots, bridges, and the like. What if you could combine covert behind enemy lines action with the scale of destruction of a massive aerial bombing campaign?
In the Information Age, with cyberwarfare, you can do just that, and probably better. All while sitting hunched over a computer, sipping Mao Tai, in the safety of an unknown garage in the boondocks in your own country. Want to bring down the enemy’s power grid? Want to bring down the stock market? Want to bring down the banking system and paralyse the enemy’s economy? Sure, you can do all that, provided you have the right tools and enough patience and perseverance.
While the two militaries were deployed in Ladakh, for instance, the cyber warriors were attacking behind enemy lines. While we now know what the Chinese did (although we don’t know what their objectives were), were our boys acting behind Chinese lines? Well, that’s classified, and we will have to let it be. Recorded Future says that it has also observed “suspected Indian state-sponsored group Sidewinder” target Chinese military and government entities in 2020, a finding that a study by Trend Micro supported.
India lags
Yet, it is estimated that India lags China by almost two decades in terms of cyberwarfare capability, both offensive and defensive.
“Our defensive preparedness is almost non-existent. When Kudankulam happened, it was not the government that went out to find who was behind it. It was a bunch of private hackers who did. Whatever capability exists in India is mostly outside the government,” a source in the hacker community told DH on condition of anonymity.
As for offensive cyberwar capabilities, “If you can’t even defend your own networks and assets, what offensive capabilities are you likely to have,” the hacker asked. “There are a few mercenary companies or groups who are hackers-for-hire, who can do a bit of espionage for paying clients, using tools bought from abroad, but there is no solid national cyberwarfare capability.”
But Ajey Lele, a Senior Fellow at the Institute for Defence Studies and Analyses, says India has been stepping up preparedness since a cyberattack on the Commonwealth Games in 2010. “The government understood the challenge and took it seriously,” Lele said. While he would not confirm or deny whether India had offensive cyber capabilities and had demonstrated them, he said, “I’m sure we remain prepared. Look, even Pakistan has never accused us of a cyberattack on them. Either our boys are too good and cannot be identified, or we are not doing anything.”
Says the anonymous hacker, “For offensive capabilities, you need infrastructure, slush funds, talent, people to manage the whole effort, cryptography capabilities. If you want to wage war in a new dimension, where is the research on it? What tools have our agencies developed, instead of buying tools from abroad? Where is our cryptography capabilities? We are reduced to pleading with or ordering companies to not do encryption.”
“We are capable of offence, but the Chinese have been preparing for over two decades to thwart attacks from the US, UK. They have very high benchmarks of deterrence and counter-offensive capabilities,” says Tobby Simon, president of the Bengaluru-based think-tank Synergia Foundation. “We have not been preparing to take on any superpower. We can, of course, but even if we spend a lot of money and build capabilities, somebody will still manage to get in and strike our systems. Look at how the US has been hit by SolarWind, the Russian attack. There is no 100% defence.”
Cyber deterrence
“Which means, the only way out is to deter,” Simon adds. “And to deter, you have to show your capability. A lot of conflict is also optics. You have to show you are capable of hitting back. How do you do that? In conventional conflict, you could do an Army Day parade and show off your weaponry. In cyberwarfare, the only way to do that is to demonstrate this capability and make the intent clear.
Of course, to be able to do that, we first have to build the capability.
The anonymous hacker agrees. “If the government wants to develop offensive capabilities, it can be done in 5-6 years. But it must first decide what kind of a nation we want to be, strategic goals, a cyberwarfare doctrine, and put up a structure, funds and a group of people who can nurture talent and run the effort. Instead, today, the government is pissing off talent. People who tell the truth and plead for building capability become Public Enemy No. 1 and are threatened. A lot of talented people are going away.”
That’s a warning, and a plan, the government will do well to heed.
Deccan Herald is on WhatsApp Channels| Join now for Breaking News & Editor's Picks