Amid souring relations between India and China last year, evidence emerged in September of a Chinese government-linked company’s attempt to monitor the digital footprint of thousands of Indian citizens. In November, the government was apprised of a malware threat in segments of its power infrastructure — malware that was last month linked to a Chinese state-backed firm. Now, a cyber intelligence firm claims another Chinese government-linked hacking group has targeted the makers of the two vaccines currently used in India’s Covid-19 vaccination programme.
A look at the various surveillance and hacking attempts, and their implications:
Zhenhua & its targets
The Indian Express had earlier reported, in a series of articles, that a Shenzhen-based technology company, Zhenhua Data Information Technology Co, with links to the Chinese government and the Chinese Communist Party, was monitoring over 10,000 Indian individuals and organisations. This was part of the company’s global database of “foreign targets”. Its modus operandi is to collect information about relevant people from the web and social media platforms, and track research papers, articles, patents, and recruitment positions.
The company also monitors the person’s digital footprint across social media platforms and maintains an “information library”. Those monitored in this database included not only influential political and industrial figures, but bureaucrats in key positions, judges, scientists and academicians, journalists, actors, sportspersons, religious figures, activists and even hundreds accused of financial crime, corruption, terrorism and smuggling.
The collection of such data by Zhenhua does not violate any rules under the Information Technology Act of 2000, as nearly all of this data is available in the public domain. However, Zhenhua’s 24×7 watch had raised red flags with cybersecurity experts, who observed that the information collected could be put together for tactical manoeuvring, targeting the individuals under surveillance or their institutions.
Red Echo & ShadowPad
On February 28, Massachusetts-based cybersecurity company Recorded Future published a report saying it had observed a “steep rise” in the use of resources like malware by a Chinese group called Red Echo to target “a large swathe” of India’s power sector.
It said 10 distinct Indian power sector organisations were targeted, including four Regional Load Despatch Centres (RLDCs) that are responsible for the smooth operation of the country’s power grid by balancing the supply and demand of electricity. Recorded Future said the group also targeted two Indian seaports.
Red Echo used malware called ShadowPad, which involves the use of a backdoor to access servers. The Ministry of Power on Monday confirmed these attempts, stating it had been informed in November 2020 about the ShadowPad malware “at some control centres” of the Power System Operation Corporation Ltd (POSOCO), the government enterprise in charge of facilitating the transfer of electricity through load despatch centres.
The Ministry said it was informed of Red Echo’s attempts to target the country’s load despatch centres in February. It said “no data breach/data loss” had been detected due to the incidents and that none of POSOCO’s functions had been impacted. The government said it had taken action against the threats observed.
While there was speculation earlier that Red Echo was possibly behind the October 12 blackout in Mumbai, Union Power Minister R K Singh on Tuesday denied that the power outage in the city was the result of a cyberattack, instead attributing it to human error.
Stone Panda & vaccines
On Monday, Goldman Sachs-backed cyber intelligence firm Cyfirma said a Chinese hacker group known as Stone Panda had “identified gaps and vulnerabilities in the IT infrastructure and supply chain software of Bharat Biotech and the Serum Institute of India”, according to a Reuters report. These companies have developed Covaxin and Covishield, which are currently being used in the national vaccination campaign. They are also in the process of testing additional Covid-19 vaccines that could add value to efforts around the world.
Some Indian companies involved in Covid-19 vaccine development have told The Indian Express that they have noticed a nearly hundred-fold increase in cyberattack attempts by foreign entities from countries like China and Russia over the last six months.
All this could be happening for several reasons. One major factor is the border clash between the two countries in June 2020.
“As bilateral tensions continue to rise, we expect to see a continued increase in cyber operations being conducted by China-linked groups such as RedEcho in line with national strategic interests,” stated Recorded Future.
Other cybersecurity experts agree.
“This is clearly something that is linked to China’s geopolitical interests,” said Raman Jit Singh Chima, Asia Pacific Policy Director and Global Cybersecurity Lead at Access Now. “It is established very clearly that the use of cyber offensive tools and espionage is a fairly active element of what the People’s Republic of China seems to be adopting and encouraging. Even when they are not directly in charge of an offensive operation, they seem to be consistently encouraging actors to develop this capability.”
However, as reported in the ‘China Watching’ series in The Indian Express, these attempts could also be part of a long-term strategy.
“It could also be an attempt to test and lay the grounds for further operations in the future,” said Chima. “One has to also remember that sometimes these offensive operations are carried out to distract people from other places that they might be targeting or other activities that might be occurring.”
There was an increase in cyber offensive operations and incidents around the world in the second half of 2020, especially targeting the healthcare and vaccine space, with incidents often attributed to actors linked with the Chinese and Russian governments, according to Chima.
When vaccine companies are targeted, the motive could be competition. The motivation behind Stone Panda’s attack against SII and Bharat Biotech’s IT systems was to extract the companies’ intellectual property and gain a “competitive advantage over Indian pharmaceutical companies,” as per Reuters. SII and Bharat Biotech have been getting global orders for their vaccines.
Lack of information
India has not voluntarily made information about these attempts public. According to Chima, this lack of information could leave other companies and government bodies in the dark about their vulnerability to such attacks.
“The problem is you need more data to be able to figure out what is going on, including specific data about what has happened in India,” said Chima.
He said there is also little clarity on the government’s chain of command where cybersecurity issues are concerned, as different agencies deal with this issue. This makes it difficult to understand whom to approach in the event of such cyber threats.
“Because that information is not out there, and it’s not available easily — except to people who work very closely with the government — it impacts India’s cybersecurity as a whole,” Chima said.