Now on Demand Ransomware Resilience & Recovery Summit - All Sessions Available
Connect with us

Hi, what are you looking for?


Disaster Recovery

Suspected Chinese APT Group Targets Power Plants in India

Security researchers at Recorded Future have spotted a suspected Chinese APT actor targeting a wide range of critical infrastructure targets in India, including power plants, electricity distribution centers and Indian seaports.

Security researchers at Recorded Future have spotted a suspected Chinese APT actor targeting a wide range of critical infrastructure targets in India, including power plants, electricity distribution centers and Indian seaports.

Recorded Future, a threat-intelligence firm based in Somerville, Mass., said the wave of targeted attacks appear to coincide with the ongoing territorial conflict between India and China.

The company’s analysts applied the “RedEcho” moniker to this threat actor and warned that the group has strong infrastructure and victim overlaps with the notorious APT41/Barium actor.   

Despite these overlaps with known APT actors, Recorded Future said it will contrinue to track the group as a distinct actor because there isn’t enough evidence to firmly attribute the activity to a singular group.

[ Learn more about threats to industrial systems at SecurityWeek’s ICS Cyber Security Conference and SecurityWeek’s Security Summits virtual event series ]

From about the middle of 2020 onwards, Recorded Future said it captured telemetry showing a steep rise in the use of known APT command-and-control servers “to target a large swathe of India’s power sector.”

A detailed technical report from Recorded Future said 10 distinct Indian power sector organizations were targeted, including 4 of the 5 Regional Load Despatch Centres (RLDC) responsible for operation of the power grid. Other targets identified included two unidentified Indian seaports.

The company’s threat hunters identified 21 IP addresses among the list of targets in India, noting that they all qualify as critical infrastructure in India.

Advertisement. Scroll to continue reading.

List of suspected victims of RedEcho campaign targeting Indian critical infrsastructure

The researchers also noticed the targeting of a high-voltage transmission substation and a coal-fired thermal power plant.

“The targeting of these critical power assets offer limited economic espionage opportunities, but pose significant concerns over potential pre-positioning of network access to support other Chinese strategic objectives,” the company added.

Recorded Future has released IOCs and mitigation guidance to help organizations look for signs of malicious activity on corporate networks.

RelatedRemote Hacker Caught Poisoning Florida City Water Supply 

Related: U.S. Gov Warning on Water Supply Hack: Get Rid of Windows 7

Written By

Click to comment


Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Join the session as we discuss the challenges and best practices for cybersecurity leaders managing cloud identities.


SecurityWeek’s Ransomware Resilience and Recovery Summit helps businesses to plan, prepare, and recover from a ransomware incident.


People on the Move

MSSP Dataprise has appointed Nima Khamooshi as Vice President of Cybersecurity.

Backup and recovery firm Keepit has hired Kim Larsen as CISO.

Professional services company Slalom has appointed Christopher Burger as its first CISO.

More People On The Move

Expert Insights

Related Content


Less than a week after announcing that it would suspended service indefinitely due to a conflict with an (at the time) unnamed security researcher...

Application Security

Cycode, a startup that provides solutions for protecting software source code, emerged from stealth mode on Tuesday with $4.6 million in seed funding.


A recently disclosed vBulletin vulnerability, which had a zero-day status for roughly two days last week, was exploited in a hacker attack targeting the...


The changing nature of what we still generally call ransomware will continue through 2023, driven by three primary conditions.

Identity & Access

Zero trust is not a replacement for identity and access management (IAM), but is the extension of IAM principles from people to everyone and...

Data Breaches

OpenAI has confirmed a ChatGPT data breach on the same day a security firm reported seeing the use of a component affected by an...

IoT Security

A group of seven security researchers have discovered numerous vulnerabilities in vehicles from 16 car makers, including bugs that allowed them to control car...