How did a secretive Chinese cyber threat group get noticed intruding into Indian critical infrastructure? The answer is an 18-letter word – ‘AXIOMATICASYMPTOTE’.
This word, which sounds more like a tongue-twister from the Mary Poppins film, is the network infrastructure used in the ShadowPad malware injections. From mid-2020 onwards, Recorded Future, the threat intelligence company, observed a steep rise in the use of infrastructure termed as AXIOMATICASYMPTOTE to target a large swathe of India’s power sector and ports.
In other words, it was this steep rise in the use of this server infrastructure to communicate with the targeted Indian IP addresses which raised vital red flags for threat intelligence analysts and revealed a bigger picture.
In determining that the China-linked group RedEcho was using the AXIOMATICASYMPTOTE infrastructure to carry out its intrusions into the networks of Indian organisations, three important revelations were made:
- RedEcho has an overlapping modus operandi with several other known Chinese groups such as APT41 and Tonto Team.
- The RedEcho group is Chinese state-sponsored.
- RedEcho’s intrusions were part of a sustained strategic and targeted campaign against Indian organisations.
Amid the Indo-China conflict along the Line of Actual Control (LAC) in 2020, a China-based threat actor group, codenamed ‘RedEcho’, had targeted at least 10 assets of India’s critical power sector as well as two ports, a report by the company had stated.
This piece explains how the cyber operations against Indian organisations were carried out and how the detection of the AXIOMATICASYMPTOTE infrastructure used by RedEcho unravelled an elaborate, strategic campaign intended as a show of force during heightened tensions between India and China.
The 12 organisations that were targeted in 2020 were:
- Power System Operation Corporation Ltd
- NTPC Ltd
- NTPC Kudgi STPP
- Western Regional Load Despatch Centre
- Southern Regional Load Despatch Centre
- North Eastern Regional Load Despatch Centre
- Eastern Regional Load Despatch Centre
- Telangana State Load Despatch Centre
- Delhi State Load Despatch Centre
- DTL Tikri Kalan (Mundka) of Delhi Transco Ltd
- VO Chidambaranar Port
- Mumbai Port Trust
All the twelve targeted entities have been classified as critical infrastructure by the National Critical Information Infrastructure Protection Centre (NCIIPC).
While the military clashes took place in Ladakh region along the LAC, the targeted units are spread across different parts of India including Delhi, Maharashtra, Telangana, Tamil Nadu, Karnataka, West Bengal and Assam.
AXIOMATICASYMPTOTE
Threat intelligence company Recorded Future states in its report that the network infrastructure used in ShadowPad malware has been termed AXIOMATICASYMPTOTE.
The company explains that using a combination of proactive infrastructure detections, domain analysis, and network traffic analysis, “we have determined that a subset of these AXIOMATICASYMPTOTE servers are being used by a China-linked activity group we track as RedEcho, to target a large swath of India’s power sector.”
A subset of the RedEcho AXIOMATICASYMPTOTE servers were configured with website names spoofing various Indian power sector entities. For example, the ntpc-co[.]com domain is likely a typosquat of ntpc[.]co[.]in, the website of Indian power generation company NTPC Limited, the report states.
In total, the company identified 21 IP addresses resolving to 12 distinct Indian organisations that were found to be communicating with the AXIOMATICASYMPTOTE servers.
RedEcho’s Modus Operandi Overlaps With Other Known Chinese Threat Actors
RedEcho’s usage of the ShadowPad malware to intrude into networks of targeted Indian organisations using the network infrastructure AXIOMATICASYMPTOTE is not unique.
The spike in the use of this infrastructure led Recorded Future to connect the dots, revealing a modus operandi that has also been used by multiple Chinese hacker groups, particularly APT41 and Tonto Team.
This assumes greater significance given that at least 3 of the targeted Indian IP addresses were previously seen in a suspected campaign by APT41 targeting the Indian Oil and Gas sectors in November 2020.
An even larger proportion of the RedEcho-targeted Indian IP addresses were observed communicating with two AXIOMATICASYMPTOTE servers overlapping with APT41/Barium activity previously reported by Microsoft.
However, there isn’t enough evidence to suggest that APT41 or Tonto Team were involved in the current set of intrusions.
“We currently do not believe there is enough evidence to firmly attribute the activity in this particular Indian power sector targeting to either group,” Recorded Future’s report points out.
This overlapping usage, however, points to a larger picture.
RedEcho Group is Chinese State-Sponsored
The overlap in the usage of the AXIOMATICASYMPTOTE infrastructure with other Chinese state-sponsored groups is what established RedEcho’s possible link with the Chinese state.
Recorded Future states that it is presently aware of at least five Chinese threat activity groups that deploy the ShadowPad malware using AXIOMATICASYMPTOTE infrastructure. These include groups like APT41 and Tonto Team.
While the APT41 group has been observed to be affiliated with China’s Ministry of State Security, Tonto Team is affiliated with the Chinese People’s Liberation Army (PLA).
“We assess that the sharing of ShadowPad (malware) is prevalent across groups affiliated with both Chinese Ministry of State Security (MSS) and groups affiliated with the People’s Liberation Army (PLA),” Recorded Future states in its report.
Therefore, the steep rise in the usage of the same AXIOMATICASYMPTOTE infrastructure by known groups affiliated with the MSS as well as the PLA established RedEcho as a state-sponsored entity.
RedEcho’s Intrusions Part of a Strategic and Targeted Campaign
A threat intelligence analysis of RedEcho’s targeting reveals that this was neither a one-off intrusion campaign, nor was it carried out in isolation. Rather, the steep rise in the use of AXIOMATICASYMPTOTE infrastructure revealed this to be a campaign with specific targets.
The high concentration of IPs resolving to Indian critical infrastructure entities communicating over several months with a distinct subset of AXIOMATICASYMPTOTE servers used by RedEcho indicates a targeted campaign.
The overlap of the intrusions with previous Indian energy sector targeting by APT41 group in 2020 – that also used AXIOMATICASYMPTOTE infrastructure – reveals a larger picture.
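The two detection signals the article attributes to Recorded Future, a typosquat such as ntpc-co[.]com against ntpc[.]co[.]in and a cluster of organisations in one sector talking to the same small set of servers for months, can be illustrated in code. The following is an added example written for this piece, not Recorded Future’s tooling; the server addresses are TEST-NET placeholders (the real AXIOMATICASYMPTOTE servers are not listed here), the flow records and organisation names are constructed, and the suffix list is a deliberately tiny stand-in for a public-suffix list.

```python
import difflib
from collections import defaultdict
from datetime import date

# Constructed sample data. The server addresses are RFC 5737 TEST-NET
# placeholders, not the AXIOMATICASYMPTOTE servers (which the article
# does not list), and the flows and organisation names are invented.
WATCHLIST = {"203.0.113.10", "203.0.113.11", "198.51.100.7"}
FLOWS = [  # (day, source organisation, destination IP)
    (date(2020, 6, 3), "OrgA", "203.0.113.10"),
    (date(2020, 7, 14), "OrgB", "203.0.113.10"),
    (date(2020, 9, 2), "OrgC", "203.0.113.10"),
    (date(2020, 9, 2), "OrgC", "203.0.113.11"),
    (date(2020, 10, 20), "OrgD", "203.0.113.10"),
    (date(2020, 6, 9), "OrgA", "192.0.2.55"),  # not watchlisted, ignored
]

def concentrated_destinations(flows, watchlist, min_orgs=3, min_months=3):
    """Watchlisted destinations contacted by at least min_orgs distinct
    organisations across at least min_months calendar months. One beacon
    is noise; many entities of one sector talking to the same server for
    months is the pattern the article describes as a targeted campaign."""
    orgs, months = defaultdict(set), defaultdict(set)
    for day, org, dst in flows:
        if dst in watchlist:
            orgs[dst].add(org)
            months[dst].add((day.year, day.month))
    return sorted(d for d in orgs
                  if len(orgs[d]) >= min_orgs and len(months[d]) >= min_months)

# Tiny stand-in for a public-suffix list; a real check would use one.
SUFFIX_LABELS = {"com", "net", "org", "in", "co"}

def brand_part(domain):
    """Strip suffix labels and hyphens: ntpc.co.in -> ntpc, ntpc-co.com -> ntpcco."""
    labels = domain.lower().rstrip(".").split(".")
    while len(labels) > 1 and labels[-1] in SUFFIX_LABELS:
        labels.pop()
    return "".join(labels).replace("-", "")

def lookalike_score(candidate, legitimate):
    """Similarity in [0, 1] between the brand parts of two domains; scores
    near 1 flag likely typosquats of an organisation's own domain."""
    return difflib.SequenceMatcher(None, brand_part(candidate),
                                   brand_part(legitimate)).ratio()

if __name__ == "__main__":
    print(concentrated_destinations(FLOWS, WATCHLIST))   # ['203.0.113.10']
    print(round(lookalike_score("ntpc-co.com", "ntpc.co.in"), 2))  # 0.8
```

In practice the flow records would come from NetFlow or firewall logs and the watchlist from a threat intelligence feed; the thresholds are the analyst’s to tune.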
“The focus in targeting India’s electricity system possibly indicates a sustained strategic intent to access India’s energy infrastructure,” the report highlights.
So, what is the objective of this larger strategic campaign?
At a time when Indian and Chinese forces were locked in a tense standoff along the LAC, the intrusions into critical infrastructure deep in the heartland of India indicate a warning as well as a show of force by China.
The campaign also reveals that China is willing to open a new dimension of warfare, i.e. cyber warfare.
It is important to note that the campaign targeted civilian infrastructure. Speaking at a press conference on 4 March, Recorded Future CEO Christopher Ahlberg described the selective targeting of India’s civilian infrastructure, including power grids, by the China-linked cyber group in 2020 as “very unusual” and “concerning.”
He asserted the activities were not aimed at stealing money or information but more as “a warning or show of force during heightened bilateral tensions.”
As bilateral tensions continue to rise, “we expect to see a continued increase in cyber operations being conducted by China-linked groups such as RedEcho, in line with national strategic interests,” Recorded Future’s report stated.
(At The Quint, we question everything. Play an active role in shaping our journalism by becoming a member today.)