Chinese government back hacking group, RedEcho targets Indian Power Sector amid border tensions

March 24, 2021
redecho china india border malware cyber attack espionage

The relationship between India and China has significantly deteriorated following the border clashes since May 2020, resulting in the first combat deaths between the two of the world’s most populous countries. This resulted in India’s foreign minister, Subrahmanyam Jaishankar, announcing last January 12, 2021, that the two nations’ trust was “profoundly disturbed”. While economic factors and diplomacy have been effective to prevent an all-out war with the most recent bilateral disengagement agreement at the border, cyber activities and operations continue to provide countries with a potent capability to conduct espionage and disruptive cyber retaliation hence there are government backed hackers and APT groups such as RedEcho.

A cybersecurity firm has observed a significant increase in targeted intrusion activity against the Indian government and organizations from Chinese government-funded hacking groups. Mid-2020 onwards, a steep rise in cyber-attacks towards India’s power sector has been observed, this includes 10 distinct Indian power sector corporations. Of the 10 targets were 4 of the 5 Regional Load Despatch Centres responsible for the power grid operations through an electricity supply and demand balancing, which is part of India’s critical national infrastructure. Other identified targets of the Chinese hacking groups are 2 Indian seaports.

Further analysis of the detected attacks suggests that there are common infrastructure attack tactics, techniques and procedures used by previously exposed Chinese APT groups, including the Tonto Team and APT41. Despite the overlap with previously documented groups, cybersecurity researchers closely attribute the recent cyberattacks to the RedEcho hacking group.

Indeed, targeting the critical infrastructures of India benefits limited economic espionage opportunities. However, there is a significant concern to the potential network access once the groups successfully support the Chinese strategic objectives.


The high concentration of IPs resolving towards Indian critical infrastructure over several months on servers used by RedEcho and their malware indicates a targeted cyber-attack campaign.


The RedEcho group has a substantial infrastructure overlap with other Chinese hacking groups Barium or APT41 and Tonto Team.

About the author

Leave a Reply