China-nexus threat actors have been called out for their pertinent snooping and espionage campaigns that are aligned with the country’s national interest. Their espionage activities are global and are assumed to be at least state-directed or ordered, even if individuals might not be employees of the state. The frequency of China-linked malicious cyber operations has seen a gradual rise, with India frequently being targeted, among other nations and businesses. The major motivation for targeting India’s cyberspace includes commercial espionage, coercive tactics or attaining the Chinese strategic objectives.

A Snippet of Recent Campaigns

Recently, seven of India’s State Load Dispatch Centres (SLDC), which carries out real-time operations for grid control and electricity dispatch, were targeted by threat actors in a prolonged operation. The sustained campaign was intended to achieve the Chinese strategic objectives and the targeting was believed to have begun in September 2021. The threat activity group, dubbed TAG-38, has reportedly employed a modular backdoor named ShadowPad – a sophisticated remote access trojan (RAT) frequently used in Chinese espionage campaigns, to compromise the power grids. ShadowPad is a commonly used backdoor in varied cyber operations undertaken by groups linked to the People’s Liberation Army (P

LA) and Ministry of State Security (MSS).

With most of the SLDC situated in the northern part of India, one of them was in close proximity to the disputed India-China border in Ladakh which was noted to have been already targeted in a similar attack in February 2021. The hacking group identified as RedEcho was believed to have “strong overlaps” with a China-linked threat group. Indeed, further investigations indicated that in February China nexus threat launched a series of attacks against key Indian organizations including the Bennett Coleman and Co Ltd (BCCL) and the Unique Identification Authority of India (UIDAI) database that contains biometric information of billions of citizens. The breach was traced back to the threat activity group TAG-28, another China-linked group that focuses on gathering intelligence. In addition to India’s energy sector campaign, researchers have also observed the command and control (C2) infrastructure of the well-known Chinese malware PlugX heavily targeting the Indian military and public sector after May 2020.

Persistence – A Long Running Strategy

In considering what is currently known about the China-linked threat actors, a number of attributes stand out. First, the persistent nature of the campaigns, once the initial access is achieved most of the threat actors have been noted to build persistence within networks. This could be indicative of their constant effort of shoveling out sensitive information and user credentials. Second, the presence of malicious actors could also be seen as a possible prepositioning of a kill-switch that can be leveraged during conflict situations or escalations.

Shying away from Proportionate Response?

India on many occasions does acknowledge the attacks emerging from China but refrains from linking it to broader malicious Chinese campaigns. As seen in the recent power grid attack case wherein the Indian spokesperson pointed out that “We have seen reports. There is a mechanism to safeguard our critical infrastructure to keep it resilient. We haven't raised this issue with China,” indicating a posture of restraint. Understandably, the defensive posture may emanate from the willingness to not escalate the crisis, despite the attacks being traced to hackers operating from China. However, continuous restraint may, in long term, be seen as an inherent weakness and an opportunity for the adversary to continue its operations.

Drawing parallels with the recent Russia-Ukraine war that has well indicated that cyberspace is an equally potent ground to unleash havoc on the adversary. The series of malware and data wipers deployed by Russia-linked threat actors in Ukraine, not only disrupted communications or sabotaged operations but also created chaos and confusion. Noteworthy is the fact that Ukraine has always been a testing ground for Russia-linked cyber threats, for instance, the power grid hack of 2015 that caused a power outage for several hours or the NotPetya attack of 2017 causing a massive supply chain nightmare. With respect to China-linked cyber campaigns against India it should be noted that in case of conflict or escalation, the China nexus threat actor may not only be called upon for reconnaissance or siphoning off credentials but also for launching a synchronized assault by the state.

Hence, it is high time for India to be vocal about the attribution and simultaneously strengthen its cyberspace capabilities. India could also support or be at the forefront of multi-level initiatives to deter threats in cyberspace.