C0043 Indian Critical Infrastructure Intrusions
Indian Critical Infrastructure Intrusions is a sequence of intrusions from 2021 through early 2022 linked to People’s Republic of China (PRC) threat actors, particularly RedEcho and Threat Activity Group 38 (TAG38). The intrusions appear focused on IT system breach in Indian electric utility entities and logistics firms, as well as potentially managed service providers operating within India. Although focused on OT-operating entities, there is no evidence this campaign was able to progress beyond IT breach and information gathering to OT environment access.12
| Item | Value |
|---|---|
| ID | C0043 |
| Associated Names | |
| First Seen | January 2021 |
| Last Seen | April 2022 |
| Version | 1.0 |
| Created | 21 November 2024 |
| Last Modified | 13 March 2025 |
| Navigation Layer | View In ATT&CK® Navigator |
Techniques Used
| Domain | ID | Name | Use |
|---|---|---|---|
| enterprise | T1583 | Acquire Infrastructure | - |
| enterprise | T1583.001 | Domains | During Indian Critical Infrastructure Intrusions, RedEcho registered domains spoofing Indian critical infrastructure entities.1 |
| enterprise | T1071 | Application Layer Protocol | - |
| enterprise | T1071.001 | Web Protocols | During Indian Critical Infrastructure Intrusions, RedEcho network activity included SSL traffic over TCP 443 and HTTP traffic over non-standard ports.1 |
| enterprise | T1584 | Compromise Infrastructure | Indian Critical Infrastructure Intrusions included the use of compromised infrastructure, such as DVR and IP camera devices, for command and control purposes in ShadowPad activity.2 |
| enterprise | T1568 | Dynamic Resolution | During Indian Critical Infrastructure Intrusions, RedEcho used dynamic DNS domains associated with malicious infrastructure.1 |
| enterprise | T1573 | Encrypted Channel | - |
| enterprise | T1573.002 | Asymmetric Cryptography | During Indian Critical Infrastructure Intrusions, RedEcho used SSL for network communication.1 |
| enterprise | T1599 | Network Boundary Bridging | Indian Critical Infrastructure Intrusions involved the use of FRP to bridge network boundaries and overcome NAT.2 Indian Critical Infrastructure Intrusions also involved the use of VPN tunnels with a potentially compromised MSP entity allowing for direct access to critical infrastructure entity networks.3 |
| enterprise | T1571 | Non-Standard Port | During Indian Critical Infrastructure Intrusions, RedEcho used non-standard ports such as TCP 8080 for HTTP communication.1 |
| enterprise | T1588 | Obtain Capabilities | - |
| enterprise | T1588.004 | Digital Certificates | Indian Critical Infrastructure Intrusions included the use of digital certificates spoofing Microsoft.2 |
Software
| ID | Name | Description |
|---|---|---|
| S1144 | FRP | Indian Critical Infrastructure Intrusions included the use of FRP to enable remote access.2 |
References
-
Recorded Future Insikt Group. (2021, February). China-Linked Group RedEcho Targets the Indian Power Sector Amid Heightened Border Tensions. Retrieved November 21, 2024. ↩↩↩↩↩↩
-
Recorded Future Insikt Group. (2022, April 6). Continued Targeting of Indian Power Grid Assets by Chinese State-Sponsored Activity Group. Retrieved November 21, 2024. ↩↩↩↩↩
-
Dragos. (2022). 2021 ICS Cybersecurity Year in Review. Retrieved November 21, 2024. ↩