{
	"id": "4868fd3c-1e34-4043-bd90-b5668b3e20dc",
	"created_at": "2026-04-06T00:11:08.768288Z",
	"updated_at": "2026-04-10T03:35:32.789093Z",
	"deleted_at": null,
	"sha1_hash": "9838bfce29650b438203c877892fced2a5783e63",
	"title": "China accused of cyberattacks on Indian power grid",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 39616,
	"plain_text": "China accused of cyberattacks on Indian power grid\r\nBy Laura Dobberstein\r\nPublished: 2022-04-08 · Archived: 2026-04-05 17:11:40 UTC\r\nChina has been accused of conducting a long-term cyber attack on India's power grid, and has been implicated in\r\ncyber attacks against targets in Ukraine.\r\nCybersecurity firm Insikt Group found network intrusions at seven Indian State Load Dispatch Centers (SLDCs)\r\nthat conduct real-time operations for grid control and electricity dispatch, according to a report released\r\nWednesday. All seven SLDCs were located near the disputed India-China border in Ladakh.\r\nAlthough one of the SLDCs had been previously targeted – in a 2020 incident that Insikt Group named RedEcho\r\nand credited to Beijing – the newly identified intrusions target an almost entirely different set of victims.\r\nInsikt stated that in addition to attacking grid assets, the operation impacted a national emergency response team\r\nand the Indian subsidiary of a logistics company.\r\nThe operation used a trojan called ShadowPad, thought to have links to contractors serving China's Ministry of\r\nState Security (MSS).\r\nThe attackers, sometimes identified as Threat Activity Group 38 (TAG-38), are believed to have infiltrated the\r\nsystem via third-party devices like IP cameras that may have been left vulnerable when their default credentials\r\nwere kept in place.\r\n\"The group likely compromised and co-opted internet-facing DVR/IP camera devices for command and control\r\n(C2) of ShadowPad malware infections, as well as use of the open source tool FastReverseProxy (FRP),\" opined\r\nInsikt Group in its report.\r\nThe cybersecurity group said that because the targeting was prolonged, it was most likely a mission to gather\r\ninformation about critical infrastructure, rather than seeking immediate-term benefit. Such information could later\r\nbe used to gain access across a system to take (presumably disruptive) action.\r\nBeijing, predictably, denied involvement. Foreign spokesperson Zhao Lijian asserted that China firmly opposed all\r\nforms of cyber attacks, in accordance with the law. He added that one should be \"all the more prudent when\r\nassociating cyber attacks with the government of a certain country.\"\r\nThe past few weeks have also brought a string of reported attacks emanating from China against targets in\r\nUkraine.\r\nSentinelLabs concluded in late March that malware sent throughout the country disguised as a call to send in\r\nvideo documentation of Russian aggression was associated with the suspected Chinese threat actor known as\r\nScarab.\r\n\"The malicious activity represents one of the first public examples of a Chinese threat actor targeting Ukraine\r\nsince the invasion began,\" said SentinelOne's Tom Hegel.\r\nAmerican enterprise security company Proofpoint also identified ongoing threat activity from China last month.\r\nResearchers said TA416 is targeting European diplomatic entities, including an individual involved in refugee and\r\nmigrant services.\r\nProofpoint said the activity showed \"an interest in refugee policies and logistics across the APT actor landscape\r\nwhich coincides with increased tensions and now armed conflict between Russia and Ukraine.\"\r\nBut according to the anonymous collective Intrusion Truth – a group that analyses China-linked cyber attacks –\r\nstate-sponsored threat actor FunnyDream had also targeted the Kremlin, Russian private bank Alfabank, and the\r\nFederal Guard Service of the Russian Federation.\r\n\"Wonder what that says about China's trust in Russia?\" mused Intrusion Truth. ®\r\nSource: https://www.theregister.com/2022/04/08/china_sponsored_attacks_india_ukraine/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://www.theregister.com/2022/04/08/china_sponsored_attacks_india_ukraine/"
	],
	"report_names": [
		"china_sponsored_attacks_india_ukraine"
	],
	"threat_actors": [
		{
			"id": "0fca7692-4a21-482f-a113-9548b49e8531",
			"created_at": "2022-10-25T16:07:24.117599Z",
			"updated_at": "2026-04-10T02:00:04.870741Z",
			"deleted_at": null,
			"main_name": "RedEcho",
			"aliases": [],
			"source_name": "ETDA:RedEcho",
			"tools": [
				"POISONPLUG.SHADOW",
				"ShadowPad Winnti",
				"XShellGhost"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "bc91d469-ec69-497b-81d7-068b84501e63",
			"created_at": "2023-01-06T13:46:39.192791Z",
			"updated_at": "2026-04-10T02:00:03.242063Z",
			"deleted_at": null,
			"main_name": "RedEcho",
			"aliases": [],
			"source_name": "MISPGALAXY:RedEcho",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "b98eb1ec-dc8b-4aea-b112-9e485408dd14",
			"created_at": "2022-10-25T16:07:23.649308Z",
			"updated_at": "2026-04-10T02:00:04.701157Z",
			"deleted_at": null,
			"main_name": "FunnyDream",
			"aliases": [
				"Bronze Edgewood",
				"Red Hariasa",
				"TAG-16"
			],
			"source_name": "ETDA:FunnyDream",
			"tools": [
				"Chinoxy",
				"Filepak",
				"FilepakMonitor",
				"FunnyDream",
				"Keyrecord",
				"LOLBAS",
				"LOLBins",
				"Living off the Land",
				"Md_client",
				"PCShare",
				"ScreenCap",
				"TcpBridge",
				"Tcp_transfer",
				"ccf32"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "1081082f-c780-4f3f-8090-0952b4455230",
			"created_at": "2022-10-25T16:07:24.297942Z",
			"updated_at": "2026-04-10T02:00:04.92646Z",
			"deleted_at": null,
			"main_name": "TAG-38",
			"aliases": [],
			"source_name": "ETDA:TAG-38",
			"tools": [
				"FRP",
				"Fast Reverse Proxy",
				"POISONPLUG.SHADOW",
				"ShadowPad Winnti",
				"XShellGhost"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "9099912b-a00a-4afb-8294-c6d35af421a1",
			"created_at": "2023-01-06T13:46:39.338108Z",
			"updated_at": "2026-04-10T02:00:03.292102Z",
			"deleted_at": null,
			"main_name": "Scarab",
			"aliases": [],
			"source_name": "MISPGALAXY:Scarab",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "e7d03ac8-7d6f-4ea0-83a9-10dff2ea1486",
			"created_at": "2022-10-25T16:07:24.158325Z",
			"updated_at": "2026-04-10T02:00:04.884772Z",
			"deleted_at": null,
			"main_name": "Scarab",
			"aliases": [
				"UAC-0026"
			],
			"source_name": "ETDA:Scarab",
			"tools": [
				"Scieron"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "b69037ec-2605-4de4-bb32-a20d780a8406",
			"created_at": "2023-01-06T13:46:38.790766Z",
			"updated_at": "2026-04-10T02:00:03.101635Z",
			"deleted_at": null,
			"main_name": "MUSTANG PANDA",
			"aliases": [
				"Stately Taurus",
				"LuminousMoth",
				"TANTALUM",
				"Twill Typhoon",
				"TEMP.HEX",
				"Earth Preta",
				"Polaris",
				"BRONZE PRESIDENT",
				"HoneyMyte",
				"Red Lich",
				"TA416"
			],
			"source_name": "MISPGALAXY:MUSTANG PANDA",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "6daadf00-952c-408a-89be-aa490d891743",
			"created_at": "2025-08-07T02:03:24.654882Z",
			"updated_at": "2026-04-10T02:00:03.645565Z",
			"deleted_at": null,
			"main_name": "BRONZE PRESIDENT",
			"aliases": [
				"Earth Preta ",
				"HoneyMyte ",
				"Mustang Panda ",
				"Red Delta ",
				"Red Lich ",
				"Stately Taurus ",
				"TA416 ",
				"Temp.Hex ",
				"Twill Typhoon "
			],
			"source_name": "Secureworks:BRONZE PRESIDENT",
			"tools": [
				"BlueShell",
				"China Chopper",
				"Claimloader",
				"Cobalt Strike",
				"HIUPAN",
				"ORat",
				"PTSOCKET",
				"PUBLOAD",
				"PlugX",
				"RCSession",
				"TONESHELL",
				"TinyNote"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "64af9eaa-e528-42d2-95c6-f55aa0a13df5",
			"created_at": "2025-04-23T02:00:55.201298Z",
			"updated_at": "2026-04-10T02:00:05.33852Z",
			"deleted_at": null,
			"main_name": "RedEcho",
			"aliases": [
				"RedEcho"
			],
			"source_name": "MITRE:RedEcho",
			"tools": [
				"ShadowPad"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "b5449533-0ff1-4048-999d-7d4bfd8e6da6",
			"created_at": "2022-10-25T16:07:24.114365Z",
			"updated_at": "2026-04-10T02:00:04.869887Z",
			"deleted_at": null,
			"main_name": "RedDelta",
			"aliases": [
				"Operation Dianxun",
				"TA416"
			],
			"source_name": "ETDA:RedDelta",
			"tools": [
				"Agent.dhwf",
				"Agentemis",
				"Chymine",
				"Cobalt Strike",
				"CobaltStrike",
				"Darkmoon",
				"Destroy RAT",
				"DestroyRAT",
				"Gen:Trojan.Heur.PT",
				"Kaba",
				"Korplug",
				"PlugX",
				"Poison Ivy",
				"RedDelta",
				"SPIVY",
				"Sogu",
				"TIGERPLUG",
				"TVT",
				"Thoper",
				"Xamtrav",
				"cobeacon",
				"pivy",
				"poisonivy"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "9baa7519-772a-4862-b412-6f0463691b89",
			"created_at": "2022-10-25T15:50:23.354429Z",
			"updated_at": "2026-04-10T02:00:05.310361Z",
			"deleted_at": null,
			"main_name": "Mustang Panda",
			"aliases": [
				"Mustang Panda",
				"TA416",
				"RedDelta",
				"BRONZE PRESIDENT",
				"STATELY TAURUS",
				"FIREANT",
				"CAMARO DRAGON",
				"EARTH PRETA",
				"HIVE0154",
				"TWILL TYPHOON",
				"TANTALUM",
				"LUMINOUS MOTH",
				"UNC6384",
				"TEMP.Hex",
				"Red Lich"
			],
			"source_name": "MITRE:Mustang Panda",
			"tools": [
				"CANONSTAGER",
				"STATICPLUGIN",
				"ShadowPad",
				"TONESHELL",
				"Cobalt Strike",
				"HIUPAN",
				"Impacket",
				"SplatCloak",
				"PAKLOG",
				"Wevtutil",
				"AdFind",
				"CLAIMLOADER",
				"Mimikatz",
				"PUBLOAD",
				"StarProxy",
				"CorKLOG",
				"RCSession",
				"NBTscan",
				"PoisonIvy",
				"SplatDropper",
				"China Chopper",
				"PlugX"
			],
			"source_id": "MITRE",
			"reports": null
		}
	],
	"ts_created_at": 1775434268,
	"ts_updated_at": 1775792132,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/9838bfce29650b438203c877892fced2a5783e63.pdf",
		"text": "https://archive.orkl.eu/9838bfce29650b438203c877892fced2a5783e63.txt",
		"img": "https://archive.orkl.eu/9838bfce29650b438203c877892fced2a5783e63.jpg"
	}
}