Key Infrastructure and Critical Vulnerabilities: Attack Against Tata Power Highlights Cyber Risk to India’s Growing and Increasingly Connected Population
On Friday, October 14, Indian electricity provider Tata reported it was suffering the effects of a cyberattack against its network. (1) In late October, Hive ransomware claimed the attack and began leaking data stolen from Tata Power on its website. (16) This was not the first time Indian power infrastructure was targeted in a cyberattack. So far has been no long-term infrastructure damage, but attacks against vulnerable power infrastructure which are widespread or occur at critical times have the potential to be disruptive to government, commerce, and daily living. Indian authorities blamed malware for a two-hour long power outage also in Mumbai in October 2020, and later indicated they believed the incident to be the result of deliberate action, according to press reports. The investigation uncovered suspicious logins to servers connected to the power utility network and traced the logins to several countries outside India. (3, 4)
According to its website, Tata Power serves millions of customers across India and has been in the power sector for over one hundred years (2), making it a highly visible and attractive target for attackers who want to leverage a wide attack surface to achieve maximum disruption for their efforts. Cyberattacks against India’s critical infrastructure are well-documented. Recorded Future in February 2021 published a report highlighting intrusion activity against India’s power grid, which it blamed on Chinese actors using a modular backdoor called ShadowPad, which it claimed it increasingly used by China’s People’s Liberation Army (PLA). (5) [For more on how ShadowPad works, check out this report by Sentinel Labs. (6)]
Malware: Recent Deadbolt Ransomware Operations Stymied Though Action by Dutch Police
Deadbolt ransomware, first seen in early 2021, is part of a small subset of malware which specifically searches for and targets vulnerable network-attached storage (NAS) devices inside a network. (8) Deadbolt first targeted storage devices manufactured by Taiwan-based company QNAP, for which patches have been available since early this year. (9) In September of this year, QNAP identified and released patches for an additional vulnerability accessible via Photo Station (cloud storage for photos). (10) Asustor NAS devices were also found to be vulnerable to Deadbolt infections. (11) Like many other cybercriminal operators, Deadbolt’s threat actors demanded payment in cryptocurrency in exchange for the decryption key, (10, 11) forcing victims to choose between paying the ransom or losing access to their backups.
On October 14, Dutch Police announced they successfully obtained more than 150 Deadbolt decryption keys. With help from Responders.NU (who tipped off authorities to a method for retrieving decryption keys) and several other organizations, Dutch authorities were able to submit a Bitcoin payment to the group, retrieve the decryption keys, and then cancel the Bitcoin payment before the transaction went through, helping victims in the Netherlands and a dozen other nations retrieve their data. (12, 13, 15)
This event highlights a few key points, for network defenders, it shows the importance of understanding the ongoing evolution of cybercrime TTPs; in this case, the vulnerability of network-attached backups intended to help recover from a cyberattack. For law enforcement, this case underscores the need to understand the protections and vulnerabilities in cryptocurrency networks, and the value of establishing strong partnerships with outside organizations. Finally, it should encourage victims of cybercrimes to continue to come forward and report thefts to the proper authorities. And not least of all, with threat actors stealing huge cryptocurrency sums in 2021 and 2022 (14) observers should ask about the mechanism used for submitting and then retracting a payment from a system which is supposed to be immutable.
About EclecticIQ Threat Research
EclecticIQ is a global provider of threat intelligence, hunting and response technology and services. Headquartered in Amsterdam, the EclecticIQ Threat Research team is made up of experts from Europe and the U.S. with decades of experience in cyber security and intelligence in industry and government.
We would love to hear from you. Please send us your feedback by emailing us at email@example.com or fill in the EclecticIQ Audience Interest Survey to drive our research towards your priority area.
Find the Analyst Prompt and earlier editions in our public TAXII collection for easy use in your security stack.
TAXII v1 Discovery services: https://cti.eclecticiq.com/taxii/discovery
Please refer to our support page for guidance on how to access the feeds.