A report by Recorded Future in Oct 2020, a Massachusetts-based company, which alleged that a Chinese state-backed entity systematically targeted critical Indian infrastructure installations has brought into sharp focus and turned the spotlight on the grim reality of grey zone battles in recent times. Media reports suggested that the October 2020 power outage in Mumbai and neighbouring areas, which crippled train transportation, closed the stock exchange, and hampered those working from home amidst the pandemic, was sabotage.
The power ministry acknowledged that an email was received from CERT-In on 19th November 2020 on the threat of malware called Shadow Pad at some control centres of POSOCO and action has been taken to address these threats. All systems in control centres were scanned and cleaned by antivirus.
The incident was investigated by the National Critical Information Infrastructure Protection Centre (NCIIPC), which oversees India’ cybersecurity operations in critical sectors. There is a need to analyse the implication of this new threat, identify vulnerabilities and plug the gaps quickly.
The compulsions of geopolitical competition among rival powers in their need to carve out or expand their areas of influence is increasingly being playing out in the space beyond diplomacy and short of conventional war, which is referred to as the grey zone.
The United States Special Operations Command defines grey-zone as “competitive interactions among and within state and non-state actors that fall between the traditional war and peace duality.” A key element of operations within the grey-zone is that they remain below the threshold of an attack, which could have a legitimate conventional military response (jus ad bellum).
The concept of grey zone is not novel and has often been used in the past as a military strategy in proxy wars, low intensity conflicts and sponsoring of non-state players. Although it reflects an age-old approach, however, in recent times the advances in information technology and our growing dependence on IT have created vulnerabilities that are now being targeted by the adversary.
Cyber-attacks, fake news, disinformation, subversion of democratic institutions and destroying social cohesion are the new norm in this grey zone battlefield and is being increasingly used to create new and radical spaces for its expansion.
Nathan Freier, an associate professor of national security studies at the U.S. Army War College’s Strategic Studies Institute, in his article “The Darker Shade of Gray: A New War Unlike Any Other”, suggests that all grey zone strategies include unique combinations of hostile methods within and across instruments of power, traditional domains (air, land, sea, space, cyber), and heavily contested competitive spaces (e.g., electro-magnetic spectrum and strategic influence).
He also emphasises that grey zone adversaries present a menace to convention, in that the character of their competitive methods promises warlike outcomes yet fall short of military provocation and concludes that rival grey zone strategies and approaches “lie between ‘classic’ war and peace, legitimate and illegitimate motives and methods, universal conditions and norms, order and anarchy.”
"The concept of grey zone is not novel and has often been used in the past as a military strategy in proxy wars, low intensity conflicts and sponsoring of non-state players."
While the toolkit for grey zone operations includes information operations, political coercion, economic coercion, cyber operations, proxy support, and provocation by state-controlled forces, this article examines the dimension of cyber operations with specific reference to the vulnerability of critical infrastructure principally power grids to cyber-attacks.
With the increasing dependence on IT, the power generation and distribution network system face new and evolving cybersecurity threats. One of the first publicly acknowledged cyberattack to have caused a grid power outage was in 2015, on distribution utility substations in Ukraine, which shut off power to over 225,000 utility customers for several hours. The cyber attackers are reported to have used the BlackEnergy 2 malware to cause the grid failure.
A second cyberattack in Ukraine in 2016 was reported on an electricity control center in the city of Kiev, shutting down substations, which controlled 200 megawatts of capacity using the malware named “Industroyer” or “Crash Override”. This was reported to be the second known malware specifically designed to disrupt physical systems. The first malware recognized as targeting SCADA (supervisory control and data acquisition) systems was the STUXNET computer worm, which was reported in 2010 to have destroyed centrifuges for uranium enrichment in Iran.
The US Congressional Research Service report in 2018, on Electric Grid Cybersecurity5, highlights the vulnerabilities in the system which are summarised below.
Cyber threats could result in direct attacks aimed at electric grid or other critical infrastructure that could impact the operations or security of the grid. Cyber intrusions on the electric grid have resulted in malware on ICS networks with the capability of causing damage or taking over certain aspects of system control or functionality.
One of the greatest cyber threats to the grid is intrusions focused on manipulating Industrial Control System (ICS) networks. According to the Report, in 2017, the security firm Dragos (which specializes in industrial-control systems) found 163 new security vulnerabilities in industrial control devices, which it classified as typically “insecure-by-design,” since they were located deep within ICS networks. It found that 61% of these vulnerabilities would likely cause a “severe operational impact” if exploited in a cyberattack.
Operational Technology (OT) systems are often used by electric utilities to monitor and control power production processes. While these technologies have been considered air-gapped (i.e., separate from IT systems), modernization of ICS networks has led to OT and IT systems becoming increasingly interconnected.
While a lot of attention has been focused on IT system cybersecurity, this is not always the case for OT networks. OT systems are often directly connected to the Internet, in some cases so that third-party vendors can remotely connect to the system to perform diagnostics and maintenance.
In many of these instances, the OT systems are not protected by a firewall and are outdated, so they lack modern security features that would typically be used to protect an internet-facing connection (e.g. multi-factor authentication, strong passwords, logging, and monitoring).
The human factor is considered by many to be the weakest link in cybersecurity. Many cybersecurity breaches are caused by individuals falling prey to phishing or similar attacks which are used to gain credentials to access utility systems. This was the case in Ukraine, as hackers sent out malware-carrying emails. After links in the emails were opened by legitimate users, hackers acquired the credentials needed to access control and operations systems to cause blackouts at regional distribution utilities.
The report highlights that that the targeted phishing attacks are on the rise against electric utilities in the U.S., Europe, and parts of East Asia with spear-phishing attacks that employ code and infrastructure eerily similar to that used by the so-called Lazarus Group (North Korea based hacking group), the most destructive and outright criminal of the state sponsored hacking gangs.
"The toolkit for grey zone operations includes information operations, political coercion, economic coercion, cyber operations, proxy support, and provocation by state-controlled forces."
With this as a background, let us examine the power outage in Mumbai and try and connect the dots.
Electricity generation and distribution is vital to the commerce and daily functioning of any nation. The National Grid is the high-voltage electricity transmission network in India, connecting power stations and major substations and ensuring that electricity generated anywhere in India can be used to satisfy demand elsewhere.
The National Grid is owned and maintained by state-owned Power Grid Corporation of India and operated by state-owned Power System Operation Corporation. It is one of the largest operational synchronous grids in the world with 371.054 GW of installed power generation capacity as of 30 June 2020. The system is operating through five regional grids, Northern, Eastern, Western, North-eastern, and Southern grids connected synchronously.
Therefore, power grids constitute a prime target for Grey Zone tactics, as it could cause huge financial losses. This is borne out by the fact that this is not the first time India’s critical infrastructure has been in the crosshairs of cyber attackers. Some other high-profile cyberattacks on India' power sector include the ones at state-run Nuclear Power Corp of India Ltd.'s (NPCIL) Kudankulam Nuclear Power Plant (KKNPP), THDC Ltd.'s Tehri dam, West Bengal State Electricity Distribution Co. Ltd, and at Rajasthan and Haryana discoms.
The Recorded Future report explains the details of the attacks against the Indian power sector. It identified the activity through a combination of large-scale automated network traffic analytics and expert analysis. What is germane is that the intrusion activity was undertaken using the PlugX malware C2 infrastructure in the digital space against multiple Indian government, public sector, and defence organizations from at least May 2020. This PlugX intrusion activity gained momentum after the Indian and Chinese troops faced off in May 20.
These were allegedly carried out by RedEcho, a Chinese state-sponsored Threat Actor Group, which allegedly penetrated a total of 12 organizations, including four of India’s five Regional Load Despatch Centres (RLDCs) and two State Load Despatch Centres (SLDCs). These organizations are responsible for ensuring the optimum scheduling and dispatching of electricity based on supply and demand across regions in India.
According to Recorded Future, “The targeting of Indian critical infrastructure offers limited economic espionage opportunities; however, we assess they pose significant concerns over potential pre-positioning of network access to support Chinese strategic objectives.”
The energy sector was targeted using ShadowPad, a modular backdoor that has been in use since 2017. ShadowPad is shared among other state-backed threat actor groups who are affiliated with both the Chinese Ministry of State Security (MSS) and the People’s Liberation Army (PLA).
Some of these groups include APT41 (aka Barium, among others), Icefog, KeyBoy (aka Pirate Panda), Tick, and Tonto Team. There is no doubt that the timing of these alleged attacks through sponsored groups lends credence that grey zone warfare will increasingly target power grids, which are susceptible to cyber intrusions.
Even as we try to come to terms with dealing with cyber-attacks on grids, advances in technology have revolutionised how devices interconnect on the internet. IoT (Internet of Things) is the concept of connecting any device (so long as it has an on/off switch) to the Internet and to other connected devices, which results in a giant network of connected devices.
This has raised new concerns about vulnerability of networks, as IoT devices have been increasingly targeted by botnet malware (whereby the hacker takes over the operation of a large number of infected devices) to launch denial-of-service or other cyberattacks.
If such IoT cyberattacks were able to access electric utility ICS networks, they could potentially impair these systems or cause electric power networks to operate based on manipulated conditions or false information. For example, a potential IoT-based attack on residential or commercial thermostats could result in false power demand readings, causing a utility to ramp up power production unnecessarily.
In conclusion, there is no doubt that in the future more such battles will be fought in the Grey Zone as they remain below the threshold of an attack, which could have a legitimate conventional military response. The zone beyond diplomacy and short of conventional war offers disproportionately large dividends compared to investments required in conventional battles. These battles are invariably played out by state-backed threat actor groups who have clandestine links with government agencies.
The toolkit for grey zone operations is constantly being evolved as new vulnerabilities are discovered. Fake news, disinformation, subversion of democratic institutions and destroying social cohesion are already being used as tools of warfare in this grey zone battlefield by rival powers try to settle scores.
Cyber operations and Cyber-attacks against Critical Information Infrastructure Organisations (both public and private) is a reality now. Power grids are critical infrastructure and will be prime target for Grey Zone tactics, as their breakdowns could cause huge financial losses. The need to safeguard them is essential, as they are the backbone to the economic development and growth of a nation.
 Recorded Future is a privately held cybersecurity company founded in 2009 with headquarters in Somerville, Massachusetts. The company specializes in the collection, processing, analysis, and dissemination of threat intelligence by the use of patented machine learning and natural language processing methods to continuously collect and organize data from open web, dark web, and technical sources.
Its recent report details the campaign conducted by a China-linked threat activity group RedEcho targeting the Indian power sector. The report can be accessed at https://www.recordedfuture.com/redecho-targeting-indian-power-sector/
 On 12 October 2020 power outage in Mumbai and neighboring areas, crippled train transportation, closed the stock exchange, and brought Mumbai to a standstill.
 Kapusta, Philip. "The Gray Zone" (https://www.soc.mil/SWCS/SWmag/archive/SW2804/GrayZone.pdf) (PDF). www.soc.mil. United States Special Operations Command.
 Electricity Information Sharing and Analysis Center, Analysis of the Cyber Attack on the Ukrainian Power Grid, March 18, 2016, https://www.nerc.com/pa/CI/ESISAC/Documents/E-ISAC_SANS_Ukraine_DUC_18Mar2016.pdf.
 SCADA is supervisory control and data acquisition system which gathers information from remote stations across a utility system to control geographically dispersed assets.
 David Kushner, The Real Story of Stuxnet, IEEE, February 26, p. 2013, https://spectrum.ieee.org/telecom/security/the-real-story-of-stuxnet
 ICS comprises electronic devices, switches, and circuit breakers to regulate and report on the flow of electricity at different parts of the system and help to manage & control power plant, transformer yard and power bus functions, transmission, and distribution substations. Today, widely available software applications and Internet-based devices have been deployed into most ICS, delivering effective and efficient outcomes, but also increasing system vulnerability.
 "Areas of national grid". Retrieved 19 October 2016. http://www.iexindia.com/bidareas.aspx?id=31&mid=2
 "All India Installed Capacity of Utility Power Stations" (PDF). Retrieved 10 July 2020. http://cea.nic.in/reports/monthly/installedcapacity/2020/installed_capacity-06.pdf
 A 2015 report from the University of Cambridge and Lloyds of London, estimates that a targeted cyberattack could leave 15 states and 93 million people from New York City to Washington, DC, without power. The scenario estimated the total impact to the U.S. economy at between $243 billion and $1 trillion, resulting from “direct damage to assets and infrastructure, decline in sales revenue to electricity supply companies, loss of sales revenue to business and disruption to the supply chain”. http://www.nap.edu/catalog/12050/terrorism-and-the-electric-power-delivery-system
 The PlugX malware family is well known to researchers, with samples dating back to as early as 2008, according to researchers at Trend Micro. PlugX is a fully featured Remote Access Tool/Trojan (RAT) with capabilities such as file upload, download, and modification, keystroke logging, webcam control, and access to a remote cmd.exe shell. For a detailed account of how PlugX works see https://logrhythm.com/blog/deep-dive-into-plugx-malware/
About the Author
Commodore BR Prakash is a specialist in Missile and Gunnery warfare and was the Gunnery Officer and Surface to Air Missile officer of number naval ships including Rajput, Ranvir, Prabal, Charag. He has commanded INS Ganga, INS Vidyut and was Executive Officer and Principle Warfare officer of INS Gomati and INS Kirpan. He has also served as Joint Director at Naval Headquarters and at Indian Naval Tactical Evaluation Group Mumbai.
He was Commissioning Commanding Officer of INS Sardar Patel. He was deputed to Israel for the joint development of the Long Range Surface to Air Missile System in collaboration with Israeli Aerospace Industries later installed and successfully tested on the Kolkata class Destroyers. He is an alumnus of Training Ship Rajendra, Indian Naval Academy and the Defence Services Staff College. He also holds an MSc degree in Applied Psychology and MSc in Defence Studies.
(Views expressed are the author's own and do not neccessarily reflect the editorial policy of Mission Victory India)