There’s a new @nytimes article out on a @RecordedFuture report coming out tomorrow ok potential Chinese activity targeting Indian electric sites. I’ll hold broad thoughts for the report to drop where I can dig in but a few initial thoughts: nytimes.com/2021/02/28/us/…
First, it’d be no surprise to find that between two states that have conflict (and with some skirmishes bordering on going larger) that there would be targeting of critical national infrastructure such as the electric system (power grid). So the claim seems very reasonable
Interestingly, the NYT writes: “Now, a new study lends weight to the idea that those two events may well have been connected” referring to a power outage last year in India. But what’s interesting is the RF analysts don’t seem to say that noting instead a link is unsubstantiated 
It seems the NYT is just offering a potential link but the analysts don’t support it. Not critiquing any party involved but kudos to the analysts for sticking to their point that what they found was interesting and targeted but chose not to speculate further.
The RF analysts were also seemingly transparent that they aren’t doing incident response or have access to the internal networks of the company but are using their collection and in it the targeting of load dispatching is unique enough to consider targeted
Essentially the RF analysts are saying that they’re tracking an adversary and its infrastructure and capability and have found unique victimology in their collection that’s specific and assessing targeting towards Indian load dispatch centers.
I’m looking forward to the technical report but so far it seems they’re being very reasonable and professional here. They notified the Indian CERT, they’re sharing their findings, not claiming it was related to the power outage, but noted it’s targeted to electric systems
I really like that they acknowledge their collection gaps and what they don’t know while sticking to their assessment - and not being led into theorizing or getting into things their analysis didn’t touch. Seems very solid. I like their team so I’m glad to see this
For any more “what does this all mean” we’ll have to wait for the report to drop tomorrow but generally it sounds they found technical evidence to support an assessment of targeting of electric systems in India which fits what we’d expect and could be useful in finding more
For all my colleagues in electric power there’s nothing here that would say any power outage was the result of a cyber attack or anything like that and if RF had any “imminent” risk type intel they’d have shared it. Looks isolated. So rest easy and just read the report tomorrow
Actually looks like they went ahead and released the report tonight: go.recordedfuture.com/hubfs/reports/…
Yea their report keeps to the points they made in NYT. Basically making the assessment that they saw a unique cluster of malware (ShadowPad) and C2 servers (noting the way the C2 servers were done not just ShadowPad + C2) target 10 Indian electric power entities
They’re also fairly transparent with everything they’ve done. They note why they came to their conclusions, release the technical details they have, note collection gaps, no alarmism or unsupported claims, etc. It’s a well done report.
I suspect some folks are going to ding them for a few things; they note .com as a shared TLD as an example as being important. Or use of TLS. But I would disagree with any critique on that. Alone sure its not much but they didn’t present it alone. They presented multiple findings
Their will always be data and observations that alone look stupid. But intel analysts take and synthesize a lot of things together. One data point in isolation is almost always bad, as part of an overall story they all have their place. So I’d have done the same
Also I love that they noted there’s strong links to APT41 but don’t have enough insight to say this activity is APT41. That’s perfect. RF, and most, generally wouldn’t know the ins and outs of the APT41 definition. But they are saying yes there is a link and others are tracking
Anyway overall I like that they chose to make the assessment they did because their collection and analysts supported it, not be hyperbolic, and then offered data out for others to use and expand on while linking to other known activity. Kudos RF team
• • •
Missing some Tweet in this thread? You can try to
force a refresh
