>samit_hota
Back to adversary profiles
G1042HighActive

RedEcho: China-Linked Threat Actor Targeting Indian Critical Infrastructure

Samit Hota·
Suspected Origin
China
Motivation
Espionage, Strategic Pre-positioning
Aliases
None documented
Target Sectors
Energy (power generation and transmission), Maritime, Government, Public Sector, Defense
Associated Malware
ShadowPad, PlugX, Winnti
#threat-actor#g1042

Overview

RedEcho, tracked by MITRE ATT&CK as G1042, is a sophisticated threat actor associated with the People’s Republic of China. This group has been consistently linked to long-running intrusions targeting critical infrastructure entities within India, with activity observed as far back as early 2020. While sharing infrastructure and some tactics with other well-known PRC-linked groups such as APT41 and Tonto Team, RedEcho is considered a distinct activity cluster by some researchers due to specific observed campaign characteristics. Their operations appear primarily motivated by strategic pre-positioning and espionage, rather than direct financial gain, aiming to support broader Chinese strategic objectives, especially in the context of heightened bilateral tensions between India and China.

The group’s targeting strategy has predominantly focused on India’s energy and maritime sectors, including crucial power generation and transmission organizations. This selective targeting suggests a calculated effort to gain access to systems that could be leveraged for geostrategic signaling, influence operations, or as a precursor to potential kinetic escalation.

Tactics & Techniques

RedEcho employs a range of tactics, techniques, and procedures (TTPs) indicative of a well-resourced and persistent state-sponsored adversary. A key technique involves registering domains that spoof legitimate Indian critical infrastructure entities, which are then used as part of their command and control (C2) infrastructure. They leverage infrastructure tracked as AXIOMATICASYMPTOTE, which encompasses ShadowPad C2 servers, to facilitate their operations.

For network communication, RedEcho utilizes SSL traffic over TCP 443 and HTTP traffic over non-standard ports, such as TCP 8080. They have also been observed using dynamic DNS domains for their malicious infrastructure and employing SSL for encrypted communications. In some instances, intrusions have involved the use of compromised infrastructure, including DVR and IP camera devices, for C2 purposes in ShadowPad activity. The group has also used FRP (Fast Reverse Proxy) to bridge network boundaries and overcome Network Address Translation (NAT), and has established VPN tunnels, potentially through compromised Managed Service Providers (MSPs), to gain direct access to critical infrastructure networks. Digital certificates spoofing Microsoft have also been noted in their campaigns. These methods demonstrate a clear focus on stealth, persistence, and the ability to bypass network defenses.

Notable Campaigns

RedEcho gained significant public attention in early 2021 when cybersecurity firm Recorded Future detailed a campaign targeting India’s power sector. This activity, which began in mid-2020, coincided with heightened border tensions between India and China. The campaign identified RedEcho targeting at least 10 distinct Indian power sector organizations, including four of the five Regional Load Despatch Centres (RLDCs) and two State Load Despatch Centres (SLDCs) responsible for managing India’s power grid. Additionally, two Indian seaports were identified as targets.

While primarily focused on IT system breaches and information gathering, these intrusions posed significant concerns over the potential for pre-positioning network access for future disruptive actions. The timing and nature of these attacks suggest a direct correlation with geopolitical developments, serving as a form of strategic signaling.

Following public exposure of their activities in February 2021, RedEcho was observed taking down parts of its attack infrastructure, including web domains used to control ShadowPad malware. However, this action is typical for sophisticated APT groups, often indicating a shift to new infrastructure rather than a cessation of operations. Subsequent reporting in 2022 indicated continued targeting of Indian power grid assets by China-linked adversaries, with some activity clustered under a new temporary group name, Threat Activity Group 38 (TAG38), which shares consistencies with previous RedEcho operations, though direct attribution to RedEcho was not firmly established at that time.

Associated Malware & Tools

RedEcho is strongly linked to the use of the ShadowPad malware. ShadowPad is a modular backdoor that has been in use since at least 2017 and is a preferred tool among several Chinese espionage actors. It allows threat actors to download additional malicious modules or exfiltrate sensitive information. ShadowPad operates by decrypting and loading a Root plugin in memory, which then loads other embedded modules and can dynamically deploy additional plugins from a remote C2 server, enabling extended functionality. Its adoption significantly reduces development and maintenance costs for threat actors. The widespread use of ShadowPad across multiple Chinese state-sponsored groups, including those linked to the Chinese Ministry of State Security (MSS) and the People’s Liberation Army (PLA), highlights its effectiveness and shared resource model within the PRC cyber ecosystem.

Another malware observed in RedEcho’s toolkit, particularly in the lead-up to border skirmishes in May 2020, is PlugX. PlugX is another well-known backdoor associated with Chinese APT groups. The group deployed PlugX and ShadowPad as backdoor malware, ensuring persistent access to breached systems. Additionally, some sources mention Winnti as an associated tool, given overlaps in TTPs with groups known to use it.

Current Status

RedEcho is considered an Active threat. While the group may adjust its infrastructure and TTPs in response to public disclosures, its underlying mission and capabilities remain consistent. Reports from early 2022 by Recorded Future indicate continued targeting of Indian power grid organizations by China-linked adversaries, frequently employing ShadowPad, following a brief lull after the initial RedEcho reporting. Although subsequent activity sometimes receives different tracking names like TAG-38, the persistent focus on Indian critical infrastructure, particularly the power sector, and the continued use of common tools like ShadowPad, demonstrate an ongoing and strategic cyber espionage effort originating from China against India. This sustained activity underscores the critical need for robust cybersecurity measures within the targeted sectors.

Worried this actor targets your sector?

Let's map your exposure before they find it themselves.

Book an advisory call