Skip to content

China attacks 7 Indian power grid assets in Ladakh

  • by
  • 2 min read

At least seven State Load Dispatch Centers close to the Indo-China border in Ladakh have been found to be targetted by a suspected Chinese state-sponsored threat group called TAG-38. 

These SLDCs conduct real-time operations for grid control and electricity dispatch and hence are critical infrastructure in the region. The attack is believed to have started by the infiltration of internet-facing third-party devices like IP cameras that may have been vulnerable due to them having default credentials. 

In addition to attacking the power grids, the operation also impacted a national emergency response team and the Indian branch of a logistics company. The operation used a trojan called ShadowPad which is believed to have links to contractors working with the Chinese Ministry of State Security. 

In the News: ProtonMail has a new domain,

Dragon in the valley

Cybersecurity firm Recorded Future’s Insikt group reported that the targeting has been geographically concentrated and one of these SLDCs has been previously targeted in 2020 in an incident the group labelled RedEcho and attributed to China as well. 

However, since the targeting was prolonged, the main objective of the hack is believed to gather information about critical infrastructure, which could be later used to gain access to a system and take possibly disruptive actions in the future.

A graphic explaining TAG-38 activity on India SLDCs. | Source: Recorded Future.

Recorded Future reported discovering a Command and Control (C2) infrastructure targeting critical infrastructure in Ladakh for months. This infrastructure involves the hacked DVR/IP cameras and uses Fast Reverse Proxy’s open-source tool. The firm also found that identified C2s share a unique SSL certificate spoofing Microsoft. The certificate has multiple links to wider Chinese state-sponsored cyber espionage activity. 

The use of ShadowPad across Chinese threat groups is growing over time. At this time, the Insikt group is tracking at least 10 different activity groups with access to ShadowPad, a software developed and used by MSS-linked contractors linked to the APT41 intrusion set. 

In the News: 6 VMware products are vulnerable to 10 critical bugs; patch issued

Yadullah Abidi

Yadullah Abidi

Yadullah is a Computer Science graduate who writes/edits/shoots/codes all things cybersecurity, gaming, and tech hardware. When he's not, he streams himself racing virtual cars. He's been writing and reporting on tech and cybersecurity with websites like Candid.Technology and MakeUseOf since 2018. You can contact him here: