30 March 2021

China-linked RedEcho APT takes down part of its domain infrastructure

RedEcho, a threat actor believed to be working on behalf of the Chinese government, has taken down part of its command and control (C2) infrastructure after security researchers exposed its activities aimed at critical infrastructure operators in India.

At the end of February 2021, Recorded Future’s Insikt Group published a report detailing a cyber-espionage campaign targeting Indian power sector organizations. According to the researchers, at least 10 organizations were targeted in this campaign, including 4 of the 5 Regional Load Despatch Centres (RLDCs) responsible for operating the power grid by balancing electricity supply and demand, as well as 2 Indian seaports.

As relations between India and China have deteriorated significantly following border clashes in May 2020, the number of attacks against India from suspected Chinese hacker groups has also increased, Insikt Group pointed out.

“From mid-2020 onwards, Recorded Future’s midpoint collection revealed a steep rise in the use of infrastructure tracked as AXIOMATICASYMPTOTE, which encompasses ShadowPad command and control (C2) servers, to target a large swathe of India’s power sector…we have determined that a subset of these AXIOMATICASYMPTOTE servers share some common infrastructure tactics, techniques, and procedures (TTPs) with several previously reported Chinese state-sponsored groups, including APT41 and Tonto Team,” the researchers said.

However, despite overlaps with APT41 and Tonto Team, Recorded Future believes that RedEcho is “a closely related but distinct activity group.”

Less than two weeks after the publication of the report, the researchers noticed that the threat actor had taken down part of its domain infrastructure, specifically web domains that the group had previously used to control ShadowPad malware inside the compromised Indian power grid and that Recorded Future had exposed.

“The most recently identified victim communications with RedEcho infrastructure was from an Indian IP address on March 11, 2021 to the RedEcho IP 210.92.18[.]132,” Insikt told The Record website.

“This is likely due to a combination of defensive measures taken by targeted organizations to block published network indicators and the aforementioned steps taken by the group to move away from publicized infrastructure.”
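The defensive measure mentioned above, blocking and hunting for published network indicators, is straightforward to script. The following is an added example, not code from the article, Recorded Future or The Record: it refangs the one indicator quoted in the article (210.92.18[.]132; any other indicators would come from the Insikt Group report itself), validates it as an IP address, and checks constructed firewall log lines for outbound connections to it. The log format and the sample lines are assumptions made for the example.

```python
from __future__ import annotations

import ipaddress
import re
from typing import Iterable

# The only network indicator quoted in the article, kept in the defanged form
# in which it was published. Real hunts would load the full published list.
PUBLISHED_INDICATORS = ["210.92.18[.]132"]


def refang(indicator: str) -> str:
    """Turn a defanged indicator ('210.92.18[.]132', 'hxxp://...') back into usable form."""
    return indicator.replace("[.]", ".").replace("hxxp", "http")


def load_indicator_set(indicators: Iterable[str]) -> set[str]:
    """Refang, validate and normalise IP indicators; anything that is not an IP is skipped."""
    ips: set[str] = set()
    for ind in indicators:
        try:
            ips.add(str(ipaddress.ip_address(refang(ind))))
        except ValueError:
            # Domains or malformed entries would need a separate matcher.
            continue
    return ips


# Constructed sample firewall log lines (not from the article), in an assumed
# "timestamp key=value ..." format. The second line is ordinary traffic.
SAMPLE_LOGS = """\
2021-03-11T09:14:02Z src=10.20.30.40 dst=210.92.18.132 dport=443 action=allow
2021-03-11T09:14:05Z src=10.20.30.41 dst=203.0.113.7 dport=443 action=allow
2021-03-12T10:01:17Z src=10.20.30.40 dst=210.92.18.132 dport=443 action=deny
"""

KV = re.compile(r"(\w+)=(\S+)")


def match_outbound_to_indicators(log_text: str, indicators: set[str]) -> list[dict]:
    """Return one record per log line whose destination is a published indicator.

    An 'allow' hit means a host talked to known C2 before the block was in place
    and needs investigation; a 'deny' hit shows the block working but still
    points at a host that is trying to reach the infrastructure.
    """
    hits = []
    for line in log_text.splitlines():
        fields = dict(KV.findall(line))
        dst = fields.get("dst")
        if dst in indicators:
            hits.append({
                "ts": line.split(" ", 1)[0],
                "src": fields.get("src"),
                "dst": dst,
                "action": fields.get("action"),
            })
    return hits


if __name__ == "__main__":
    iocs = load_indicator_set(PUBLISHED_INDICATORS)
    for hit in match_outbound_to_indicators(SAMPLE_LOGS, iocs):
        print(hit)
```

As the article itself notes, the group moved off the publicised infrastructure within weeks, so matches against a static indicator list mostly surface historical or residual beacons; the value of a check like this is in finding hosts that were already talking to the C2 before the block went in, not in catching the group's next infrastructure.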
