30 March 2021

China-linked RedEcho APT takes down part of its domain infrastructure


RedEcho, a threat actor believed to be working on behalf of the Chinese government, has taken down part of its command and control (C2) infrastructure after security researchers exposed its activities aimed at critical infrastructure operators in India.

At the end of February 2021, Recorded Future’s Insikt Group published a report detailing a cyber-espionage campaign targeting Indian power sector organizations. According to the researchers, at least 10 organizations were targeted in this campaign, including 4 of the 5 Regional Load Despatch Centres (RLDCs) responsible for operating the power grid by balancing electricity supply and demand, as well as 2 Indian seaports.

As relations between India and China deteriorated significantly following border clashes in May 2020, the number of attacks against India by suspected Chinese hacker groups also increased, Insikt Group pointed out.

“From mid-2020 onwards, Recorded Future’s midpoint collection revealed a steep rise in the use of infrastructure tracked as AXIOMATICASYMPTOTE, which encompasses ShadowPad command and control (C2) servers, to target a large swathe of India’s power sector…we have determined that a subset of these AXIOMATICASYMPTOTE servers share some common infrastructure tactics, techniques, and procedures (TTPs) with several previously reported Chinese state-sponsored groups, including APT41 and Tonto Team,” the researchers said.

However, despite overlaps with APT41 and Tonto Team, Recorded Future believes that RedEcho is “a closely related but distinct activity group.”

Less than two weeks after the publication of the report, the researchers noticed that the threat actor had taken down part of its domain infrastructure, specifically the web domains that the group had previously used to control ShadowPad malware inside the compromised Indian power grid and that Recorded Future had exposed.

“The most recently identified victim communication with RedEcho infrastructure was from an Indian IP address on March 11, 2021, to the RedEcho IP 210.92.18[.]132,” Insikt told The Record website.

“This is likely due to a combination of defensive measures taken by targeted organizations to block published network indicators and the aforementioned steps taken by the group to move away from publicized infrastructure.”
