RedEcho
Description
(Recorded Future) Since early 2020, Recorded Future’s Insikt Group observed a large increase in suspected targeted intrusion activity against Indian organizations from Chinese state-sponsored groups. From mid-2020 onwards, Recorded Future’s midpoint collection revealed a steep rise in the use of infrastructure tracked as AXIOMATICASYMPTOTE, which encompasses ShadowPad command and control (C2) servers, to target a large swathe of India’s power sector. 10 distinct Indian power sector organizations, including 4 of the 5 Regional Load Despatch Centres (RLDC) responsible for operation of the power grid through balancing electricity supply and demand, have been identified as targets in a concerted campaign against India’s critical infrastructure. Other targets identified included 2 Indian seaports.
Using a combination of proactive adversary infrastructure detections, domain analysis, and Recorded Future Network Traffic Analysis, we have determined that a subset of these AXIOMATICASYMPTOTE servers share some common infrastructure tactics, techniques, and procedures (TTPs) with several previously reported Chinese state-sponsored groups, including APT 41 and Tonto Team, HartBeat, Karma Panda.
Despite some overlaps with previous groups, Insikt Group does not currently believe there is enough evidence to firmly attribute the activity in this particular campaign to an existing public group and therefore continue to track it as a closely related but distinct activity group, RedEcho.
Also see TAG-38.
Names
| Name | Name-Giver |
|---|---|
| RedEcho | Recorded Future |
Country
Sponsor
State-sponsored
Motivation
- Information theft and espionage
First Seen
2020
Observed Sectors
Observed Countries
Tools
Information
- https://go.recordedfuture.com/redecho-insikt-group-report
- https://therecord.media/redecho-group-parks-domains-after-public-exposure/
Other Information
Uuid
660f5bfa-d726-4935-a2be-7efa6ed8a366
Last Card Change
2022-04-08