active threat profile
type: Nation-State
threat_level: Critical
status: Active
origin: China (state-sponsored)
last_updated: 2026-03-27

RedEcho

tracked by: Recorded Future / Insikt Group | TAG-38 (successor cluster) | AXIOMATICASYMPTOTE infrastructure

A Recorded Future designation for Chinese state-sponsored activity targeting India's power grid infrastructure — notable because the targeting makes no economic or intelligence-gathering sense by conventional APT metrics. Recorded Future assessed the campaign is instead likely pre-positioning: establishing persistent access to India's electrical dispatch systems to enable disruption capability in the event of kinetic conflict along the disputed Line of Actual Control, or to signal deterrence capacity during periods of bilateral tension.

attributed origin: China
suspected sponsor: PLA / MSS (assessed)
first observed: Early 2020 (disclosed Feb 2021)
primary motivation: Pre-positioning / Strategic Deterrence
primary targets: Power Grid, Load Despatch Centres, Ports
confirmed victims: 12 organizations (2020–2021)
mitre att&ck group: Not formally assigned
target regions: India (North, West, South, East)
threat level: CRITICAL

Overview

RedEcho is a threat activity group designation created by Recorded Future's Insikt Group in February 2021 to track a cluster of intrusion activity targeting India's critical power infrastructure. The name was assigned because, despite clear overlaps with known Chinese state-sponsored actors — particularly APT41 (Barium) and Tonto Team — Insikt Group concluded there was insufficient technical evidence at the time of publication to formally merge this activity with any existing named group. RedEcho was therefore tracked as a closely related but distinct cluster sharing infrastructure, tools, and operational patterns with other confirmed Chinese government-linked actors.

The campaign was identified through large-scale automated network traffic analysis and adversary infrastructure fingerprinting. Recorded Future's midpoint collection detected a steep rise from mid-2020 onward in the use of infrastructure it calls AXIOMATICASYMPTOTE — a family of ShadowPad command-and-control servers identifiable by distinct HTTP header characteristics. These servers were communicating with IP addresses resolving to Indian power sector assets at high volume and frequency over an extended period, consistent with active intrusion rather than opportunistic scanning.

What makes RedEcho strategically significant is not its technical sophistication but its targeting logic. The organizations compromised — Regional Load Despatch Centres (RLDCs), State Load Despatch Centres (SLDCs), high-voltage substations, thermal power plants, and maritime ports — hold minimal value for conventional espionage. They do not process financial data, military secrets, or diplomatic communications. Recorded Future assessed the goal as pre-positioning: gaining and maintaining persistent access within systems that control the operational real-time functioning of India's national power grid, so that access could be activated for disruption, deterrence signaling, or leverage during future conflict scenarios tied to the ongoing India-China territorial dispute along the Line of Actual Control in Ladakh.

The timing of the campaign was directly correlated with the deterioration of India-China relations following the June 2020 border skirmishes in the Galwan Valley, which resulted in the first combat deaths between the two nations in 45 years. Recorded Future observed a noticeable increase in PlugX malware C2 provisioning in the lead-up to the May 2020 skirmishes, with subsequent ShadowPad-based intrusions into power sector targets accelerating through the second half of 2020. Following Insikt Group's February 2021 disclosure, RedEcho took down part of its C2 domain infrastructure — a response assessed as indicating the group had been actively monitoring security reporting about its own operations.

Subsequent Recorded Future reporting in April 2022 identified a related cluster designated TAG-38, targeting at least seven Indian SLDCs concentrated in North India near the Ladakh border using ShadowPad and the open-source tool FastReverseProxy (FRP), with C2 routed through hijacked internet-facing DVR and IP camera devices. TAG-38 also compromised a national emergency response system and the Indian subsidiary of a multinational logistics company. Recorded Future assessed this continued targeting as confirmation that compromising India's electrical dispatch infrastructure is a long-term strategic priority for Chinese state-linked actors, not an opportunistic or time-limited campaign.

Target Profile

RedEcho's targeting is tightly scoped to India's critical power infrastructure and, secondarily, its maritime sector. The selection of targets reflects a deliberate focus on organizations controlling the operational integrity of the national grid rather than organizations that hold intelligence value through data.

  • Regional Load Despatch Centres (RLDCs): The highest-value targets. RLDCs are responsible for the real-time integrated operation of India's power grid across regions, balancing electricity supply and demand to maintain stable grid frequency. RedEcho targeted 4 of India's 5 RLDCs, including those responsible for Western, Southern, Northeastern, and Eastern grid regions.
  • State Load Despatch Centres (SLDCs): State-level equivalents of RLDCs, responsible for grid control and electricity dispatch within individual states. Delhi and Telangana SLDCs were identified in the original RedEcho campaign; the TAG-38 follow-on campaign targeted at least 7 SLDCs concentrated in North India near the Ladakh border region.
  • Power Generation Assets: At least one large coal-fired thermal power plant and one high-voltage transmission substation were identified among RedEcho's victim organizations, alongside the Power System Operation Corporation Limited (POSOCO), which coordinates national grid operations.
  • Maritime Ports: Mumbai Port Trust and V.O. Chidambaranar Port (formerly Tuticorin Port, Tamil Nadu) were identified as RedEcho targets — both classified as critical infrastructure under India's National Critical Information Infrastructure Protection Centre (NCIIPC).
  • Emergency Response and Logistics: The TAG-38 campaign — a closely related successor cluster — additionally compromised a national emergency response system and the Indian subsidiary of a multinational logistics company, suggesting an expansion of the pre-positioning scope beyond power grid assets alone.

Tactics, Techniques & Procedures

Documented TTPs based on Recorded Future's Insikt Group reporting and related public disclosures from the 2020–2022 campaign window.

mitre id | technique | description
T1071.001 | Web Protocols for C2 | ShadowPad infections communicated with AXIOMATICASYMPTOTE C2 servers over standard HTTP/S. Servers are fingerprinted by distinct HTTP header response characteristics. C2 traffic blended with regular web traffic to avoid network-layer detection.
T1090.003 | Multi-hop Proxy | TAG-38 (closely related successor cluster) used hijacked internet-facing DVR and IP camera devices as intermediate proxy nodes for ShadowPad C2 communications. FastReverseProxy (FRP) was also deployed to tunnel traffic through legitimate-appearing infrastructure.
T1505 | Server Software Component | ShadowPad operates as a modular backdoor with a plugin architecture, enabling the operator to extend functionality post-compromise. The modular design allows capability customization for specific operational requirements inside victim environments.
T1583.001 | Domain Acquisition | RedEcho registered and maintained web domains to serve as ShadowPad C2 infrastructure. Following public disclosure in February 2021, the group parked these domains, moving to alternative infrastructure rather than abandoning operations entirely.
T1078 | Valid Accounts | The operational dwell time within victim networks (sustained high-volume traffic observed over months) is consistent with the use of legitimate credentials or persistent implants that do not require repeated exploitation to maintain access.
T1560 | Archive Collected Data | Recorded Future detected at least 1.29 MB of data transferred from a victim IP address to RedEcho infrastructure on December 30, 2020, consistent with staged data collection or configuration exfiltration from the compromised network.
T1588.001 | Malware (Shared Tool) | ShadowPad is a privately shared modular backdoor distributed among at least five distinct Chinese state-sponsored groups affiliated with both the MSS and PLA. RedEcho's use of ShadowPad via AXIOMATICASYMPTOTE infrastructure is what linked the activity cluster to Chinese state actors.
T1566 | Phishing (Initial Access) | PlugX malware C2 provisioning was observed increasing in the lead-up to the May 2020 border skirmishes, with subsequent PlugX activity targeting Indian government, public sector, and defense organizations providing a likely initial access vector that preceded the ShadowPad-focused power grid campaign.

Known Campaigns

Confirmed activity clusters attributed to RedEcho and its closely related successor designations.

Indian Power Grid Pre-Positioning Campaign (2020–2021)

The foundational RedEcho campaign, active from at least early 2020 and accelerating significantly from mid-2020 onward, coinciding with the India-China border crisis. Insikt Group identified 12 victim organizations: 10 in India's power sector (including 4 of 5 RLDCs, 2 SLDCs, POSOCO, a thermal power plant, and a high-voltage substation) and 2 maritime ports (Mumbai Port Trust and V.O. Chidambaranar Port). All 12 are classified as critical infrastructure under NCIIPC. Intrusions used ShadowPad delivered through AXIOMATICASYMPTOTE C2 infrastructure. Recorded Future notified Indian government authorities on February 10, 2021, prior to public disclosure on February 28. Within two weeks of publication, RedEcho moved its C2 domain infrastructure, indicating active monitoring of external reporting on its operations. Last observed victim-to-RedEcho communication was recorded on March 11, 2021.

TAG-38 Follow-on Campaign: SLDCs, Emergency Response, Logistics (2021–2022)

Following a brief lull after the original RedEcho disclosure, Recorded Future's Insikt Group identified renewed intrusion activity against Indian power grid organizations by a cluster designated TAG-38, tracked separately due to notable distinctions from the original RedEcho cluster despite shared targeting patterns and capabilities. From at least September 2021 through late March 2022, TAG-38 targeted at least 7 Indian SLDCs — all located in North India in proximity to the disputed Ladakh border — using ShadowPad for C2 and FastReverseProxy (FRP) for tunneling. C2 was routed through compromised internet-facing DVR and IP camera devices. TAG-38 also compromised a national emergency response system and the Indian subsidiary of a multinational logistics company. One SLDC in this campaign had also been targeted in the original RedEcho activity, demonstrating continuity of interest in specific operational nodes. Recorded Future again notified Indian authorities prior to publication.

PlugX Pre-Campaign Activity (2020)

In the lead-up to the May 2020 Galwan Valley border skirmishes, Recorded Future observed a noticeable increase in provisioning of PlugX malware C2 infrastructure, much of which was subsequently used in intrusion activity targeting Indian organizations. This PlugX activity targeted multiple Indian government, public sector, and defense organizations from at least May 2020, and is assessed as likely providing initial access that enabled the subsequent ShadowPad-based power grid campaign. The PlugX infrastructure shares overlaps with APT41/Barium-linked activity previously documented by Microsoft.

Tools & Malware

Tools confirmed or assessed to be used by RedEcho and closely associated activity clusters, based on Insikt Group and third-party reporting.

  • ShadowPad: A privately distributed modular backdoor considered the successor to PlugX. ShadowPad uses an encrypted plugin architecture enabling operators to customize its capabilities post-deployment. It has been in use since 2017 and is shared among at least five distinct Chinese state-sponsored groups affiliated with the MSS and PLA, making it a reliable indicator of Chinese state-linked activity without implying a specific group. RedEcho deployed ShadowPad via AXIOMATICASYMPTOTE C2 infrastructure against all confirmed power sector victims.
  • PlugX (Korplug): A long-used modular RAT widely attributed to multiple Chinese state-sponsored actors. Recorded Future observed increased PlugX C2 provisioning preceding the main ShadowPad campaign, with PlugX-based intrusions targeting Indian government, defense, and public sector entities from May 2020 onward as part of the broader campaign escalation.
  • FastReverseProxy (FRP): An open-source tool used by TAG-38 to tunnel C2 traffic through compromised DVR and IP camera devices. FRP facilitates proxy chaining to obscure the origin of C2 communications and to route traffic through devices that appear legitimate on network monitoring tools.
  • AXIOMATICASYMPTOTE Infrastructure: Recorded Future's designation for the family of ShadowPad C2 servers used across multiple Chinese state-sponsored groups. Servers are fingerprinted by unique HTTP header response characteristics. The detection of AXIOMATICASYMPTOTE servers communicating with Indian power sector IPs was the primary technical signal enabling identification of the RedEcho campaign.

Indicators of Compromise

Publicly disclosed IOCs from Insikt Group reporting. These indicators date from the 2020–2022 campaign windows and should be treated as potentially stale: RedEcho rotated its infrastructure in March 2021, within two weeks of public disclosure.

warning

RedEcho moved its C2 domain infrastructure within two weeks of the February 2021 disclosure, indicating active operational security awareness. IOCs from the original campaign are highly likely to be decommissioned or reassigned. For current indicators, refer to Recorded Future's live platform and NCIIPC advisories. Cross-reference any IOCs with active threat feeds before operational use.

indicators of compromise — 2020–2021 public disclosures
ip (c2 / last observed): 210.92.18[.]132
infrastructure cluster: AXIOMATICASYMPTOTE, ShadowPad C2 server family (HTTP header fingerprint)
malware family: ShadowPad (modular backdoor, MSS/PLA-linked)
malware family: PlugX / Korplug (pre-campaign initial access)
tool (tag-38 c2 pivot): FastReverseProxy (FRP), open-source tunneling tool
c2 device type (tag-38): Compromised internet-facing DVR and IP camera devices used as proxy nodes
data transfer event: 2020-12-30, 1.29 MB exfiltrated from victim IP to RedEcho infrastructure
victim org (posoco): Power System Operation Corporation Limited, national grid operations coordinator
victim org (rldc): Western, Southern, Northeastern, and Eastern Regional Load Despatch Centres
victim org (port): Mumbai Port Trust; V.O. Chidambaranar Port, Tamil Nadu

Mitigation & Defense

Recommended defensive measures for operators of critical power infrastructure and related national systems, informed by RedEcho's documented tradecraft.

  • Network Traffic Baselining for Operational Technology Environments: RedEcho was detected through sustained anomalous outbound traffic from power sector assets to external infrastructure. Implement network traffic baselining on all OT and ICS networks. Any sustained high-volume communication from grid control systems to external internet addresses should trigger immediate investigation.
  • ShadowPad Detection Signatures: Deploy detection rules for ShadowPad's known behavioral characteristics including its plugin loading mechanism, encrypted C2 communication patterns, and mutex strings. ShadowPad is shared across multiple Chinese state-sponsored groups — its presence in any critical infrastructure network warrants immediate escalation regardless of specific group attribution.
  • DVR and IP Camera Hardening: TAG-38 routed C2 through compromised internet-facing DVR and IP camera devices. Audit all internet-exposed IoT and CCTV infrastructure connected to or adjacent to critical systems. Apply firmware updates, change default credentials, and where possible restrict external connectivity for surveillance devices.
  • FastReverseProxy Detection: FRP leaves identifiable network signatures. Monitor for FRP usage patterns in network telemetry, particularly on networks hosting critical infrastructure. FRP is a legitimate tool with known legitimate uses, but its presence in power sector environments warrants investigation.
  • AXIOMATICASYMPTOTE IP Block Lists: Consult Recorded Future's published IOC lists and current threat intelligence feeds for active AXIOMATICASYMPTOTE server IP ranges. Block outbound connections to known ShadowPad C2 server families at perimeter firewalls, particularly on networks hosting load despatch and generation control systems.
  • Air-Gap Review for Critical Grid Control Systems: RLDCs and SLDCs control real-time national grid operations. Organizations should review whether these systems have necessary internet connectivity or whether that connectivity can be reduced or isolated without compromising operational requirements.
  • Geopolitical Threat Elevation Protocols: RedEcho activity surged in direct correlation with the India-China border crisis in 2020. Critical infrastructure operators should maintain elevated threat monitoring protocols during periods of heightened India-China geopolitical tension, implementing additional controls and review cycles when bilateral relations deteriorate.
  • Incident Response Coordination with NCIIPC and CERT-In: Recorded Future engaged with Indian government authorities prior to publication. NCIIPC and CERT-In are the designated national bodies for critical information infrastructure protection and incident response respectively. Ensure reporting channels to both bodies are current and exercised.
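The egress-baselining measure above, as an added example that is not part of the Recorded Future reporting or of this profile: a small Python check over constructed flow records that flags OT hosts holding sustained, high-volume conversations with external addresses that are not on an allowlist. The OT address space, the allowlist, the sample flows and the thresholds are all assumptions.

```python
"""Flag sustained, high-volume egress from OT hosts to unexpected external
addresses, the pattern that exposed RedEcho's C2 traffic (added example)."""
from collections import defaultdict
from datetime import datetime
from ipaddress import ip_address, ip_network

# Hypothetical grid-control address space and RFC 1918 internal ranges (constructed).
OT_NETWORKS = [ip_network("10.50.0.0/16")]
INTERNAL_NETWORKS = [ip_network("10.0.0.0/8"), ip_network("172.16.0.0/12"),
                     ip_network("192.168.0.0/16")]
# External peers that OT hosts are expected to reach, e.g. a vendor update server (constructed).
ALLOWLISTED_EXTERNAL = {"203.0.113.10"}

# Constructed flow records: (timestamp, src_ip, dst_ip, bytes_out). TEST-NET addresses
# stand in for internet hosts; the volumes mimic a multi-day transfer, not real traffic.
SAMPLE_FLOWS = [
    ("2020-12-28T02:00:00", "10.50.1.20", "203.0.113.10", 40_000),   # allowlisted peer
    ("2020-12-28T02:05:00", "10.50.1.20", "198.51.100.7", 300_000),  # day 1 to unknown host
    ("2020-12-29T02:05:00", "10.50.1.20", "198.51.100.7", 320_000),  # day 2, same host
    ("2020-12-30T02:05:00", "10.50.1.20", "198.51.100.7", 700_000),  # day 3, larger transfer
    ("2020-12-30T09:00:00", "10.50.1.31", "198.51.100.9", 5_000),    # one-off, low volume
    ("2020-12-30T10:00:00", "10.50.1.31", "10.50.2.5", 900_000),     # internal, ignored
]


def is_ot_host(ip: str) -> bool:
    """True if the address sits inside the monitored OT/ICS ranges."""
    addr = ip_address(ip)
    return any(addr in net for net in OT_NETWORKS)


def is_external(ip: str) -> bool:
    """True if the address is outside every internal range (we avoid is_private,
    which treats the TEST-NET sample addresses as non-routable)."""
    addr = ip_address(ip)
    return not any(addr in net for net in INTERNAL_NETWORKS)


def baseline_egress(flows, min_bytes=1_000_000, min_days=2):
    """Aggregate OT-to-external flows per (src, dst) and return the pairs that are
    both sustained (seen on >= min_days distinct days) and high-volume (>= min_bytes).
    Thresholds are assumptions; tune them against the site's own baseline."""
    totals = defaultdict(int)
    active_days = defaultdict(set)
    for ts, src, dst, nbytes in flows:
        if not is_ot_host(src) or not is_external(dst) or dst in ALLOWLISTED_EXTERNAL:
            continue
        totals[(src, dst)] += nbytes
        active_days[(src, dst)].add(datetime.fromisoformat(ts).date())
    alerts = [
        {"src": src, "dst": dst, "bytes": total, "active_days": len(active_days[(src, dst)])}
        for (src, dst), total in totals.items()
        if total >= min_bytes and len(active_days[(src, dst)]) >= min_days
    ]
    return sorted(alerts, key=lambda a: -a["bytes"])


if __name__ == "__main__":
    for alert in baseline_egress(SAMPLE_FLOWS):
        print(alert)
```

In production the flow source would be NetFlow/IPFIX or firewall logs from the OT boundary; the allowlist and thresholds should come from a measured baseline rather than the constructed values here.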
analyst note

RedEcho's relationship to the October 12, 2020 Mumbai power outage — which halted trains, disrupted hospital operations, and shut the Bombay Stock Exchange for nearly two hours — remains unresolved. Maharashtra Energy Minister Nitin Raut confirmed the outage was a cyberattack and described it as "sabotage," while India's national Power Minister R.K. Singh later attributed it to "human error." Recorded Future explicitly stated it could not link the Mumbai outage to RedEcho based on available evidence. Regardless of whether that specific event was RedEcho-related, Insikt Group analysts noted that the group's persistent access inside dispatch center networks created the technical conditions under which such disruption would have been possible. India's government has acknowledged that Chinese entities made multiple probing attempts against power grid assets in Ladakh between 2021 and 2022, all reportedly unsuccessful due to defensive measures.

Sources & Further Reading

Attribution and references used to build this profile.

— end of profile