MITRE ATT&CK® Campaign

C0043: Indian Critical Infrastructure Intrusions

Indian Critical Infrastructure Intrusions is a sequence of intrusions from 2021 through early 2022 linked to People’s Republic of China (PRC) threat actors, particularly RedEcho and Threat Activity Group 38 (TAG38). The intrusions appear focused on IT system breach in Indian electric utility entities and logistics firms, as well as potentially managed service providers operating within India. Although focused on OT-operating entities, there is no evidence this campaign was able to progress beyond IT breach and information gathering to OT environment access.[1][2]

Enterprise | C0043 | Campaign | Object v1.0 | Modified
Glexia's Take

Analyst context for executives and security teams

Analyst confidence: Medium

This campaign matters because it shows how intrusions against organizations that operate critical infrastructure can create serious business and national-resilience concerns even when ATT&CK notes no evidence of progression into OT access. For executives, the practical issue is whether IT compromise, information gathering, and command-and-control activity could expose utility, logistics, or managed-service-provider environments to operational risk, regulatory scrutiny, and difficult incident decisions.

Executive priority

Prioritize this as a readiness and evidence question: can the organization prove separation and monitoring between IT, perimeter/network devices, managed service access, and any OT-adjacent operations? The supplied ATT&CK context highlights Indian electric utility entities, logistics firms, and potentially managed service providers, so leaders should validate incident response playbooks, third-party access governance, and network boundary controls before an intrusion forces urgent decisions about containment and continuity.

Technical view

SOC, detection engineering, and IR teams should treat the campaign relationships as validation inputs rather than as guaranteed coverage. ATT&CK links the campaign to ShadowPad and FRP and to command-and-control/resource-development behaviors including web protocols, dynamic resolution, non-standard ports, asymmetric cryptography, domains, compromised infrastructure, digital certificates, and network boundary bridging. Validate visibility across egress traffic, DNS/domain resolution, TLS certificate metadata, proxy or tunnel-like behavior, unusual port/protocol pairings, and network-device or segmentation-control changes. Because the campaign object has no official detection text and no campaign-level platforms, local telemetry and architecture determine what can actually be detected.

Likely telemetry

  • Network egress logs, proxy logs, firewall logs, and NetFlow-style records for command-and-control patterns
  • DNS query and domain-resolution telemetry for dynamic or suspicious infrastructure use
  • TLS/SSL certificate metadata and encrypted-session characteristics
  • Endpoint telemetry on Windows, Linux, macOS, ESXi, and network devices where relevant to the related techniques and software
  • Network device configuration, routing, firewall, and segmentation-change logs

Detection direction

  • Confirm whether monitoring can identify web-protocol command-and-control without relying only on destination reputation.
  • Tune analytics for protocol and port mismatches, especially where HTTP/S-like traffic appears on non-standard ports.
  • Review DNS and domain telemetry for dynamic resolution patterns and recently observed infrastructure changes, while accounting for legitimate cloud and CDN behavior.
  • Hunt for FRP-like reverse proxy or tunneling behavior using network flow, process, and service telemetry where available.
  • Review detections for ShadowPad-related activity only where supporting endpoint and network evidence exists; do not assume platform coverage from the campaign object alone.
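Worked detection pass, added here as an example and not part of the ATT&CK object or Glexia's analysis: it scores constructed flow/proxy records for two traits the relationship notes describe, HTTP or TLS on a port other than the expected one (T1571, T1071.001, e.g. TCP 8080) and dynamic-DNS hostnames (T1568), and groups findings per internal source. The key=value field names, the port policy and the dynamic-DNS suffix list are assumptions.

```python
import re
from collections import defaultdict

# Assumed watchlist of dynamic-DNS suffixes (placeholder .test names; use a curated list).
DYNAMIC_DNS_SUFFIXES = ("ddns.test", "dyn-host.test")
# Assumed port policy: ports each detected application protocol is expected on;
# HTTP on TCP 8080, as in the campaign notes, is a protocol/port mismatch.
EXPECTED_PORTS = {"http": {80}, "tls": {443}}
FIELD_RE = re.compile(r"(\w+)=(\S+)")

def parse_record(line):
    """Parse one constructed key=value flow/proxy record into a dict."""
    rec = dict(FIELD_RE.findall(line))
    if "dport" in rec:
        rec["dport"] = int(rec["dport"])
    return rec

def is_dynamic_dns(host):
    """True if the host sits under one of the watched dynamic-DNS suffixes."""
    host = host.lower().rstrip(".")
    return any(host == s or host.endswith("." + s) for s in DYNAMIC_DNS_SUFFIXES)

def triage(rec):
    """Return ATT&CK-tagged findings for one record (empty list if clean)."""
    findings = []
    app, port = rec.get("app"), rec.get("dport")
    if app in EXPECTED_PORTS and port not in EXPECTED_PORTS[app]:
        findings.append(f"T1571/T1071.001 {app} on non-standard port {port}")
    host = rec.get("host") or rec.get("sni") or ""
    if host and is_dynamic_dns(host):
        findings.append(f"T1568 dynamic DNS host {host}")
    return findings

def triage_lines(lines):
    """Group findings by internal source so an analyst can pivot per host."""
    by_src = defaultdict(list)
    for line in lines:
        rec = parse_record(line)
        for finding in triage(rec):
            by_src[rec.get("src", "?")].append(finding)
    return dict(by_src)

# Constructed sample records (documentation-range addresses, .test hostnames).
SAMPLE_LINES = [
    "src=10.0.1.5 dst=203.0.113.10 dport=8080 app=http host=cdn-sync.ddns.test",
    "src=10.0.1.5 dst=203.0.113.11 dport=443 app=tls sni=login.corp-portal.test",
    "src=10.0.2.9 dst=198.51.100.7 dport=443 app=http host=198.51.100.7",
    "src=10.0.3.3 dst=203.0.113.12 dport=8443 app=tls sni=relay.dyn-host.test",
]
```

Calling `triage_lines(SAMPLE_LINES)` returns findings keyed by source: two for 10.0.1.5, one for 10.0.2.9, two for 10.0.3.3, and nothing for the clean TLS-on-443 record.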

Mitigation priorities

  • Strengthen segmentation and monitoring between enterprise IT, network boundary devices, third-party access paths, and OT-adjacent environments.
  • Restrict and review outbound connectivity, especially non-standard ports and unapproved proxy/tunnel tools.
  • Harden and monitor perimeter and internal network devices that enforce routing, firewalling, and segmentation policy.
  • Maintain asset and access inventories for utilities, logistics operations, and managed-service-provider connections where applicable.
  • Improve certificate, DNS, and domain governance so suspicious infrastructure use can be investigated quickly.

Analyst notes and limits

The ATT&CK object describes a 2021 through early 2022 sequence of intrusions linked to PRC threat actors, particularly RedEcho and TAG38, focused on IT system breach and information gathering against Indian electric utility entities, logistics firms, and potentially managed service providers. ATT&CK explicitly states there is no evidence the campaign progressed beyond IT breach and information gathering to OT environment access. The most useful defensive value is validating visibility and control over IT-to-boundary-to-OT-adjacent pathways rather than assuming operational technology compromise.

Official detection is not provided, campaign-level platforms and tactics are not specified, and the object does not establish current activity or local exposure. Related techniques and software provide defensive hunting context, but organizations need their own telemetry, asset inventory, and incident evidence to determine relevance and coverage.

Official MITRE ATT&CK definition

Indian Critical Infrastructure Intrusions

Indian Critical Infrastructure Intrusions is a sequence of intrusions from 2021 through early 2022 linked to People’s Republic of China (PRC) threat actors, particularly RedEcho and Threat Activity Group 38 (TAG38). The intrusions appear focused on IT system breach in Indian electric utility entities and logistics firms, as well as potentially managed service providers operating within India. Although focused on OT-operating entities, there is no evidence this campaign was able to progress beyond IT breach and information gathering to OT environment access.[1][2]

View the same entry on attack.mitre.org (MITRE-hosted reference; in-page links above use the Glexia ATT&CK library).

Glexia analysis

How security teams should use this page

Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.

ATT&CK relationship table

Techniques used

This mirrors the MITRE pattern of making group, software, campaign, and technique relationships scannable. Relationship notes come from mirrored ATT&CK relationship text when available.

Domain | ID | Name | Relationship / procedure

Enterprise | T1584 | Compromise Infrastructure
Indian Critical Infrastructure Intrusions included the use of compromised infrastructure, such as DVR and IP camera devices, for command and control purposes in ShadowPad activity. (Citation: RecordedFuture RedEcho 2022)

Enterprise | T1583.001 | Domains (Sub-technique)
During Indian Critical Infrastructure Intrusions, RedEcho registered domains spoofing Indian critical infrastructure entities. (Citation: RecordedFuture RedEcho 2021)

Enterprise | T1588.004 | Digital Certificates (Sub-technique)
Indian Critical Infrastructure Intrusions included the use of digital certificates spoofing Microsoft. (Citation: RecordedFuture RedEcho 2022)

Enterprise | T1071.001 | Web Protocols (Sub-technique)
During Indian Critical Infrastructure Intrusions, RedEcho network activity included SSL traffic over TCP 443 and HTTP traffic over non-standard ports. (Citation: RecordedFuture RedEcho 2021)

Enterprise | T1568 | Dynamic Resolution
During Indian Critical Infrastructure Intrusions, RedEcho used dynamic DNS domains associated with malicious infrastructure. (Citation: RecordedFuture RedEcho 2021)

Enterprise | T1599 | Network Boundary Bridging
Indian Critical Infrastructure Intrusions involved the use of FRP to bridge network boundaries and overcome NAT. (Citation: RecordedFuture RedEcho 2022) Indian Critical Infrastructure Intrusions also involved the use of VPN tunnels with a potentially compromised MSP entity allowing for direct access to critical infrastructure entity networks. (Citation: Dragos YIR 2021)

Enterprise | T1573.002 | Asymmetric Cryptography (Sub-technique)
During Indian Critical Infrastructure Intrusions, RedEcho used SSL for network communication. (Citation: RecordedFuture RedEcho 2021)

Enterprise | T1571 | Non-Standard Port
During Indian Critical Infrastructure Intrusions, RedEcho used non-standard ports such as TCP 8080 for HTTP communication. (Citation: RecordedFuture RedEcho 2021)

Associated objects

Groups, software, and campaigns

Tool Enterprise

S1144: FRP

FRP, which stands for Fast Reverse Proxy, is an openly available tool that is capable of exposing a server located behind a firewall or Network Address Translation (NAT) to the Internet. FRP can support multiple protocols including TCP, UDP, and HTTP(S) and has been abused by threat actors to proxy command and control communications.[1][2][3][4]

Platforms: Linux, macOS, Windows

Malware Enterprise

S0596: ShadowPad

ShadowPad is a modular backdoor that was first identified in a supply chain compromise of the NetSarang software in mid-July 2017. The malware was originally thought to be exclusively used by APT41, but has since been observed to be used by various Chinese threat activity groups. [1][2][3]

Platforms: Windows

Relationship explorer

All related ATT&CK context

Change history

Object version and sync metadata

The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE’s own release notes and roadmap, see ATT&CK resources — Updates.

ATT&CK release
19.1
Object version
1.0
Created
Modified
Raw hash
47d26069ee8b9a70...
Imported snapshots across ATT&CK releases (1)

Release | Bundle imported | Object version | Modified | Status | Raw hash
19.1 | 1.0 | Current bundle | 47d26069ee8b…

Raw source

Mirrored ATT&CK source object

The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.

Source references

External references and citations

MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.

  1. RecordedFuture RedEcho 2021: Recorded Future Insikt Group. (2021, February). China-Linked Group RedEcho Targets the Indian Power Sector Amid Heightened Border Tensions. Retrieved November 21, 2024.
  2. RecordedFuture RedEcho 2022: Recorded Future Insikt Group. (2022, April 6). Continued Targeting of Indian Power Grid Assets by Chinese State-Sponsored Activity Group. Retrieved November 21, 2024.
  3. mitre-attack C0043: MITRE ATT&CK campaign entry C0043.

Source and licensing

Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.