Threat group RedFly targets Asian nation’s power grid

Threat group RedFly, possibly linked to the Chinese government, attacked an Asian nation’s power grid. A recent surge in attacks on critical infrastructure has raised alarms in many countries.


In a recent cybersecurity report by Symantec, an undisclosed Asian nation’s power grid was revealed as the target of a cyberattack earlier this year. The attackers employed a malware strain commonly associated with entities linked to the Chinese government. Although Symantec stopped short of directly attributing the incident to China, it pointed to a notorious group known as RedFly. This group managed to infiltrate the power grid’s network for an extended period, lasting up to six months, during which it stole critical credentials and targeted multiple computer systems.

The malware used in the attack, known as ShadowPad, has previously been associated with another hacking group, APT41, which researchers have tied to China’s Ministry of State Security and the People’s Liberation Army. ShadowPad first surfaced in 2017, and it has become a favoured tool for various China-linked groups engaged in cyberespionage.

The attack started on 28 February when the hackers introduced ShadowPad into a single computer within the network. Remarkably, this malware resurfaced on 17 May, indicating that the intruders had maintained their access to the system for more than three months.

Over the subsequent week, the hackers diligently expanded their access to storage devices, gathered system credentials, and took measures to cover their tracks. Notably, they employed a legitimate Windows application, oleview.exe, to gain deeper insights into the victim’s network and move laterally within it.

While Symantec has not observed RedFly engaging in disruptive offensive actions, the possibility remains, given the history of such attacks in other regions. The ShadowPad malware has been employed in cyberattacks against various critical infrastructure entities, including electricity grid facilities in Northern India, Pakistani government agencies, a state bank, and a telecommunications provider.

ShadowPad was designed as a successor to Korplug/PlugX, another strain popular with certain Chinese espionage groups. Because ShadowPad briefly appeared on underground forums, attribution is complicated: researchers cannot attribute every instance of its use directly to China-based actors.

Why does it matter?

According to Dick O’Brien, principal intelligence analyst with the Symantec Threat Hunter team, one of the most concerning aspects of this cyber incident is the growing audacity of hackers to target critical national infrastructure (CNI) with malware. This alarming trend aligns with warnings issued by the governments of the USA, UK, Australia, Canada, and New Zealand in May, considering the potential for attackers to disrupt power supplies and essential services during periods of heightened political tension. The warnings followed a report from Microsoft highlighting the activities of Volt Typhoon, a China-based hacking group that had compromised critical infrastructure organisations in the USA.