A national grid in an undisclosed Asian country was compromised for up to six months earlier this year, a study says. Evidence suggests a threat actor was using Chinese-linked malware called ShadowPad Trojan.
According to the report by cybersecurity firm Symantec, the threat group, which it dubbed Redfly, managed to steal credentials and compromise multiple computers in the targeted country’s power grid network.
The ShadowPad is an advanced modular remote access trojan (RAT) and has been deployed many times by Chinese threat groups since 2019. It was likely developed by threat actors affiliated with government-sponsored group Bronze Atlas, according to another cybersecurity firm Secureworks.
Symantec’s report warns that “espionage actors” are continuing to target critical national infrastructure (CNI), a trend that it says has become a “source of concern” for governments worldwide.
ShadowPad Trojan was sold on underground forums for a brief while, but reportedly only a handful of buyers secured it before it was apparently pulled. The malware has since been linked to espionage actors, says Symantec.
Symantec said it identified tools and infrastructure used in the recent campaign that had been used in previous attacks attributed to a cluster of “APT41 activity” – the analyst’s umbrella term for Brass Typhoon, Wicked Panda, Winnti, and Red Echo, which it describes as being distinct groups.
APT41 has been linked to intellectual property theft and financially motivated cybercrimes, while the US government has charged seven men over hundreds of assaults on organizations on its soil as well as in countries in Asia and Europe.
Specialist threat group
Symantec says Redfly appears to exclusively focus on targeting critical infrastructure.
“A distinct variant of the ShadowPad Trojan was used in this attack,” it added. “It utilized the domain websencl[.]com for command-and-control (C&C) purposes. It copied itself to disk, masquerading as VMware files and directories to mask its purpose.”
The threat actors mounted cyberattacks by creating a service with the name VMware Snapshot Provider Service, which boots with Windows.
The toolkit they use includes shellcode that allows them to deliver and execute arbitrary files or commands on an infected computer, and software that enables remote tracking of keystrokes, known as a keylogger.
The first recorded incident in the affected Asian country’s power network dates from February 28th, when ShadowPad was executed on a single computer.
A follow-up attack on May 17th suggests that the group had maintained a presence within the targeted system.
Malicious activities continued with breaks, with the final incident occurring on August 3rd, when the attackers returned and attempted to dump credentials.
It could get worse
While disruptive activity was not seen, more aggressive attacks are not beyond the realms of possibility, as they have occurred in other regions before: for instance, ShadowPad has been observed targeting facilities in India.
“The frequency with which critical national infrastructure organizations are being attacked appears to have increased over the past year and is now a source of concern,” said Symantec.
“Threat actors maintaining a long-term, persistent presence on a national grid present a clear risk of attacks designed to disrupt power supplies and other vital services in nation-states during times of increased political tension,” it added.
Global authorities have already highlighted a cluster of activity associated with a China-sponsored nation-state actor, known as Volt Typhoon. This campaign affected US critical infrastructure, with cybersecurity agencies asserting the group could apply the same techniques worldwide across a variety of sectors.
More from Cybernews:
Subscribe to our newsletter