Security researchers have revealed a new cyber-espionage campaign in which a threat group compromised multiple computers used to run a national power grid in an unnamed Asian country.
The threat group identified by Symantec as “Redfly” is not attributed to any nation, but two related groups – Blackfly and Greyfly – have been linked closely with China in previous reports.
Redfly used a bespoke version of popular modular remote access Trojan (RAT) ShadowPad, another favorite of Chinese APT groups. The RAT copied itself to disk in several locations, masquerading as VMware files and directories to stay hidden, Symantec said.
Another tool, Packloader, was used to load and execute shellcode, and a keylogger was installed under various names including winlogon.exe and hphelper.exe.
Read more on CNI attacks: NCSC Warns of Destructive Russian Attacks on Critical Infrastructure
The first ShadowPad intrusion was discovered on February 28, with the RAT executed again on May 17.
“On May 31, a scheduled task is used to execute oleview.exe, mostly likely to perform side-loading and lateral movement. Use of Oleview by ShadowPad has been previously documented by Dell Secureworks and was also reported to have been used in attacks against industrial control systems,” Symantec continued.
“The command specified that Oleview was to be executed on a remote machine using the task name (TendView) at 07:30 a.m. It appears the attackers likely used stolen credentials in order to spread their malware onto other machines within the network.”
Although the threat group doesn’t appear to have engaged in active destruction or disruption of the target’s operations, its ability to compromise such a key piece of critical infrastructure (CNI) will alarm some.
It’s illustrative of the growing threat to CNI from state actors. The Five Eyes nations issued a joint alert back in May about Beijing-backed threat actors dubbed “Volt Typhoon” targeting CNI networks in the US.
“Threat actors maintaining a long-term, persistent presence on a national grid presents a clear risk of attacks designed disrupt power supplies and other vital services in other states during times of increased political tension,” Symantec concluded.
“While Symantec has not seen any disruptive activity by Redfly, the fact that such attacks have occurred in other regions means they are not outside the bounds of possibility.”