RedFly Attacking Asian Grids

Hackers attacked the national power grid of an unspecified Asian country earlier this year using malware typically deployed by personnel connected to China’s government, researchers said last week.  Cybersecurity company Symantec declined to attribute the incident to China but pointed to a group it tracks as RedFly.  The group compromised the network for as long as six months, stealing credentials and targeting multiple computers, the researchers said.

The malware, known as ShadowPad, also has been linked to hacking group APT41, which researchers have connected to China's Ministry of State Security and the People's Liberation Army.  ShadowPad first emerged in 2017, and in recent years several China-linked groups have used it for cyber-espionage purposes.

The first evidence of the attack appeared on 28 February, when the hackers used ShadowPad on a single computer, Symantec said.  The researchers said the malware appeared in the network again on 17 May, evidence that the hackers had maintained access to the system for more than three months.[1]

Over the following week, the hackers took several steps to expand their access to storage devices, gather system credentials and cover their tracks.  The group used a legitimate Windows application – oleview.exe – to gain a better understanding of the victim’s network and move laterally.  “Use of Oleview by ShadowPad has been previously documented by Dell Secureworks and was also reported to have been used in attacks against industrial control systems.  The command specified that Oleview was to be executed on a remote machine using the task name at 7:30 AM.  It appears the attackers likely used stolen credentials to spread their malware onto other machines within the network,” the researchers said.  “Malicious activity appeared to cease until 27 July, when a keylogger was installed on a machine.  The final evidence of malicious activity came on 3 August, when the attackers returned and attempted to dump credentials again using a renamed version of ProcDump.”
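The two techniques quoted above, oleview.exe launched through a remotely created scheduled task and a renamed ProcDump used for credential dumping, can be picked up from process-creation telemetry. The following detection logic is an added example written for this article, not code from Symantec's or Red Sky Alliance's reporting; the event records are constructed, the field names follow Sysmon Event ID 1 (Image, OriginalFileName, CommandLine, ParentImage), and the assumption that ProcDump's PE version resource reports an original filename of "procdump" is one to confirm against your own copy of the tool.

```python
import re
from typing import Dict, Iterable, List, Optional, Tuple

# Constructed Sysmon-style process-creation records (Event ID 1 fields); not real telemetry.
SAMPLE_EVENTS: List[Dict[str, str]] = [
    {"Image": r"C:\Windows\System32\schtasks.exe",
     "OriginalFileName": "schtasks.exe",
     "CommandLine": r'schtasks /create /s FILESRV01 /tn "update" /tr "C:\Windows\System32\oleview.exe" /sc once /st 07:30',
     "ParentImage": r"C:\Windows\System32\cmd.exe"},
    {"Image": r"C:\Users\svc\AppData\Local\Temp\svchost.exe",   # ProcDump copied under a benign-looking name
     "OriginalFileName": "procdump",                            # assumed PE version-info value for ProcDump
     "CommandLine": r"svchost.exe -accepteula -ma 640 out.dmp",
     "ParentImage": r"C:\Windows\System32\cmd.exe"},
    {"Image": r"C:\Windows\System32\notepad.exe",
     "OriginalFileName": "NOTEPAD.EXE",
     "CommandLine": "notepad.exe",
     "ParentImage": r"C:\Windows\explorer.exe"},
]

def _stem(name: str) -> str:
    """Lower-case basename without extension, so 'procdump' matches 'ProcDump.exe'."""
    base = name.replace("\\", "/").rsplit("/", 1)[-1]
    return (base.rsplit(".", 1)[0] if "." in base else base).lower()

def detect_renamed_tool(event: Dict[str, str], watched=("procdump",)) -> Optional[str]:
    """Flag a process whose embedded original filename is a watched tool but whose on-disk name differs."""
    orig = _stem(event.get("OriginalFileName", ""))
    image = _stem(event.get("Image", ""))
    if orig in watched and orig != image:
        return f"renamed {orig} running as {image}"
    return None

_REMOTE_HOST = re.compile(r"\s/s\s+\S+", re.I)                 # schtasks /s <remote host>
_OLEVIEW_ACTION = re.compile(r"/tr\s+\"?[^\"]*oleview\.exe", re.I)  # task action runs oleview.exe

def detect_remote_oleview_task(event: Dict[str, str]) -> Optional[str]:
    """Flag schtasks creating a task on another host whose action is oleview.exe."""
    if _stem(event.get("Image", "")) != "schtasks":
        return None
    cmd = event.get("CommandLine", "")
    if "/create" in cmd.lower() and _REMOTE_HOST.search(cmd) and _OLEVIEW_ACTION.search(cmd):
        return "remote scheduled task launching oleview.exe"
    return None

def scan(events: Iterable[Dict[str, str]]) -> List[Tuple[int, str]]:
    """Run every rule over every event; return (event index, finding) pairs."""
    findings: List[Tuple[int, str]] = []
    for i, ev in enumerate(events):
        for rule in (detect_renamed_tool, detect_remote_oleview_task):
            hit = rule(ev)
            if hit:
                findings.append((i, hit))
    return findings
```

The rename check deliberately ignores the command line, so it still fires when the operator changes ProcDump's arguments; the scheduled-task check keys on the remote-host switch, since a local task running oleview.exe is far less unusual.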

Eyes on CNI:  the Symantec Threat Hunter team told Recorded Future News that what was most alarming is the increasing willingness of hackers to target critical national infrastructure (CNI) with malware.  Symantec noted that in May, the governments of the US, UK, Australia, Canada and New Zealand warned of attacks targeting CNI following a report from Microsoft about the activities of Volt Typhoon, a China-based hacking group that compromised critical infrastructure organizations in the US.  Over the last decade, Symantec has also tracked attacks on CNI by Russian actors, who targeted systems in the US, Europe and most recently in Ukraine.  "Attacks against CNI targets are always a source of concern because of the serious disruption they could cause if the attackers use their access to perform acts of sabotage.  But what makes this particularly noteworthy is the context,” it said.  “This isn't an isolated attack and seems to be part of a general trend towards targeting CNI."

The experts warned that the frequency of attacks on CNI organizations has increased over the past year and is “now a source of concern.”  Hackers that are “maintaining a long-term, persistent presence on a national grid present a clear risk of attacks designed to disrupt power supplies and other vital services in other states during times of increased political tension.”

Symantec said it has not seen disruptive offensive actions taken by RedFly but noted that “such attacks have occurred in other regions means they are not outside the bounds of possibility.”

The use of ShadowPad has been seen in cyberattacks targeting seven facilities managing the electricity grid in Northern India as well as Pakistani government agencies, a state bank and a telecommunications provider.  Critical industries in Afghanistan and Malaysia; Kazakhstan, Kyrgyzstan, Tajikistan and Uzbekistan; and countries across Europe have also been targeted with the ShadowPad malware and other malicious tools.

The malware was designed as a successor to Korplug/PlugX — a popular strain still used by some Chinese espionage groups.  It was sold briefly on underground forums, making it difficult for researchers to attribute all of its use directly to China-based actors.

Red Sky Alliance is a Cyber Threat Analysis and Intelligence Service organization.  For questions, comments, or assistance, please get in touch with the office directly at 1-844-492-7225, or feedback@redskyalliance.com

[1] https://therecord.media/power-grid-asian-nation-cyber-espionage-redfly-shadowpad