Power grid of Asian nation shows signs of intrusion by espionage group
Hackers attacked the national power grid of an unspecified Asian country earlier this year using malware typically deployed by personnel connected to China’s government, researchers said Tuesday.
Cybersecurity company Symantec declined to attribute the incident to China but pointed to a group it tracks as RedFly. The group compromised the network for as long as six months, stealing credentials and targeting multiple computers, the researchers said.
The malware, known as ShadowPad, also has been linked to hacking group APT41, which researchers have connected to China's Ministry of State Security and the People's Liberation Army. ShadowPad first emerged in 2017, and in recent years several China-linked groups have used it for cyber-espionage purposes.
The first evidence of the attack appeared on February 28, when the hackers used ShadowPad on a single computer, Symantec said. The researchers said the malware appeared in the network again on May 17 — evidence that the hackers had maintained access to the system for more than three months.
Over the next week, the hackers took several steps to expand their access to storage devices, gather system credentials and cover their tracks. The group used a legitimate Windows application – oleview.exe – to gain a better understanding of the victim’s network and move laterally.
“Use of Oleview by ShadowPad has been previously documented by Dell Secureworks and was also reported to have been used in attacks against industrial control systems. The command specified that Oleview was to be executed on a remote machine using the task name at 07:30 a.m. It appears the attackers likely used stolen credentials in order to spread their malware onto other machines within the network,” the researchers said.
“Malicious activity appeared to cease until July 27, when a keylogger was installed on a machine. The final evidence of malicious activity came on August 3, when the attackers returned and attempted to dump credentials again using a renamed version of ProcDump.”
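The two tradecraft details above, a legitimate oleview.exe scheduled to run on a remote machine and credential dumping with a renamed ProcDump, are both visible in ordinary process-creation telemetry. The following Python script is an added defensive example, not code from the article or from Symantec's report: it runs two simple detection rules over constructed sample events in a simplified Sysmon Event ID 1 style. The field names (host, image, cmdline, original_filename, parent) are assumptions to be mapped onto your own EDR or Sysmon schema, and the renamed-binary rule assumes that ProcDump's embedded PE OriginalFileName contains the string "procdump".

```python
"""Detect two post-compromise behaviours described in the article from
process-creation telemetry:
  1. a scheduled task (schtasks.exe or at.exe) that runs oleview.exe on a remote host;
  2. ProcDump executed under a file name that does not match its embedded OriginalFileName.

Added example. Event schema and all sample events are constructed; the field
names are assumptions to be mapped onto your own Sysmon/EDR data.
"""
import ntpath
import re
from typing import Callable, Dict, Iterable, List, Tuple

Event = Dict[str, str]
Alert = Tuple[str, str, str]  # (host, rule name, command line)

# Constructed sample events (simplified Sysmon Event ID 1 fields).
SAMPLE_EVENTS: List[Event] = [
    {"host": "ws-01", "image": r"C:\Windows\System32\schtasks.exe",
     "cmdline": r'schtasks /create /s FILESRV-02 /tn "maintenance" /tr "C:\Windows\System32\oleview.exe" /sc once /st 07:30',
     "original_filename": "schtasks.exe", "parent": r"C:\Windows\System32\cmd.exe"},
    {"host": "ws-01", "image": r"C:\Windows\System32\notepad.exe",
     "cmdline": "notepad.exe", "original_filename": "NOTEPAD.EXE", "parent": r"C:\Windows\explorer.exe"},
    {"host": "ws-03", "image": r"C:\Users\Public\svchost64.exe",          # ProcDump copied under another name
     "cmdline": r"svchost64.exe -accepteula -ma 712 C:\Users\Public\out.dmp",
     "original_filename": "procdump", "parent": r"C:\Windows\System32\cmd.exe"},
    {"host": "ws-04", "image": r"C:\Tools\procdump.exe",                   # legitimate, un-renamed use
     "cmdline": "procdump.exe -ma 4412 app.dmp", "original_filename": "procdump",
     "parent": r"C:\Windows\System32\cmd.exe"},
    {"host": "ws-05", "image": r"C:\Windows\System32\at.exe",             # classic at.exe remote scheduling
     "cmdline": r"at \\FILESRV-02 07:30 oleview.exe", "original_filename": "at.exe",
     "parent": r"C:\Windows\System32\cmd.exe"},
    {"host": "ws-06", "image": r"C:\Windows\System32\schtasks.exe",       # local task, no remote host: not flagged
     "cmdline": "schtasks /create /tn backup /tr oleview.exe /sc daily", "original_filename": "schtasks.exe",
     "parent": r"C:\Windows\System32\cmd.exe"},
]

_REMOTE_SCHTASKS = re.compile(r"(?:^|\s)/s\s+\S+", re.IGNORECASE)  # schtasks ... /s <host>
_REMOTE_AT = re.compile(r"(?:^|\s)\\\\\S+")                       # at \\<host> ...


def _basename(path: str) -> str:
    """Lower-cased file name of a Windows path."""
    return ntpath.basename(path).lower()


def remote_oleview_task(ev: Event) -> bool:
    """Task scheduler invoked to run oleview.exe on a remote machine."""
    image = _basename(ev.get("image", ""))
    cmd = ev.get("cmdline", "")
    if image not in {"schtasks.exe", "at.exe"} or "oleview" not in cmd.lower():
        return False
    return bool(_REMOTE_SCHTASKS.search(cmd) or _REMOTE_AT.search(cmd))


def renamed_procdump(ev: Event) -> bool:
    """Binary whose embedded OriginalFileName says ProcDump but whose on-disk name does not."""
    original = ev.get("original_filename", "").lower()
    image = _basename(ev.get("image", ""))
    return "procdump" in original and not image.startswith("procdump")


RULES: List[Tuple[str, Callable[[Event], bool]]] = [
    ("remote_oleview_task", remote_oleview_task),
    ("renamed_procdump", renamed_procdump),
]


def detect(events: Iterable[Event]) -> List[Alert]:
    """Run every rule over every event and return the alerts in input order."""
    alerts: List[Alert] = []
    for ev in events:
        for name, rule in RULES:
            if rule(ev):
                alerts.append((ev["host"], name, ev["cmdline"]))
    return alerts


if __name__ == "__main__":
    for host, rule, cmd in detect(SAMPLE_EVENTS):
        print(f"[{rule}] {host}: {cmd}")
```

Run against the constructed events, the script raises three alerts: the remote schtasks creation on ws-01, the renamed ProcDump on ws-03, and the at.exe remote job on ws-05; the local oleview task and the un-renamed ProcDump are left alone. The OriginalFileName comparison is the useful part of the second rule, since an adversary who renames a tool cannot change the version resource without re-signing the binary.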
Eyes on CNI
Dick O’Brien, principal intelligence analyst with the Symantec Threat Hunter team, told Recorded Future News that what was most alarming is the increasing willingness of hackers to target critical national infrastructure (CNI) with malware.
Symantec noted that in May, the governments of the U.S., U.K., Australia, Canada and New Zealand warned of attacks targeting CNI following a report from Microsoft about the activities of Volt Typhoon, a China-based hacking group that compromised critical infrastructure organizations in the U.S.
Over the last decade, Symantec has also tracked attacks on CNI by Russian actors, who targeted systems in the U.S., Europe and most recently in Ukraine.
“Attacks against CNI targets are always a source of concern because of the serious disruption they could cause if the attackers use their access to perform acts of sabotage. But what makes this particularly noteworthy is the context,” he said.
“This isn't an isolated attack and seems to be part of a general trend towards targeting CNI.”
The experts warned that the frequency of attacks on CNI organizations has increased over the past year and is “now a source of concern.” Hackers that are “maintaining a long-term, persistent presence on a national grid present a clear risk of attacks designed to disrupt power supplies and other vital services in other states during times of increased political tension.”
Symantec said it has not seen disruptive offensive actions taken by RedFly but noted that the fact that “such attacks have occurred in other regions means they are not outside the bounds of possibility.”
The use of ShadowPad has been seen in cyberattacks targeting seven facilities managing the electricity grid in Northern India as well as Pakistani government agencies, a state bank and a telecommunications provider. Critical industries in Afghanistan and Malaysia; Kazakhstan, Kyrgyzstan, Tajikistan and Uzbekistan; and countries across Europe have also been targeted with the ShadowPad malware and other malicious tools.
The malware was designed as a successor to Korplug/PlugX — a popular strain still used by some Chinese espionage groups. It was sold briefly on underground forums, making it difficult for researchers to attribute all of its use directly to China-based actors.
Jonathan Greig is a Breaking News Reporter at Recorded Future News. Jonathan has worked across the globe as a journalist since 2014. Before moving back to New York City, he worked for news outlets in South Africa, Jordan and Cambodia. He previously covered cybersecurity at ZDNet and TechRepublic.