Security researchers have identified an espionage campaign against critical energy infrastructure in an unnamed Asian country.
Dubbed Redfly by Symantec’s threat intelligence team, the threat actor uses a number of techniques that link it to the Chinese state-sponsored group APT41 – also known as Red Echo, Brass Typhoon, Wicked Panda, and Winnti.
The intrusion was first observed on 28 February 2023, and activity on the grid network continued into August.
The hackers used ShadowPad, a widely circulated remote access Trojan (RAT) that was initially sold for a short time to a small group of legitimate buyers but has since been traded on various hacking forums. In this instance it was a variant of the original that used the domain websencl[.]com for its command-and-control (C2) infrastructure.
ShadowPad copies itself into two locations on the machine’s drive under names that resemble legitimate VMware components, which disguises it from casual inspection. It also registers a Windows service that runs at boot, so the implant survives reboots.
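As an added example (not from the article or from Symantec’s report), the following PowerShell hunt enumerates auto-start services whose executable borrows a VMware-looking name and flags any that sit outside the vendor’s usual install directories or lack a valid VMware-signed Authenticode signature. The directory list and the `vmware|vmtools` name pattern are assumptions; the page does not give the exact file names or paths the implant used.

```powershell
# Added hunt script (not the report's or the article's code).
# Flags auto-start services masquerading as VMware components.
# Assumption: legitimate VMware binaries live under these roots.
$vmwareRoots = @(
    "$env:ProgramFiles\VMware",
    "${env:ProgramFiles(x86)}\VMware",
    "$env:ProgramFiles\Common Files\VMware"
)

Get-CimInstance Win32_Service |
    Where-Object { $_.StartMode -eq 'Auto' } |
    ForEach-Object {
        $svc = $_
        # PathName may be quoted and may carry arguments; isolate the executable.
        $exe = if ($svc.PathName -match '^"([^"]+)"') { $matches[1] }
               else { ($svc.PathName -split ' ')[0] }

        # Assumed name pattern for VMware look-alikes.
        if ($exe -notmatch 'vmware|vmtools') { return }

        $inVendorDir = $false
        foreach ($root in $vmwareRoots) {
            if ($exe -like "$root*") { $inVendorDir = $true }
        }

        $sig = if (Test-Path -LiteralPath $exe) {
            Get-AuthenticodeSignature -FilePath $exe
        } else { $null }
        $sigStatus = if ($sig) { $sig.Status } else { 'FileMissing' }
        $signer    = if ($sig -and $sig.SignerCertificate) {
            $sig.SignerCertificate.Subject
        } else { '<none>' }

        # Any one of these is enough to warrant a closer look.
        $suspicious = (-not $inVendorDir) -or
                      ($sigStatus -ne 'Valid') -or
                      ($signer -notmatch 'VMware')

        [pscustomobject]@{
            Service     = $svc.Name
            Path        = $exe
            InVendorDir = $inVendorDir
            SigStatus   = $sigStatus
            Signer      = $signer
            Suspicious  = $suspicious
        }
    } |
    Where-Object Suspicious |
    Format-Table -AutoSize
```

Run it in an elevated session on each host you want to check; a legitimate VMware Tools install yields no rows, while a service pointing at an unsigned or missing binary under a VMware-style path in an unexpected directory is exactly the pattern described above and should be pulled for analysis rather than simply deleted.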
Redfly remained quiet on the network until May, when a second tool capable of executing shellcode was run. Within days, more activity was noted, and the hackers began to gather data.
Later in the same month, the threat actor achieved lateral movement in the network, and a keylogger was installed.
The last observed activity was on 3 August, when Redfly attempted to dump credentials from the compromised machine.
According to Symantec, while attacks against critical infrastructure are nothing new, the current frequency is a “source of concern”.
“Threat actors maintaining a long-term, persistent presence on a national grid presents a clear risk of attacks designed to disrupt power supplies and other vital services in nation-states during times of increased political tension,” Symantec said in a blog post.
“While Symantec has not seen any disruptive activity by Redfly, the fact that such attacks have occurred in other regions means they are not outside the bounds of possibility.”
APT41, the group Redfly appears to be linked to, is not unknown to US law enforcement. In September 2020, the US government charged seven men over the group’s hacking activities and arrested two who were operating out of Malaysia.
The other five remain at large in China.
David Hollingworth has been writing about technology for over 20 years, and has worked for a range of print and online titles in his career. He is enjoying getting to grips with cyber security, especially when it lets him talk about Lego.