A threat actor tracked as Redfly has been linked to a six-month compromise of the national grid of an undisclosed Asian country earlier this year, carried out using the known malware ShadowPad.
“The attackers managed to steal credentials and compromise multiple computers on the organization’s network,” the Symantec Threat Hunter team, part of Broadcom, said in a report shared. “This attack is the latest in a series of espionage intrusions against [critical national infrastructure] targets.”
ShadowPad, also known as PoisonPlug, is the successor to the PlugX remote access trojan. It is a modular implant capable of dynamically loading additional plugins from remote servers as needed to collect sensitive data from breached networks.
It has been widely used by a growing list of China-nexus nation-state groups in attacks on organizations across various industry sectors since at least 2019.
“ShadowPad is decrypted in memory using a custom decryption algorithm,” Secureworks Counter Threat Unit (CTU) noted in February 2022. “ShadowPad extracts information about the host, executes commands, interacts with the file system and registry, and deploys new modules to extend functionality.”
The earliest sign of an attack targeting the Asian entity is said to have been recorded on February 23, 2023, when ShadowPad was executed on a single computer, followed by running the backdoor three months later on May 17.
Also deployed around the same time was a tool called Packerloader, which is used to execute arbitrary shellcode. It was used to modify the permissions of a driver file named dump_diskfs.sys to grant access to all users, raising the possibility that the driver was used to create file system dumps for later exfiltration.
The threat actors were also observed running PowerShell commands to gather information about storage devices connected to the system, dumping credentials from the Windows registry, and clearing security event logs from the machine.
“On May 29, the attackers returned and used a modified version of procdump (filename: alg.exe) to dump credentials from LSASS,” Symantec said. “On May 31, a scheduled task was used to execute oleview.exe, most likely causing side-loading and lateral movement.”
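As an added illustration (not part of the Symantec report), the following Python checks constructed Sysmon and Windows Security records for three of the behaviours described above: a credential-dumping tool renamed on disk, oleview.exe launched from a scheduled task, and the Security log being cleared. The field names, the event layouts and the assumption that a renamed procdump still carries "procdump" as its PE OriginalFileName are assumptions, not values taken from the report.

```python
import ntpath

# Constructed sample records (not real telemetry) modelled on Sysmon Event ID 1
# (process creation), Security 4698 (scheduled task created) and Security 1102
# (audit log cleared). Field names follow the usual Sysmon/Security layouts.
SAMPLE_EVENTS = [
    {"id": 1, "Image": r"C:\Windows\Temp\alg.exe", "OriginalFileName": "procdump",
     "CommandLine": "alg.exe -accepteula -ma lsass.exe lsass.dmp"},
    {"id": 1, "Image": r"C:\Windows\System32\svchost.exe",
     "OriginalFileName": "svchost.exe", "CommandLine": "svchost.exe -k netsvcs"},
    {"id": 4698, "TaskName": r"\Updater", "Command": r"C:\Users\Public\oleview.exe"},
    {"id": 1102, "Channel": "Security"},
]

# PE OriginalFileName values of dumping tools an intruder may rename on disk.
# procdump is the tool named in the report; that Sysmon records this value is assumed.
DUMP_TOOL_NAMES = {"procdump"}


def _base(path: str) -> str:
    """Lower-cased file name component of a Windows path."""
    return ntpath.basename(path).lower()


def detect(events: list[dict]) -> list[str]:
    """Return one alert string per matching record, in input order."""
    alerts = []
    for ev in events:
        eid = ev.get("id")
        if eid == 1:
            image = _base(ev.get("Image", "")).removesuffix(".exe")
            orig = ev.get("OriginalFileName", "").lower().removesuffix(".exe")
            cmd = ev.get("CommandLine", "").lower()
            # Dumping tool whose on-disk name no longer matches its PE metadata
            if orig in DUMP_TOOL_NAMES and image != orig:
                target = "lsass" if "lsass" in cmd else "a process"
                alerts.append(f"renamed {orig} ({image}.exe) dumping {target}")
        elif eid == 4698:
            # oleview.exe started from a scheduled task: candidate DLL side-loading
            if _base(ev.get("Command", "")) == "oleview.exe":
                alerts.append(f"scheduled task {ev.get('TaskName')} runs oleview.exe")
        elif eid == 1102 and ev.get("Channel") == "Security":
            alerts.append("Security event log cleared")
    return alerts


if __name__ == "__main__":
    for line in detect(SAMPLE_EVENTS):
        print(line)
```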
It is suspected that Redfly used the stolen credentials to spread the infection to other machines within the network. After a gap of about two months, the adversary returned on July 27 to install a keylogger, and on August 3 once again obtained credentials from LSASS and the registry.
Symantec said the campaign overlaps in infrastructure and tooling with previously identified activity attributed to the Chinese state-sponsored group referred to as APT41 (aka Winnti), with Redfly almost exclusively focusing on critical infrastructure entities.
However, there is no evidence that the hacking organization has conducted any disruptive attacks to date.
“Threat actors maintaining a long-term, persistent presence on the national grid pose a clear risk of attacks designed to disrupt power supplies and other critical services in other states during times of heightened political tension,” the company said.
The development comes as Microsoft revealed that China-affiliated actors are homing in on AI-generated visual media for use in influence operations targeting the U.S., as well as “conducting intelligence collection and malware execution against regional governments and industries” in the South China Sea region since the start of the year.
“Raspberry Typhoon persistently targets government ministries, military entities, and corporate entities involved in critical infrastructure, especially telecommunications,” the tech giant said. “Since January 2023, Raspberry Typhoon has been particularly persistent.”
Other targets include the US defense industrial base (Circle Typhoon, Volt Typhoon and Mulberry Typhoon), US critical infrastructure, government entities in Europe and the US (Storm-0558), and Taiwan (Flax Typhoon and Charcoal Typhoon).