Critical Infrastructure Security , Cyberwarfare / Nation-State Attacks , Fraud Management & Cybercrime

Chinese APT41 Implicated in Asian National Power Grid Hack

Symantec Finds APT41 Fingerprint in a ShadowPad Trojan Attack on Asian Power Grid
Chinese APT41 Implicated in Asian National Power Grid Hack
Cooling towers of Mejia Thermal Power Station in West Bengal, India (Image: Shutterstock)

Cybersecurity researchers at Symantec said hackers with possible ties to the Chinese government used the ShadowPad Trojan to target an Asian country's national power grid earlier this year.

See Also: OnDemand | Understanding Human Behavior: Tackling Retail's ATO & Fraud Prevention Challenge

Symantec said the China-linked Redfly APT group, which exclusively focuses on targeting critical national infrastructure, maintained persistence inside the unnamed power grid network for up to six months, stealing credentials and compromising multiple computers.

Redfly's choice of tools and infrastructure in this campaign overlapped with similar campaigns conducted by Chinese espionage group APT41 in recent years. APT41, also tracked as Barium, Earth Baku and Winnti, recently targeted four regional dispatch centers responsible for operating India's power grid shortly after India and China engaged in border disputes.

In 2021, APT41 exploited a zero-day vulnerability in the USAHerds application to compromise at least six U.S. state government networks.

Symantec's Threat Hunter Team said Redfly in its latest campaign had used a unique variant of the ShadowPad Trojan to establish persistence in the targeted network. The variant used a web domain for command and control and masqueraded as VMware files and directories when copying itself to the disk.

The ShadowPad Trojan has been used exclusively by Chinese espionage groups in recent years to target organizations of interest in foreign countries. SecureWorks said it believes the malware Trojan's operators are associated with the Chinese Ministry of State Security and the People's Liberation Army.

The Redfly group in its latest campaign also used a tool called Packerloader to load and execute shell code that allowed the group to deliver and execute arbitrary files or commands. The group also used ShadowPad to install a keylogger, which it hid inside infected systems under various file names such as winlogon.exe and hphelper.exe.

The ability to maintain "a long-term, persistent presence on a national grid presents a clear risk of attacks designed to disrupt power supplies and other vital services in nation-states during times of increased political tension," Symantec said.

The Redfly group only focused on stealing credentials, gaining access to computers connected to the infected network and keylogging. Symantec said that the group chose not to disrupt operations, but it could choose to do so in the future.


About the Author

Jayant Chakravarti

Jayant Chakravarti

Senior Editor, APAC

Chakravarti covers cybersecurity developments in the Asia-Pacific region. He has been writing about technology since 2014, including for Ziff Davis.




Around the Network

Our website uses cookies. Cookies enable us to provide the best experience possible and help us understand how visitors use our website. By browsing careersinfosecurity.eu, you agree to our use of cookies.