Chinese APT41 Implicated in Asian National Power Grid Hack

Symantec Finds APT41 Fingerprint in a ShadowPad Trojan Attack on Asian Power Grid
Cybersecurity researchers at Symantec said hackers with possible ties to the Chinese government used the ShadowPad Trojan to target an Asian country's national power grid earlier this year.
Symantec said the China-linked Redfly APT group, which exclusively focuses on targeting critical national infrastructure, maintained persistence inside the unnamed power grid network for up to six months, stealing credentials and compromising multiple computers.
Redfly's choice of tools and infrastructure in this campaign overlapped with similar campaigns conducted by Chinese espionage group APT41 in recent years. APT41, also tracked as Barium, Earth Baku and Winnti, recently targeted four regional dispatch centers responsible for operating India's power grid shortly after India and China engaged in border disputes.
In 2021, APT41 exploited a zero-day vulnerability in the USAHerds application to compromise at least six U.S. state government networks.
Symantec's Threat Hunter Team said Redfly in its latest campaign had used a unique variant of the ShadowPad Trojan to establish persistence in the targeted network. The variant used a web domain for command and control and masqueraded as VMware files and directories when copying itself to the disk.
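The masquerading described above gives defenders a concrete hunt: VMware-named executables sitting outside the directories where VMware actually installs them. The script below is an added illustration of that check, not code from Symantec or the article; the file inventory is constructed, and the list of expected VMware install roots is an assumption that would need tuning for a real environment.

```python
from pathlib import PureWindowsPath

# Constructed sample: the kind of file inventory an EDR or asset export would supply.
# Real Redfly file names are not given in the article; these are invented.
SAMPLE_INVENTORY = [
    r"C:\Program Files\VMware\VMware Tools\vmtoolsd.exe",
    r"C:\Program Files (x86)\VMware\VMware Workstation\vmware.exe",
    r"C:\ProgramData\VMware\vmware-vmx.exe",                 # hypothetical: binary in a data dir
    r"C:\Users\Public\Libraries\VMwareUpdate\vmware-tray.exe",  # hypothetical: user-writable path
    r"C:\ProgramData\VMware\logs\vmware-vmsvc.log",          # data file, not an executable
    r"C:\Windows\System32\svchost.exe",
]

# Assumed set of locations where VMware binaries legitimately live on Windows.
# Tune this per environment; it is not an authoritative list.
EXPECTED_VMWARE_ROOTS = (
    PureWindowsPath(r"C:\Program Files\VMware"),
    PureWindowsPath(r"C:\Program Files (x86)\VMware"),
    PureWindowsPath(r"C:\Program Files\Common Files\VMware"),
)

EXECUTABLE_SUFFIXES = {".exe", ".dll", ".sys"}


def looks_vmware_named(path: PureWindowsPath) -> bool:
    """True if any path component (directory or file name) contains 'vmware'."""
    return any("vmware" in part.lower() for part in path.parts)


def under_expected_root(path: PureWindowsPath) -> bool:
    """True if the file sits beneath one of the expected VMware install roots.

    PureWindowsPath comparisons are case-insensitive, so mixed-case
    inventory entries still match the roots above.
    """
    return any(root == parent for parent in path.parents for root in EXPECTED_VMWARE_ROOTS)


def find_masquerading_vmware_files(inventory):
    """Return inventory entries that are executables named like VMware
    components but stored outside the expected VMware install roots."""
    flagged = []
    for raw in inventory:
        path = PureWindowsPath(raw)
        if path.suffix.lower() not in EXECUTABLE_SUFFIXES:
            continue  # logs, configs and similar data files are expected in ProgramData
        if looks_vmware_named(path) and not under_expected_root(path):
            flagged.append(raw)
    return flagged


if __name__ == "__main__":
    for hit in find_masquerading_vmware_files(SAMPLE_INVENTORY):
        print("review:", hit)
```

A hit from this check is a lead, not a verdict: confirm it by checking the file's Authenticode signature and hash against known VMware releases before treating it as the implant.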
The ShadowPad Trojan has been used exclusively by Chinese espionage groups in recent years to target organizations of interest in foreign countries. SecureWorks said it believes the Trojan's operators are associated with the Chinese Ministry of State Security and the People's Liberation Army.
The Redfly group in its latest campaign also used a tool called Packerloader to load and execute shell code that allowed the group to deliver and execute arbitrary files or commands. The group also used ShadowPad to install a keylogger, which it hid inside infected systems under various file names such as
The ability to maintain "a long-term, persistent presence on a national grid presents a clear risk of attacks designed to disrupt power supplies and other vital services in nation-states during times of increased political tension," Symantec said.
The Redfly group only focused on stealing credentials, gaining access to computers connected to the infected network and keylogging. Symantec said that the group chose not to disrupt operations, but it could choose to do so in the future.