Espionage actors have increased their assaults on critical national infrastructure (CNI) targets, raising alarms among governments and CNI organisations worldwide.
Symantec’s Threat Hunter Team recently uncovered evidence of a threat actor group named Redfly using the ShadowPad Trojan to compromise a national grid in an unnamed Asian country, maintaining access for up to six months earlier this year. The attackers successfully stole credentials and compromised numerous computers within the organisation’s network.
This incident is the latest in a series of espionage intrusions targeting CNI entities. In May 2023, the U.S., UK, Australia, Canada, and New Zealand governments jointly issued an alert regarding actors targeting CNI organisations in the U.S.
ShadowPad, a modular remote access trojan (RAT), is the primary tool in this attack. Originally designed as a successor to the Korplug/PlugX Trojan, ShadowPad was briefly available in underground forums before being closely associated with espionage actors.
While ShadowPad is known to be utilised by various advanced persistent threat (APT) actors, the tools and infrastructure used in this recent campaign overlap with previously reported attacks attributed to APT41 activity, also known as Brass Typhoon, Wicked Panda, Winnti, and Red Echo.
Symantec has tracked this group under names such as Blackfly and Grayfly, revealing links between these entities. The current campaign, targeting critical national infrastructure, is being tracked under a group called Redfly, which appears to focus on CNI targets.
The group used three main tools to carry on the attack:
- ShadowPad: It utilised the domain websencl.com for command-and-control purposes and concealed itself in VMare-related directories to evade detection.
- Packerloader: A tool used to load and execute shellcode, was utilized. It enables attackers to deliver and execute arbitrary files or commands on infected computers.
- Keylogger: The attackers also deployed a keylogger under various filenames on different computers, including winlogon.exe and hphelper.exe. The keylogger stored captured keystrokes in the %SYSTEMROOT%\Intel\record.log location.
The intrusion was first detected on February 28, 2023, when ShadowPad was executed on a single computer. The attackers maintained their presence over the next three months, executing ShadowPad again on May 17, 2023.
On May 16, a suspicious Windows batch file (1.bat) was executed, followed by PackerLoader. Permissions were then modified for a driver file called dump_diskfs.sys.
On May 19, the attackers returned, running PackerLoader and 1.bat, executing displayswitch.exe, and attempting to gather information on storage devices. Similar activities occurred on other occasions throughout May. In July, a keylogger (winlogon.exe) was installed on a machine, and the attackers attempted to dump credentials again in August.
Attacks on CNI targets, although not new, have garnered increased attention. Last year, Russians attacked Ukrainian energy grids. China was also caught targeting seven Indian power grid assets in Ladakh.
In the News: GitHub vulnerability exposed 4,000 repositories to Repojacking
