A recent cyber attack on a national power grid in an undisclosed Asian country has raised concerns about the vulnerability of critical infrastructure. The attack was carried out by a Chinese threat actor known as the Winnti Group (also tracked as APT41 and Bronze Atlas), which has a history of conducting high-level cyber espionage on behalf of the People’s Republic of China (PRC).
The attack, which lasted for six months, was orchestrated by a subgroup within the Winnti Group called “Redfly” or “Red Echo”. They successfully breached the network of an Asian electricity provider using a remote access Trojan (RAT) called ShadowPad to steal sensitive data and obtain privileged information.
Security experts are concerned about the implications of this attack for critical infrastructure. Dick O’Brien, principal intelligence analyst for the Symantec Threat Hunter Team, warns that organizations often ignore warnings until something catastrophic happens. He believes that while such worst-case scenarios are rare, they do occur from time to time.
Researchers from Symantec were able to trace the campaign back to February 28, when ShadowPad was deployed on a single computer within the target network. ShadowPad, a modular backdoor delivered as shellcode, has been associated with Chinese state-sponsored attacks. In this campaign, the attackers used a variant of ShadowPad that disguised itself as VMware files and directories when copying itself onto disk.
Over the course of the next few months, Redfly continued its attack, performing DLL sideloading, using PowerShell to gather information, dumping credentials, and spreading malware to other machines in the network. On their final day of activity, Redfly attempted to dump credentials from the Windows registry.
This attack is not an isolated incident. Another Chinese advanced persistent threat (APT) group called Volt Typhoon was recently discovered compromising US critical infrastructure organizations. The fact that multiple Chinese APTs are targeting critical infrastructure raises concerns about the nation’s espionage capabilities in this space. While Russia’s destructive attacks receive more attention, China’s espionage campaigns are equally prevalent in critical industries.
Researchers from Symantec have been monitoring various subgroups within the Winnti Group, including Blackfly, Greyfly, and Redfly. Redfly, also known as Red Echo, focuses exclusively on national critical infrastructure attacks. This latest attack on the Asian power grid is not their first, as they previously targeted the Indian power sector two years ago.
The motivation behind China’s interest in critical industries remains unclear. It could be related to political tensions, energy market trends, or intellectual property theft, but experts can only speculate. However, the United States and some other Western countries are well aware of the threat and are taking steps to protect their critical infrastructure. Other countries can learn from their approach and take measures to strengthen their defenses.
Overall, this recent cyber attack on a national power grid highlights the continued vulnerability of critical infrastructure. Organizations, governments, and cybersecurity experts must remain vigilant and proactive in safeguarding these essential systems from future attacks. The stakes are high, and the potential impacts of a successful attack on critical infrastructure cannot be underestimated.

