A threat actor known as RedFly has compromised the network of an unnamed national electricity grid organization in Asia and had been quietly present in the victim network for six months, according to a new report from Symantec researchers.
The espionage group used the ShadowPad remote access trojan to compromise the target organization and steal credentials. While this RAT is a publicly available tool known to be used by multiple threat actors, the recent campaign leveraged tools and infrastructure previously linked to a cluster of APT41 activity (aka Brass Typhoon, Wicked Panda, Winnti, and Red Echo). Symantec tracks this recent activity as RedFly.
The first evidence of intrusion dates back to February 28, 2023, when ShadowPad was executed on a single computer. The malware was executed again in May, which suggests that the attackers maintained access to the network for three months.
The threat actor used a number of tools in the attack, including a keylogger that captured keystrokes to log files on the compromised system and an espionage tool called Packerloader, used to execute code that modified a driver file's permissions, as well as to dump credentials stored in the Windows registry and wipe Windows security event logs.
The attackers were also observed using PowerShell to run commands that collect information about specific storage devices on the compromised system.
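The tooling described above leaves traces a defender can look for: the Security event log being cleared (Windows Event ID 1102), credential hives being exported from the registry, and PowerShell enumerating storage devices. The following is an added example written for this article, not code from Symantec's report or from the RedFly tooling; it runs a small rule set over constructed, Sysmon-style process-creation and Security-log records. The event schema, field names, host names and command lines are assumptions made for the demo, and `reg.exe save` of the SAM/SECURITY/SYSTEM hives is used as one common instance of registry credential dumping, since the article does not name the specific utility involved.

```python
"""Toy detector for the post-compromise behaviours the article describes.

Added example, not from the Symantec report. Scans constructed, Sysmon-style
event dicts (Event ID 1 = process creation) plus Security-log records
(Event ID 1102 = audit log cleared) and flags:
  - security_log_cleared   (high)  Security event log wiped
  - credential_hive_export (high)  reg.exe save of SAM/SECURITY/SYSTEM hives
  - storage_enumeration    (low)   PowerShell storage-device inventory, which
                                   is often legitimate admin activity on its own
Field names, hosts and sample command lines are assumptions for this demo.
"""
import re
from dataclasses import dataclass

# Registry hives holding local credential material, addressed via HKLM.
CREDENTIAL_HIVES = re.compile(
    r"hk(?:lm|ey_local_machine)\\(sam|security|system)\b", re.IGNORECASE
)
# PowerShell cmdlets / WMI classes commonly used to inventory storage devices.
STORAGE_ENUM = re.compile(
    r"(Get-PhysicalDisk|Get-Disk|Get-Volume|Win32_DiskDrive|Win32_LogicalDisk)",
    re.IGNORECASE,
)


@dataclass(frozen=True)
class Finding:
    host: str
    severity: str
    rule: str
    detail: str


def _basename(image: str) -> str:
    """Return the file name of a Windows image path (works on any OS)."""
    return image.lower().rsplit("\\", 1)[-1]


def detect(events):
    """Apply the three rules to a list of event dicts; return Findings in order."""
    findings = []
    for ev in events:
        host = ev.get("host", "?")
        eid = ev.get("event_id")
        image = _basename(ev.get("image", ""))
        cmd = ev.get("command_line", "")
        if eid == 1102:
            findings.append(Finding(host, "high", "security_log_cleared",
                                    "Security event log was cleared (EID 1102)"))
        elif eid == 1 and image == "reg.exe" \
                and re.search(r"\bsave\b", cmd, re.IGNORECASE) \
                and CREDENTIAL_HIVES.search(cmd):
            findings.append(Finding(host, "high", "credential_hive_export", cmd))
        elif eid == 1 and image in ("powershell.exe", "pwsh.exe") \
                and STORAGE_ENUM.search(cmd):
            findings.append(Finding(host, "low", "storage_enumeration", cmd))
    return findings


def hosts_to_escalate(findings):
    """Hosts showing both credential dumping and log wiping: the combination
    (theft followed by anti-forensics) is far more telling than either alone."""
    by_host = {}
    for f in findings:
        by_host.setdefault(f.host, set()).add(f.rule)
    return {h for h, rules in by_host.items()
            if {"credential_hive_export", "security_log_cleared"} <= rules}


# Constructed sample telemetry (not real RedFly artefacts).
SAMPLE_EVENTS = [
    {"host": "scada-hist01", "event_id": 1, "image": r"C:\Windows\System32\reg.exe",
     "command_line": r"reg save HKLM\SAM C:\ProgramData\sam.tmp"},
    {"host": "scada-hist01", "event_id": 1, "image": r"C:\Windows\System32\reg.exe",
     "command_line": r"reg save HKLM\SYSTEM C:\ProgramData\sys.tmp"},
    {"host": "scada-hist01", "event_id": 1,
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "command_line": "powershell -c Get-PhysicalDisk | Select FriendlyName,Size"},
    {"host": "scada-hist01", "event_id": 1102, "image": "", "command_line": ""},
    # Benign noise: a registry query and an unrelated process on another host.
    {"host": "eng-ws07", "event_id": 1, "image": r"C:\Windows\System32\reg.exe",
     "command_line": r"reg query HKLM\Software\Microsoft\Windows\CurrentVersion"},
    {"host": "eng-ws07", "event_id": 1, "image": r"C:\Windows\System32\notepad.exe",
     "command_line": "notepad.exe"},
]

if __name__ == "__main__":
    results = detect(SAMPLE_EVENTS)
    for f in results:
        print(f"[{f.severity:4}] {f.host}: {f.rule} :: {f.detail}")
    print("escalate:", sorted(hosts_to_escalate(results)))
```

Run stand-alone, the script flags the two hive exports and the log clearing as high severity, the storage enumeration as low, and escalates only the host where credential dumping and log wiping coincide; the benign `reg query` and notepad events produce nothing.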
“The frequency at which CNI organizations are being attacked appears to have increased over the past year and is now a source of concern. Threat actors maintaining a long-term, persistent presence on a national grid presents a clear risk of attacks designed to disrupt power supplies and other vital services in nation-states during times of increased political tension. While Symantec has not seen any disruptive activity by Redfly, the fact that such attacks have occurred in other regions means they are not outside the bounds of possibility,” the researchers warned.