Wednesday, January 1, 2025
HomeCyber Security NewsChinese Redfly Hacked National Power Grid & Maintained Access for 6 Months

Chinese Redfly Hacked National Power Grid & Maintained Access for 6 Months

Published on

SIEM as a Service

Cybersecurity researchers at Symantec’s Threat Hunter Team recently discovered that the Redfly threat actor group used ShadowPad Trojan to breach an Asian national grid for 6 months.

Artificial intelligence-driven cyber threats grow as technology advances, significantly influencing and boosting threat actor sophistication.

Persistent espionage attacks by threat actors on critical national infrastructure (CNI) raise global concerns among governments and CNI entities.

- Advertisement - SIEM as a Service

In this security breach, the threat actors successfully stole the credentials and compromised computers.

The latest attack is part of the ongoing global CNI espionage wave, with the following countries on high alert after the Volt Typhoon’s U.S. infiltration:-

  • The U.S.
  • The UK
  • Australia
  • Canada
  • New Zealand

ShadowPad is initially a modular, short-lived underground RAT, now tied to espionage groups like APT41. Recent power grid attacks linked to Redfly, distinct from Blackfly and Grayfly.

Tools used

Here below, we have mentioned all the tools that the threat actors use in these attacks:-

Document
Get a Demo

Start protecting your SaaS data in just a few minutes!

With DoControl, you can keep your SaaS applications and data safe and secure by creating workflows tailored to your needs. It’s an easy and efficient way to identify and manage risks. You can mitigate the risk and exposure of your organization’s SaaS applications in just a few simple steps.

Technical analysis

Initial intrusion on February 28, 2023, followed by ShadowPad execution on May 17, confirming attackers’ presence. A suspicious 1.bat file ran on May 16, leading to PackerLoader execution in the %TEMP% directory.

Next, all-user access is granted to dump_diskfs.sys driver, potentially for file system dumps and exfiltration. From the following Windows registry, the credentials were dumped:-

  • reg save HKLM\SYSTEM system.save
  • reg save HKLM\SAM sam.sav
  • reg save HKLM\SECURITY security.save

On May 19, attackers returned, running PackerLoader and 1.bat, then with the help of a sneaky “displayswitch.exe” file, Redfly launched their malicious payload. 

While besides this, they later used PowerShell to spy on the writable drives. Apart from this, the displayswitch.exe was triggered in %TEMP% on May 26 and swiftly dumped the registry credentials and erased the security logs.

Next, the attackers used ProcDump on May 29 and Oleview on May 31 for malicious activities and possibly leveraged the stolen credentials for lateral movement.

Over the past year, threat actors have actively targeted and attacked the CNI organizations. Even their attack frequency has also significantly increased, which is now a concerning factor.

Threat actors maintaining a long-term presence on grids pose the risk of disruptive attacks in nation-states during political tension.

IOCs

IOCs (Source – Symantec)

Keep informed about the latest Cyber Security News by following us on Google NewsLinkedinTwitter, and Facebook.

Tushar Subhra
Tushar Subhra
Tushar is a Cyber security content editor with a passion for creating captivating and informative content. With years of experience under his belt in Cyber Security, he is covering Cyber Security News, technology and other news.

Latest articles

CISA Warns of Palo Alto Networks PAN-OS Vulnerability Exploited in Wild

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has issued a high-priority alert on...

US Treasury Department Breach, Hackers Accessed Workstations

The Biden administration confirmed that a Chinese state-sponsored hacking group breached the U.S. Treasury...

TrueNAS CORE Vulnerability Let Attackers Execute Remote Code

Security researchers Daan Keuper, Thijs Alkemade, and Khaled Nassar from Computest Sector 7 disclosed...

New Botnet Exploiting D-Link Routers To Gain Control Remotely

Researchers observed a recent surge in activity from the "FICORA" and "CAPSAICIN," both variants...

API Security Webinar

72 Hours to Audit-Ready API Security

APIs present a unique challenge in this landscape, as risk assessment and mitigation are often hindered by incomplete API inventories and insufficient documentation.

Join Vivek Gopalan, VP of Products at Indusface, in this insightful webinar as he unveils a practical framework for discovering, assessing, and addressing open API vulnerabilities within just 72 hours.

Discussion points

API Discovery: Techniques to identify and map your public APIs comprehensively.
Vulnerability Scanning: Best practices for API vulnerability analysis and penetration testing.
Clean Reporting: Steps to generate a clean, audit-ready vulnerability report within 72 hours.

More like this

CISA Warns of Palo Alto Networks PAN-OS Vulnerability Exploited in Wild

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has issued a high-priority alert on...

US Treasury Department Breach, Hackers Accessed Workstations

The Biden administration confirmed that a Chinese state-sponsored hacking group breached the U.S. Treasury...

TrueNAS CORE Vulnerability Let Attackers Execute Remote Code

Security researchers Daan Keuper, Thijs Alkemade, and Khaled Nassar from Computest Sector 7 disclosed...