Wednesday, April 30, 2025
HomeCyber Security NewsChinese Redfly Hacked National Power Grid & Maintained Access for 6 Months

Chinese Redfly Hacked National Power Grid & Maintained Access for 6 Months

Published on

SIEM as a Service

Follow Us on Google News

Cybersecurity researchers at Symantec’s Threat Hunter Team recently discovered that the Redfly threat actor group used ShadowPad Trojan to breach an Asian national grid for 6 months.

Artificial intelligence-driven cyber threats grow as technology advances, significantly influencing and boosting threat actor sophistication.

Persistent espionage attacks by threat actors on critical national infrastructure (CNI) raise global concerns among governments and CNI entities.

- Advertisement - Google News

In this security breach, the threat actors successfully stole the credentials and compromised computers.

The latest attack is part of the ongoing global CNI espionage wave, with the following countries on high alert after the Volt Typhoon’s U.S. infiltration:-

  • The U.S.
  • The UK
  • Australia
  • Canada
  • New Zealand

ShadowPad is initially a modular, short-lived underground RAT, now tied to espionage groups like APT41. Recent power grid attacks linked to Redfly, distinct from Blackfly and Grayfly.

Tools used

Here below, we have mentioned all the tools that the threat actors use in these attacks:-

Document
Get a Demo

Start protecting your SaaS data in just a few minutes!

With DoControl, you can keep your SaaS applications and data safe and secure by creating workflows tailored to your needs. It’s an easy and efficient way to identify and manage risks. You can mitigate the risk and exposure of your organization’s SaaS applications in just a few simple steps.

Technical analysis

Initial intrusion on February 28, 2023, followed by ShadowPad execution on May 17, confirming attackers’ presence. A suspicious 1.bat file ran on May 16, leading to PackerLoader execution in the %TEMP% directory.

Next, all-user access is granted to dump_diskfs.sys driver, potentially for file system dumps and exfiltration. From the following Windows registry, the credentials were dumped:-

  • reg save HKLM\SYSTEM system.save
  • reg save HKLM\SAM sam.sav
  • reg save HKLM\SECURITY security.save

On May 19, attackers returned, running PackerLoader and 1.bat, then with the help of a sneaky “displayswitch.exe” file, Redfly launched their malicious payload. 

While besides this, they later used PowerShell to spy on the writable drives. Apart from this, the displayswitch.exe was triggered in %TEMP% on May 26 and swiftly dumped the registry credentials and erased the security logs.

Next, the attackers used ProcDump on May 29 and Oleview on May 31 for malicious activities and possibly leveraged the stolen credentials for lateral movement.

Over the past year, threat actors have actively targeted and attacked the CNI organizations. Even their attack frequency has also significantly increased, which is now a concerning factor.

Threat actors maintaining a long-term presence on grids pose the risk of disruptive attacks in nation-states during political tension.

IOCs

IOCs (Source – Symantec)

Keep informed about the latest Cyber Security News by following us on Google NewsLinkedinTwitter, and Facebook.

Tushar Subhra
Tushar Subhra
Tushar is a Cyber security content editor with a passion for creating captivating and informative content. With years of experience under his belt in Cyber Security, he is covering Cyber Security News, technology and other news.

Latest articles

Trellix Launches Phishing Simulator to Help Organizations Detect and Prevent Attacks

Trellix, a leader in cybersecurity solutions, has unveiled its latest innovation, the Trellix Phishing...

AiTM Phishing Kits Bypass MFA by Hijacking Credentials and Session Tokens

Darktrace's Security Operations Center (SOC) in late 2024 and early 2025, cybercriminals have been...

Nitrogen Ransomware Uses Cobalt Strike and Log Wiping in Targeted Attacks on Organizations

Threat actors have leveraged the Nitrogen ransomware campaign to target organizations through deceptive malvertising...

Researchers Reveal Threat Actor TTP Patterns and DNS Abuse in Investment Scams

Cybersecurity researchers have uncovered the intricate tactics, techniques, and procedures (TTPs) employed by threat...

Resilience at Scale

Why Application Security is Non-Negotiable

The resilience of your digital infrastructure directly impacts your ability to scale. And yet, application security remains a critical weak link for most organizations.

Application Security is no longer just a defensive play—it’s the cornerstone of cyber resilience and sustainable growth. In this webinar, Karthik Krishnamoorthy (CTO of Indusface) and Phani Deepak Akella (VP of Marketing – Indusface), will share how AI-powered application security can help organizations build resilience by

Discussion points


Protecting at internet scale using AI and behavioral-based DDoS & bot mitigation.
Autonomously discovering external assets and remediating vulnerabilities within 72 hours, enabling secure, confident scaling.
Ensuring 100% application availability through platforms architected for failure resilience.
Eliminating silos with real-time correlation between attack surface and active threats for rapid, accurate mitigation

More like this

Trellix Launches Phishing Simulator to Help Organizations Detect and Prevent Attacks

Trellix, a leader in cybersecurity solutions, has unveiled its latest innovation, the Trellix Phishing...

AiTM Phishing Kits Bypass MFA by Hijacking Credentials and Session Tokens

Darktrace's Security Operations Center (SOC) in late 2024 and early 2025, cybercriminals have been...

Nitrogen Ransomware Uses Cobalt Strike and Log Wiping in Targeted Attacks on Organizations

Threat actors have leveraged the Nitrogen ransomware campaign to target organizations through deceptive malvertising...