Chinese Redfly Group Compromised a Nation's Critical Grid in 6-Month ShadowPad Campaign
12.9.23 BigBrothers The Hacker News
A threat actor called Redfly has been linked to a compromise of a national grid located in an unnamed Asian country for as long as six months earlier this year using a known malware referred to as ShadowPad.
"The attackers managed to steal credentials and compromise multiple computers on the organization's network," the Symantec Threat Hunter Team, part of Broadcom, said in a report shared with The Hacker News. "The attack is the latest in a series of espionage intrusions against [critical national infrastructure] targets."
ShadowPad, also known as PoisonPlug, is a follow-up to the PlugX remote access trojan and is a modular implant capable of loading additional plugins dynamically from a remote server as required to harvest sensitive data from breached networks.
It has been widely used by a growing list of China-nexus nation-state groups since at least 2019 in attacks aimed at organizations in various industry verticals.
"ShadowPad is decrypted in memory using a custom decryption algorithm," Secureworks Counter Threat Unit (CTU) noted in February 2022. "ShadowPad extracts information about the host, executes commands, interacts with the file system and registry, and deploys new modules to extend functionality."
The earliest sign of an attack targeting the Asian entity is said to have been recorded on February 23, 2023, when ShadowPad was executed on a single computer, followed by running the backdoor three months later on May 17.
Also deployed around the same time was a tool called Packerloader that's used to execute arbitrary shellcode, using it to modify permissions for a driver file known as dump_diskfs.sys to grant access to all users, raising the possibility that the driver may have been used to create file system dumps for later exfiltration.
The threat actors have further been observed running PowerShell commands to gather information on the storage devices attached to the system, dump credentials from Windows Registry, while simultaneously clearing security event logs from the machine.
"On May 29, the attackers returned and used a renamed version of ProcDump (file name: alg.exe) to dump credentials from LSASS," Symantec said. "On May 31, a scheduled task is used to execute oleview.exe, mostly likely to perform side-loading and lateral movement."
It's suspected that Redfly used stolen credentials in order to propagate the infection to other machines within the network. After nearly a two-month hiatus, the adversary reappeared on the scene to install a keylogger on July 27 and once again extract credentials from LSASS and the Registry on August 3.
Symantec said the campaign shares infrastructure and tooling overlaps with previously identified activity attributed to the Chinese state-sponsored group referred to as APT41 (aka Winnti), with Redly almost exclusively focusing on targeting critical infrastructure entities.
However, there is no evidence that the hacking outfit has staged any disruptive attacks to date.
"Threat actors maintaining a long-term, persistent presence on a national grid presents a clear risk of attacks designed to disrupt power supplies and other vital services in other states during times of increased political tension," the company said.
The development comes as Microsoft revealed that China-affiliated actors are honing in on AI-generated visual media for use in influence operations targeting the U.S. as well as "conducting intelligence collection and malware execution against regional governments and industries" in the South China Sea region since the start of the year.
"Raspberry Typhoon [formerly Radium] consistently targets government ministries, military entities, and corporate entities connected to critical infrastructure, particularly telecoms," the tech giant said. "Since January 2023, Raspberry Typhoon has been particularly persistent."
Other targets include the U.S. defense industrial base (Circle Typhoon / DEV-0322, Mulberry Typhoon / Manganese, and Volt Typhoon / DEV-0391), U.S. critical infrastructure, government entities in Europe and the U.S. (Storm-0558), and Taiwan (Charcoal Typhoon / Chromium and Flax Typhoon / Storm-0919).
It also follows a report from the Atlantic Council that a Chinese law requiring companies operating in the country to disclose security flaws in their products to the Ministry of Industry and Information Technology (MIIT) allows the country to stockpile the vulnerabilities and help state hackers "increase operational tempo, success, and scope."