
Redfly espionage hackers continue to strike critical infrastructure, as Asian national grid compromised

September 13, 2023 – Published on Industrial Cyber

Researchers have revealed that Redfly espionage hackers are continuing to attack critical national infrastructure (CNI) targets, raising concerns for governments and CNI organizations worldwide. Symantec’s Threat Hunter Team found evidence that Redfly used the ShadowPad trojan to compromise a national grid in an Asian country for six months earlier this year. The attackers managed to steal credentials and compromise multiple computers on the organization’s network. 

“ShadowPad is a modular remote access trojan (RAT) that was designed as a successor to the Korplug/PlugX trojan, and was, for a period of time, sold in underground forums,” the security team wrote in a Tuesday blog post. “However, despite its origins as a publicly available tool, it was only sold publicly for a very short time reportedly to a handful of buyers. It has since been closely linked to espionage actors.” 

The researchers added that while ShadowPad is known to be used by multiple advanced persistent threat (APT) actors, the tools and infrastructure identified in the recent campaign targeting a national power grid overlap with previously reported attacks attributed to a cluster of APT41 activity (aka Brass Typhoon, Wicked Panda, Winnti, and Red Echo).

Commenting on the Symantec post, Christopher Warner, senior security consultant GRC-OT at GuidePoint Security, told Industrial Cyber that this disclosure and several others underscore the upward trend in critical infrastructure attacks. “The primary reason behind this alarming trend is the inherent vulnerability or ‘soft target’ of these critical systems. Operational technology (OT) is often more susceptible to hacking than IT systems, and the potential consequences are far more severe, including disruptions to power, water utilities, hospitals, first responders, and critical manufacturing processes,” he added.

“The complexity of OT systems is compounded by the importance of human safety and uninterrupted operation (minimal downtime). These attacks can be attributed to a combination of factors,” Warner highlighted. “Firstly, critical infrastructure systems are considered soft targets due to their relative ease of exploitation. Secondly, many organizations do not give cybersecurity the attention it deserves, further exacerbating the risks. Additionally, the shortage of qualified personnel with the necessary skill sets challenges the situation.”
