Persistent Espionage Attacks on National Infrastructure Raising Alarm

ShadowPad Trojan

Sustained attempts by espionage actors to compromise Critical National Infrastructure (CNI) have been ringing alarm bells for governments and infrastructure operators globally. One of the most recent attacks was orchestrated by a threat actor group known as Redfly, as revealed by Symantec’s Threat Hunter Team.

In a detailed exposé, Symantec reported that Redfly used the ShadowPad Trojan to infiltrate a national power grid in Asia. The intrusion lasted a shocking six months, during which the attackers stole credentials and compromised several computers on the grid’s network. This is just one in a series of espionage attacks against CNI. In May 2023, multiple Western governments flagged potential threats against their CNI.

ShadowPad is a modular remote access Trojan (RAT) regarded as the successor to the Korplug/PlugX Trojan. Initially available on underground forums, it has since been used almost exclusively in espionage operations. ShadowPad has been linked to advanced persistent threat (APT) groups such as APT41, Brass Typhoon, and Wicked Panda. Symantec tracks the activity in this campaign under the Redfly umbrella, a group that appears to focus solely on CNI targets.

Redfly’s Arsenal of Tools

  • ShadowPad: A distinct variant of this Trojan was used, hiding under the guise of VMware files and directories. It used websencl[.]com for command-and-control. To remain persistent, it configured a service to start with Windows.
  • Packerloader: This tool loads and executes encrypted shellcode, with mechanisms to retrieve decryption keys from specific registry locations.
  • Keylogger: Redfly deployed keyloggers under various filenames to capture keystrokes for potential intelligence.
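Two of the observations above (the websencl[.]com command-and-control domain and persistence via an auto-start service masquerading as VMware components) translate directly into defender checks. The script below is an added example, not part of Symantec’s report or the original article; the log format, the service inventory tuples and the list of "expected" VMware install directories are constructed assumptions for illustration.

```python
import re

# Page IoC: the C2 domain attributed to Redfly's ShadowPad variant (defanged on the page).
C2_DOMAIN = "websencl.com"

# Assumption/heuristic: where genuine VMware components are normally installed.
EXPECTED_VMWARE_DIRS = (
    "c:\\program files\\vmware\\",
    "c:\\program files (x86)\\vmware\\",
    "c:\\program files\\common files\\vmware\\",
)

# Constructed sample DNS resolver log lines (not real telemetry).
SAMPLE_DNS = [
    "2023-05-03T10:14:02Z client 10.0.8.21 query: update.windowsupdate.com IN A",
    "2023-05-03T10:14:09Z client 10.0.8.21 query: cdn.websencl.com IN A",
    "2023-05-03T10:15:41Z client 10.0.8.44 query: websencl.com. IN A",
]

# Constructed service inventory: (service name, start type, image path).
SAMPLE_SERVICES = [
    ("VMTools", "auto", '"C:\\Program Files\\VMware\\VMware Tools\\vmtoolsd.exe"'),
    ("VMwareUpdate", "auto", "C:\\ProgramData\\VMware\\vmtools.exe -k"),
    ("Spooler", "auto", "C:\\Windows\\System32\\spoolsv.exe"),
    ("vmusbsvc", "demand", "C:\\Users\\Public\\vmware\\vmusb.exe"),
]

def flag_dns_queries(log_lines):
    """Return queried names equal to the C2 domain or one of its subdomains."""
    hits = []
    for line in log_lines:
        m = re.search(r"query:\s*(\S+)", line)
        if not m:
            continue
        name = m.group(1).lower().rstrip(".")  # normalise trailing FQDN dot
        if name == C2_DOMAIN or name.endswith("." + C2_DOMAIN):
            hits.append(name)
    return hits

def _image_exe(image_path):
    """Extract the executable from a service image path (quoted or first token)."""
    p = image_path.strip()
    if p.startswith('"'):
        end = p.find('"', 1)
        return p[1:end].lower() if end > 0 else p[1:].lower()
    return p.split(" ")[0].lower()  # unquoted paths with spaces are not handled

def flag_autostart_services(services):
    """Flag auto-start services that reference VMware but run from outside expected dirs."""
    flagged = []
    for name, start_type, image_path in services:
        exe = _image_exe(image_path)
        if start_type.lower() != "auto":
            continue
        if "vmware" not in name.lower() and "vmware" not in exe:
            continue
        if not exe.startswith(EXPECTED_VMWARE_DIRS):
            flagged.append(name)
    return flagged
```

The service heuristic only narrows the field; a flagged entry still needs the binary's signature and hash checked before it is treated as ShadowPad.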

The breach commenced on February 28, 2023, when the ShadowPad Trojan was introduced into the network. The attackers returned in May and carried out a series of malicious activities: executing suspicious files, modifying permissions, dumping credentials, and abusing legitimate binaries for DLL side-loading. The attack was extensive and prolonged, with the attackers returning to the compromised network repeatedly until early August.

Symantec’s revelation about attacks on CNI echoes earlier findings. Almost a decade ago, the Russian-backed Dragonfly group targeted energy sectors in the U.S. and Europe. More recently, the Russian Sandworm group disrupted the electricity distribution network in Ukraine. The frequency of such attacks on CNI has surged alarmingly in recent years. The implication is grave: threat actors could disrupt power supplies and other essential services during politically charged periods. While no disruptive activity by Redfly has been reported yet, the potential for such events remains concerning.

In conclusion, as the technological landscape evolves, so does the sophistication of cyber-attacks. The persistent and targeted efforts of groups like Redfly serve as a stark reminder that safeguarding national infrastructures is paramount in today’s digital age.