Redfly espionage hackers continue to strike critical infrastructure, as Asian national grid compromised


Symantec researchers have revealed that Redfly espionage hackers are continuing to attack critical national infrastructure (CNI) targets, raising concerns for governments and CNI organizations worldwide. Symantec’s Threat Hunter Team found evidence that Redfly used the ShadowPad trojan to compromise a national grid in an Asian country for six months earlier this year. The attackers managed to steal credentials and compromise multiple computers on the organization’s network. 

“ShadowPad is a modular remote access trojan (RAT) that was designed as a successor to the Korplug/PlugX trojan, and was, for a period of time, sold in underground forums,” the security team wrote in a Tuesday blog post. “However, despite its origins as a publicly available tool, it was only sold publicly for a very short time reportedly to a handful of buyers. It has since been closely linked to espionage actors.” 

The researchers added that while ShadowPad is known to be used by multiple advanced persistent threat (APT) actors, the tools and infrastructure identified in the recent campaign targeting a national power grid overlap with previously reported attacks attributed to a cluster of APT41 activity (aka Brass Typhoon, Wicked Panda, Winnti, and Red Echo).

“Symantec tracks this group as multiple distinct actors such as Blackfly and Grayfly,” the post disclosed. “The activities identified in this campaign are currently being tracked under a separate group that Symantec has dubbed Redfly, which appears to exclusively focus on targeting CNI.”

Commenting on the Symantec post, Christopher Warner, senior security consultant GRC-OT at GuidePoint Security, told Industrial Cyber that this disclosure and several others underscore the upward trend in critical infrastructure attacks. “The primary reason behind this alarming trend is the inherent vulnerability or ‘soft target’ of these critical systems. Operational technology (OT) is often more susceptible to hacking than IT systems, and the potential consequences are far more severe, including disruptions to power, water utilities, hospitals, first responders, and critical manufacturing processes,” he added.

“The complexity of OT systems is compounded by the importance of human safety and uninterrupted operation (minimal downtime). These attacks can be attributed to a combination of factors,” Warner highlighted. “Firstly, critical infrastructure systems are considered soft targets due to their relative ease of exploitation. Secondly, many organizations do not give cybersecurity the attention it deserves, further exacerbating the risks. Additionally, the shortage of qualified personnel with the necessary skill sets challenges the situation.”

Warner also flagged that the rise in critical infrastructure attacks results from the convergence of vulnerabilities in OT systems, inadequate cybersecurity measures, and a shortage of skilled professionals in the workforce.

The Symantec post pointed out that the frequency at which CNI organizations are being attacked appears to have increased over the past year and is now a source of concern. “Threat actors maintaining a long-term, persistent presence on a national grid presents a clear risk of attacks designed to disrupt power supplies and other vital services in nation-states during times of increased political tension. While Symantec has not seen any disruptive activity by Redfly, the fact that such attacks have occurred in other regions means they are not outside the bounds of possibility.”

The Symantec researchers detailed that the Redfly attack is the latest in a series of espionage intrusions against CNI targets. “The first evidence of intrusion on the targeted network dated from February 28, 2023, when ShadowPad was executed on a single computer. It was executed again on May 17, 2023, suggesting that the attackers had maintained a presence in the intervening three months,” they added.

The post said that a day earlier (May 16), a suspicious Windows batch file (file name: 1[dot]bat) was executed. Shortly afterwards, PackerLoader was executed via ‘rundll32’ from the ‘%TEMP%’ directory with some command-line arguments. “Immediately afterwards, permissions were modified for a driver file called dump_diskfs[dot]sys to grant access to all users. It is possible the attackers used this driver to create dumps of the file system for later exfiltration. Four minutes later, credentials were dumped from the Windows registry,” the post disclosed. 

“On May 19, the attackers returned, running PackerLoader and the 1[dot]bat batch file again. Shortly afterwards, a legitimate binary named displayswitch[dot]exe was executed. It was likely being used to perform DLL side-loading,” Symantec said. “This involves the attackers placing a malicious DLL in a directory where a legitimate DLL is expected to be found. The attacker then runs the legitimate application (having installed it themselves). The legitimate application then loads and executes the payload.”

The researchers identified that several hours later a suspicious PowerShell command was executed and used to gather information on the storage devices attached to the system. Specifically, it was designed to look for DriveType=3 (Read/Write Supported) and gather details on available space. Several hours later, a similar ‘set of activity’ occurred again.

“On May 26, displayswitch[dot]exe was executed from the %TEMP% directory via the command prompt,” according to the post. “Less than an hour later, several commands were executed via displayswitch[dot]exe to dump credentials from the registry and clear the Windows security event logs. On May 29, the attackers returned and used a renamed version of ProcDump (file name: alg[dot]exe) to dump credentials from LSASS.”

The Symantec researchers added that on May 31, a scheduled task was used to execute oleview[dot]exe, most likely to perform side-loading and lateral movement. “Use of Oleview by ShadowPad has been previously documented by Dell Secureworks and was also reported to have been used in attacks against industrial control systems. The command specified that Oleview was to be executed on a remote machine using the task name (TendView) at 07:30 a.m. It appears the attackers likely used stolen credentials in order to spread their malware onto other machines within the network.”

Symantec said that the Redfly malicious activity appeared to cease until July 27, when a keylogger was installed on a machine. “The final evidence of malicious activity came on August 3, when the attackers returned and attempted to dump credentials again using a renamed version of ProcDump. Minutes later, the attackers also attempted to dump credentials from the Windows registry,” they added. 
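As an added example (not code from the Symantec post or from Industrial Cyber), the following Python rule set turns three behaviours from the timeline above into hunting checks run over constructed process-creation events: a Windows system binary launched from %TEMP% (the side-loading setup), a renamed ProcDump whose PE version info still says ProcDump and whose command line references LSASS, and a scheduled task created on a remote host whose action runs oleview.exe. Field names are an assumption loosely modelled on Sysmon process-creation records; all paths, user names and host names are made up.

```python
import ntpath

# Windows binaries the post names as side-loading hosts; they belong in System32.
SIDELOAD_HOSTS = {"rundll32.exe", "displayswitch.exe", "oleview.exe"}
# User-writable locations a System32 binary has no business running from.
USER_WRITABLE = ("\\appdata\\local\\temp\\", "\\users\\public\\")


def _base(path: str) -> str:
    return ntpath.basename(path).lower()


def check_event(ev: dict) -> list[str]:
    """Return the names of every hunting rule the event matches (empty if none)."""
    hits = []
    image, cmd = ev["image"].lower(), ev["cmdline"].lower()
    orig = ev.get("original_file_name", "").lower()
    # 1. A System32 binary launched from a user-writable path: the setup step for
    #    the DLL side-loading the post describes (displayswitch.exe run from %TEMP%).
    if _base(image) in SIDELOAD_HOSTS and any(d in image for d in USER_WRITABLE):
        hits.append("lolbin_from_temp")
    # 2. PE version info still says ProcDump although the file on disk was renamed
    #    (alg.exe in the post), and the command line references LSASS.
    if orig == "procdump.exe" and _base(image) != orig and "lsass" in cmd:
        hits.append("renamed_procdump_lsass")
    # 3. schtasks creating a task on a remote host (/s) whose action runs oleview.exe.
    if _base(image) == "schtasks.exe" and "/create" in cmd and "/s " in cmd and "oleview.exe" in cmd:
        hits.append("remote_task_oleview")
    return hits


def hunt(events: list[dict]) -> dict[str, list[str]]:
    """Map each rule name to the image paths that triggered it, in event order."""
    findings: dict[str, list[str]] = {}
    for ev in events:
        for rule in check_event(ev):
            findings.setdefault(rule, []).append(ev["image"])
    return findings


# Constructed sample events (made-up paths, users and host names), mixing the
# post's indicators with benign look-alikes that must not fire.
SAMPLE_EVENTS = [
    {"image": r"C:\Windows\System32\rundll32.exe", "cmdline": "rundll32.exe shell32.dll,Control_RunDLL", "original_file_name": "RUNDLL32.EXE"},
    {"image": r"C:\Users\op\AppData\Local\Temp\displayswitch.exe", "cmdline": "displayswitch.exe", "original_file_name": "DisplaySwitch.exe"},
    {"image": r"C:\Users\op\AppData\Local\Temp\alg.exe", "cmdline": "alg.exe lsass.exe", "original_file_name": "procdump.exe"},
    {"image": r"C:\Windows\System32\schtasks.exe", "cmdline": r"schtasks.exe /create /s REMOTE-HOST /tn TendView /tr C:\Windows\Temp\oleview.exe /st 07:30", "original_file_name": "schtasks.exe"},
    {"image": r"C:\Windows\System32\schtasks.exe", "cmdline": r"schtasks.exe /create /tn NightlyBackup /tr C:\Tools\backup.exe /st 02:00", "original_file_name": "schtasks.exe"},
]
```

Calling `hunt(SAMPLE_EVENTS)` returns one finding per rule for the three constructed indicator events and nothing for the two benign ones; the `original_file_name` check is what survives the renaming of ProcDump that the post reports.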

While attacks against CNI targets are not unprecedented, they remain a source of concern. Almost a decade ago, Symantec uncovered the Russian-sponsored Dragonfly group’s attacks against the energy sectors in the U.S. and Europe. More recently, the Russian Sandworm group mounted attacks against the electricity distribution network in Ukraine, which were directed at disrupting electricity supplies. 

In May, the U.S., U.K., Australian, Canadian, and New Zealand governments issued a joint alert about cyber hackers targeting CNI organizations in the U.S. using techniques that could potentially be replicated against targets in other countries. The alert followed Microsoft’s report on Volt Typhoon, an espionage actor that compromised several critical infrastructure organizations in the U.S.
