Chinese Redfly Group Compromised a Nation's Critical Grid in 6-Month ShadowPad Campaign
2023-09-12 10:18

A threat actor called Redfly has been linked to a compromise of a national grid located in an unnamed Asian country for as long as six months earlier this year using a known malware referred to as ShadowPad. "The attackers managed to steal credentials and compromise multiple computers on the organization's network," the Symantec Threat Hunter Team, part of Broadcom, said in a report shared with The Hacker News.

The earliest sign of an attack targeting the Asian entity is said to have been recorded on February 23, 2023, when ShadowPad was executed on a single computer, followed by running the backdoor three months later on May 17.

"On May 29, the attackers returned and used a renamed version of ProcDump to dump credentials from LSASS," Symantec said.
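A defender's view of the step quoted above: the telltale sign of a renamed ProcDump is a process whose on-disk name no longer matches the OriginalFileName baked into its PE version resource, followed by a handle to lsass.exe with memory-read rights. The following Python is an added example written for this page, not Symantec's code or anything from the report; it runs over a small set of constructed Sysmon-style records (Event ID 1 process-create and Event ID 10 process-access fields) and assumes ProcDump's OriginalFileName begins with "procdump" and that PROCESS_VM_READ (0x0010) in GrantedAccess is the bit worth correlating.

```python
"""Correlate renamed-ProcDump process creation with LSASS memory access.

Added example for this article; the events below are constructed samples,
not telemetry from the reported intrusion.
"""

PROCESS_VM_READ = 0x0010  # access right needed to read another process's memory

# Constructed Sysmon-like events. Field names follow Sysmon Event ID 1
# (ProcessCreate) and Event ID 10 (ProcessAccess) conventions.
SAMPLE_EVENTS = [
    {"event_id": 1, "image": r"C:\Windows\Temp\svchost_update.exe",
     "original_file_name": "procdump",
     "command_line": "svchost_update.exe -accepteula -ma lsass.exe out.dmp"},
    {"event_id": 10, "source_image": r"C:\Windows\Temp\svchost_update.exe",
     "target_image": r"C:\Windows\System32\lsass.exe", "granted_access": "0x1FFFFF"},
    {"event_id": 1, "image": r"C:\Tools\procdump.exe",      # legitimate, unrenamed use
     "original_file_name": "procdump",
     "command_line": "procdump.exe -ma notepad.exe"},
    {"event_id": 10, "source_image": r"C:\Windows\System32\svchost.exe",
     "target_image": r"C:\Windows\System32\lsass.exe",
     "granted_access": "0x1000"},                              # query-only, benign
]


def _basename(path: str) -> str:
    """Return the lower-cased file name portion of a Windows path."""
    return path.rsplit("\\", 1)[-1].lower()


def is_renamed_procdump(event: dict) -> bool:
    """ProcessCreate whose PE OriginalFileName says ProcDump but the file name does not.

    Assumption: ProcDump's OriginalFileName starts with 'procdump'.
    """
    if event.get("event_id") != 1:
        return False
    original = event.get("original_file_name", "").lower()
    return original.startswith("procdump") and not _basename(event["image"]).startswith("procdump")


def reads_lsass_memory(event: dict) -> bool:
    """ProcessAccess against lsass.exe with the PROCESS_VM_READ bit set."""
    if event.get("event_id") != 10:
        return False
    if _basename(event.get("target_image", "")) != "lsass.exe":
        return False
    return bool(int(event["granted_access"], 16) & PROCESS_VM_READ)


def analyze(events: list) -> list:
    """Return (alert_name, image_path) tuples; LSASS reads from a renamed ProcDump are 'high'."""
    alerts = []
    renamed_images = {e["image"].lower() for e in events if is_renamed_procdump(e)}
    for e in events:
        if is_renamed_procdump(e):
            alerts.append(("renamed-procdump", e["image"]))
    for e in events:
        if reads_lsass_memory(e):
            severity = "high" if e["source_image"].lower() in renamed_images else "medium"
            alerts.append((f"lsass-memory-access:{severity}", e["source_image"]))
    return alerts


if __name__ == "__main__":
    for name, image in analyze(SAMPLE_EVENTS):
        print(f"{name}\t{image}")
```

The two-stage correlation matters: a renamed binary on its own is only suspicious, and an LSASS read from a security product is routine, but the pair from the same image is the pattern the quoted step describes. In production, the OriginalFileName check should also be applied to other dumping tools and the GrantedAccess mask tuned against an allow-list of known EDR and backup processes.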

Symantec said the campaign shares infrastructure and tooling overlaps with previously identified activity attributed to the Chinese state-sponsored group referred to as APT41, with Redfly focusing almost exclusively on critical infrastructure entities.

"Threat actors maintaining a long-term, persistent presence on a national grid presents a clear risk of attacks designed to disrupt power supplies and other vital services in other states during times of increased political tension," the company said.

"Raspberry Typhoon consistently targets government ministries, military entities, and corporate entities connected to critical infrastructure, particularly telecoms," the tech giant said.


News URL

https://thehackernews.com/2023/09/chinese-redfly-group-compromised.html