China caught – again – with its malware in another nation's power grid

'Obtaining a disruptive capability could be one possible motivation behind this surge in attacks'

Espionage-ware thought to have been developed by China has once again been spotted within the power grid of a neighboring nation.

According to Symantec's Threat Hunter Team on Tuesday, a team dubbed Redfly infiltrated the national grid of an unnamed Asian nation using the ShadowPad Trojan, stole credentials, installed additional malware, and moved laterally to multiple systems on the infected network during six months of persistent access. 

If that sounds familiar, there's a good reason why: ShadowPad was the Windows malware used by what's believed to have been a Beijing-backed crew to infect the Indian power grid near the border with China last year. In that attack, the snoops are believed to have infiltrated the grid's computer systems via vulnerable internet-facing devices – think IP cameras, DVRs, and the like – to install ShadowPad.

Symantec didn't mention an ingress route in this latest attack – only that it began from a single compromised computer. 

In this intrusion, ShadowPad masqueraded as VMware program files and directories to hide itself. Once in place, it unloaded additional tools including a keylogger and something that decrypted payloads of encrypted code to run.

According to Symantec, a variant of ShadowPad was used in the attack, with a direct relationship to the hit on India last year: it used the same hardcoded remote command-and-control (C2) server. While not drawing conclusions, Symantec Threat Hunter Team principal intelligence analyst Dick O'Brien told us the same infrastructure was definitely used. 

"It's possible they're the same actor," O'Brien told The Register, but "[the use of ShadowPad] and the C2 overlap … is the extent of the link at the moment."

Redfly – if it's the same team that went after India earlier – appears to be focused on such state-level attacks, forgoing more lucrative commercial targets in favor of those with high intelligence value.

Whoever it is, the infrastructure attacks are just beginning

The Redfly intrusion didn't result in any disruption, Symantec said, but it's not the only unwanted probing of critical national infrastructure (CNI) that's happened recently.

Five Eyes security agencies warned in May of Chinese crews perpetuating living-off-the-land attacks to gain persistent access to critical infrastructure systems in the US – similar to what Redfly did in the grid of its unnamed Asian target. 

China isn't the only country known to attack infrastructure, either. Russia has been screwing with Ukraine all the way through the former's invasion of the latter, and long before that conflict kicked off. The US and Israel knackered crucial machinery at Iran's uranium-enrichment plant, if you can recall. Those are just two examples.

And things aren't getting any better. "The frequency at which CNI organizations are being attacked appears to have increased over the past year and is now a source of concern," Symantec warned. 

"Obtaining a disruptive capability could be one possible motivation behind this surge in CNI attacks," O'Brien told us, meaning whoever's using ShadowPad has added some functionality that could have real-world effects.

While Symantec noted the intrusion it spotted was restricted to the power grid, O'Brien noted that Microsoft's observations of similar attacks launched by the China-linked Volt Typhoon crew weren't as focused. 

"They listed communications, manufacturing, utility, transportation, construction, maritime, government, information technology, and education sectors," O'Brien said. In other words, it's high time for those in the critical infrastructure world, regardless of their particular sector, to start keeping an eye on threat intelligence reports and developing good patch habits. ®

More about


Send us news

Other stories you might like