There are indications that the culprits are affiliated with a notorious Chinese hacking group that may have also hacked Indian power companies a few years ago.
The loose Chinese cyberespionage group, known collectively as APT41, is known for carrying out some of the most blatant China-related hacking schemes of the past decade. The methods vary from mass software supply chain attacks that plant malware in popular applications to profit-focused cybercrime side projects and even theft of U.S. government pandemic relief funds. Now, an apparent offshoot of the group appears to have shifted its focus to another worrisome target category: the electrical grid.
Today, researchers from the Threat Hunter team at Broadcom-owned security company Symantec revealed that a Chinese hacking group linked to APT41, which Symantec calls RedFly, broke into the computer network of an Asian country’s national grid, although Symantec declined to identify which country was targeted. The breach began in February and lasted for at least six months, with the hackers expanding their foothold across the national power utility’s IT network, though it’s unclear how close they came to gaining the ability to disrupt power generation or transmission.
Dick O’Brien, chief intelligence analyst for Symantec Research, suggested that China is “strategically interested in this unnamed power grid target country.” O’Brien noted that Symantec had no direct evidence that the hackers were focused on disrupting the nation’s power grid and said they may have been simply conducting espionage. But other researchers at security firm Mandiant have pointed to clues that suggest the hackers may be the same ones previously discovered targeting Indian power companies. In light of recent warnings about Chinese hackers disrupting power grids in U.S. states and Guam, specifically laying the groundwork to cause blackouts there, O’Brien warned there’s reason to believe China might do the same thing in this scenario.
“There are a variety of reasons for attacking critical national infrastructure targets,” O’Brien said. “But you always wonder if one [reason] is to be able to retain the ability to be disruptive. I’m not saying they will use it. But if there is tension between the two countries, you can push the button.”
Symantec’s discovery follows warnings from Microsoft and U.S. agencies including the Cybersecurity and Infrastructure Security Agency (CISA) and the National Security Agency (NSA) that another Chinese state-backed hacking group, called Volt Typhoon, had penetrated U.S. power companies, including in the U.S. territory of Guam, perhaps laying the groundwork for cyberattacks in the event of a conflict, such as a military confrontation over Taiwan. The New York Times later reported that government officials were particularly concerned about malware being placed in these networks to create the ability to cut power to U.S. military bases.
In fact, concerns about China’s renewed interest in hacking power grids date back two years, to February 2021, when cybersecurity firm Recorded Future warned that Chinese state-backed hackers had implanted malware in power grid networks in neighboring India, as well as in railway and seaport networks, amid a border dispute between the two countries. Recorded Future wrote at the time that the breach appeared to be aimed at gaining the ability to cause blackouts in India, though the company said it was unclear whether the intent was to send a message to India, to gain the actual ability to cause blackouts in the event of a military conflict, or both.
Some evidence suggests that the 2021 hacking campaign targeting India and the new grid intrusion discovered by Symantec were carried out by the same hacking team, which has ties to the Chinese state-sponsored espionage group APT41 (sometimes called Wicked Panda or Barium). Symantec noted that the hackers it tracked in the grid hack used a piece of malware called ShadowPad, which an APT41 subgroup deployed in 2017 in a supply chain attack that compromised code distributed by network software company NetSarang, and which has appeared in multiple incidents since. In 2020, five alleged APT41 members were indicted and identified as working for a Chinese Ministry of State Security contractor called “Chengdu 404.” And just last year, the U.S. Secret Service warned that hackers within APT41 had stolen millions of dollars in U.S. Covid-19 relief funds, a rare example of state-sponsored cybercrime targeting another government.
Although Symantec has not linked the power grid hacking group it calls RedFly to any specific subgroup of APT41, researchers at cybersecurity firm Mandiant noted that RedFly used the same domain as the command-and-control server for its malware, Websencl.com, that had been used in the Indian power grid hacking campaign several years earlier. John Hultquist, head of threat intelligence at Mandiant, said this suggests that the RedFly group may in fact be behind both power grid hacking incidents. (Given that Symantec did not name the Asian country targeted by RedFly’s power grid attack, Hultquist added that it may actually have been India again.)
More broadly, Hultquist sees the RedFly breach as a troubling sign that China is shifting its focus toward more aggressively targeting critical infrastructure such as power grids. For years, China has focused its state-sponsored hacking efforts primarily on espionage, while other countries such as Russia and Iran have gone further, targeting power utilities in apparent attempts to plant malware capable of triggering tactical blackouts. For example, the Russian military intelligence unit Sandworm attempted to cause blackouts in Ukraine three times, two of which were successful. Another Russian group with ties to Russia’s FSB intelligence agency, Berserk Bear, has repeatedly hacked into the U.S. power grid to gain similar capabilities but has never attempted to cause damage.
In light of the recent Chinese power grid breaches, Hultquist believes there are now emerging groups of Chinese hackers who may have a mission similar to that of the Berserk Bear group: maintain access, plant the malware needed to cause damage, and wait for orders to deliver the payload at a strategic moment. He said that mission means the hackers Symantec caught inside the unnamed Asian country’s power grid are almost certain to come back.
“They have to maintain access, which means they could go right back out there. They get caught, re-equip, and show up again,” Hultquist said. “The main factor here is their ability to keep the target intact – until it’s time to pull the trigger.”