Recorded Future, which reported the 2021 campaign against Indian electrical utilities discussed below, indicated at the time that the breach appeared aimed at acquiring the capability to trigger blackouts in India.
The firm noted that it was uncertain whether the campaign was meant primarily to send a message to India, to build a practical capability ahead of a potential military conflict, or both.
A group of Chinese cyberspies known collectively as APT41 has gained infamy over the last decade for some of the most audacious hacking campaigns tied to China.
Their tactics range from software supply chain attacks that planted malware in popular applications to profit-driven cybercrime, including the theft of pandemic relief funds from the US government. Now an offshoot of the group appears to have turned to a more alarming target: power grids.
Today, researchers from the Threat Hunter Team at Symantec, a cybersecurity firm under the Broadcom umbrella, unveiled a breach orchestrated by a Chinese hacker group connected to APT41, which Symantec has dubbed “RedFly.”
The hackers penetrated the network of a national power grid in an undisclosed Asian country. The intrusion began in February of this year and lasted at least six months, during which the hackers expanded their foothold across the information technology network of the nation’s principal electric utility.
It remains unclear how close the hackers came to being able to disrupt power generation or transmission.
Dick O’Brien, a principal intelligence analyst on Symantec’s research team, says the unnamed country whose grid was targeted in the breach was one that China would “have an interest in from a strategic perspective.”
O’Brien points out that Symantec lacks conclusive evidence that the hackers’ primary objective was to disrupt the nation’s power grid; espionage remains a possible motive.
However, researchers at the cybersecurity firm Mandiant have identified hints suggesting that these hackers could be the same group previously detected targeting electrical utilities in India.
Considering recent alerts regarding Chinese hackers breaching power grid networks in various US states and Guam, with a particular focus on potentially causing blackouts, O’Brien cautions that there is a legitimate basis to suspect that China might be pursuing a similar course of action in this instance.
According to O’Brien, there are many reasons to attack critical national infrastructure. “You always have to wonder if one of the reasons is to be able to retain a disruptive capability,” he says.
“I’m not saying they would use it. But if there are tensions between the two countries, you can push the button.”
Symantec’s discovery emerged in the wake of alerts issued by Microsoft and US government agencies, including the Cybersecurity and Infrastructure Security Agency (CISA) and the National Security Agency (NSA).
Those warnings concerned a separate Chinese state-sponsored hacking group called Volt Typhoon, which had infiltrated US electric utilities, including those in Guam, a US territory.
The intrusions raised concerns about potential cyberattacks in the event of a conflict, such as a military standoff over Taiwan.
In a subsequent report, The New York Times disclosed government officials’ concern that malware had been placed within those networks to enable the disruption of power to US military installations.
Evidence suggests that both the 2021 hacking campaign against India and the power grid breach identified by Symantec were carried out by the same group of hackers, affiliated with the broader umbrella of Chinese state-sponsored operators known as APT41. APT41 is also tracked under aliases including Wicked Panda and Barium.
Symantec notes that the hackers behind the grid intrusion it tracked used a specific malware family called ShadowPad.
ShadowPad was first used by an APT41 subgroup in 2017 in a supply chain attack that compromised code distributed by the networking software company NetSarang. It has been deployed in numerous incidents since.
In 2020, five alleged members of APT41 were indicted in the US and identified as working for Chengdu 404, a contractor for China’s Ministry of State Security.
As recently as last year, the US Secret Service warned that APT41 hackers had stolen millions in US Covid-19 relief funds, a rare instance of state-sponsored hackers committing financial crime against another government.
For years, China’s state-sponsored hacking has centered predominantly on espionage.
Other nations, notably Russia and Iran, have instead penetrated electrical utilities, apparently to implant malware capable of triggering strategic blackouts.
A prime example is the Russian military intelligence group Sandworm, which made efforts to induce three blackouts in Ukraine, achieving success in two of these instances.
A Russian group linked to the FSB intelligence agency, known as Berserk Bear, has also repeatedly breached the US power grid to acquire a similar capability, though it has never attempted to disrupt power supply despite possessing the means to do so.