China's Winnti APT Compromises National Grid in Asia for 6 Months

Attacks against critical infrastructure are becoming more commonplace and, if a recent PRC-sponsored attack is anything to go by, easier to pull off.


A Chinese threat actor managed to breach the national power grid in an unnamed Asian country earlier this year, compromising multiple computers and using a popular remote access Trojan (RAT) to steal sensitive data.

The perpetrator — an entity within Winnti Group, also known as APT41, Bronze Atlas — has a history of taking on some of the most high-level cyber espionage conducted by the People's Republic of China (PRC), including campaigns against hostile governments and industries abroad. Its wide-ranging and successful campaigns have earned it attention from international law enforcement to a degree matched only by the world's most prolific nation-state and cybercriminal groups.

In this latest campaign, a subsect within Winnti known as "Redfly" or "Red Echo" managed to occupy the network of an Asian national electricity provider for half a year, deploying a Trojan called "ShadowPad" to harvest credentials and obtain privileged information.

According to Dick O'Brien, principal intelligence analyst for the Symantec threat hunter team, this latest case of critical infrastructure attack signals a worrying trend for the sector on the whole. "I think it can be very easy to hear the warnings but not to do anything until something really bad happens," he warns. "The worst case scenario is quite rare, but it does happen from time to time."

Winnti Attack Against a Grid

Researchers from Symantec traced the campaign back to Feb. 28, when ShadowPad was deployed on a single computer in the target network.

ShadowPad, first discovered eight years ago, is a modular backdoor in shellcode format. Like its successor — the long-running PlugX family of Trojans — it was at one point briefly shared with select buyers in the cyber underground, but is generally seen in correlation with Chinese state-sponsored attacks.

In this campaign, the attackers used a distinct variant of ShadowPad that copies itself to disk, disguised as VMware files and directories.

Redfly deployed ShadowPad a second time in the target network on May 17, indicating that it had maintained persistence over the intervening three months.

In the following days and weeks, Redfly began to flex its muscle. On May 19, for instance, it performed DLL sideloading to drop a payload, then used PowerShell to get information about storage devices attached to the system. On May 26, it dumped credentials from the %TEMP% registry and cleared Windows security event logs. By May 31, it had used its stolen credentials to spread its malware to further machines in the network.

On July 27, Redfly dropped a keylogger, stored under various file names on various computers. And on its final day of malicious activity, Aug. 3, Redfly attempted to dump credentials from the Windows registry.
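Two of the steps in this timeline, exporting credential material from the Windows registry and then clearing the Security event log, leave telemetry that a defender can correlate. The following is an added example, not code from the article or from Symantec, showing how a detection script might flag each behaviour and raise the severity when both occur on the same host within a short window. The event records are constructed for illustration; the event IDs are the real Windows Security IDs 1102 (audit log cleared) and 4688 (process creation), and the command-line field of 4688 is only populated when the "Include command line in process creation events" audit setting is enabled.

```python
import re
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass
class Event:
    """Minimal view of a Windows Security event (constructed, not real telemetry)."""
    ts: datetime
    host: str
    event_id: int
    detail: str  # process command line for 4688; empty for 1102


# Constructed sample events; hostnames, times and paths are invented for the example.
SAMPLE_EVENTS = [
    Event(datetime(2023, 5, 26, 9, 2), "ws-42", 4688,
          r'"C:\Windows\System32\reg.exe" save HKLM\SAM C:\Users\Public\s.tmp'),
    Event(datetime(2023, 5, 26, 9, 3), "ws-42", 4688,
          r'"C:\Windows\System32\reg.exe" save HKLM\SYSTEM C:\Users\Public\y.tmp'),
    Event(datetime(2023, 5, 26, 9, 10), "ws-42", 1102, ""),
    # Benign registry query on another host: must not be flagged.
    Event(datetime(2023, 5, 26, 11, 0), "ws-07", 4688,
          r'"C:\Windows\System32\reg.exe" query HKLM\SOFTWARE\Microsoft\Windows'),
    # Log clear on its own, a day later: suspicious but not correlated.
    Event(datetime(2023, 5, 27, 8, 0), "ws-07", 1102, ""),
]

# reg.exe exporting one of the hives that hold local credential material.
HIVE_EXPORT = re.compile(
    r'\breg(?:\.exe)?"?\s+save\s+(?:hklm|hkey_local_machine)\\(sam|security|system)\b',
    re.IGNORECASE,
)

LOG_CLEARED = "security audit log cleared"
HIVE_EXPORTED = "registry credential hive exported"


def is_hive_export(cmdline: str) -> bool:
    """True if a 4688 command line shows reg.exe saving SAM, SECURITY or SYSTEM."""
    return bool(HIVE_EXPORT.search(cmdline))


def flag_events(events):
    """Return (event, reason) pairs for individually suspicious events."""
    findings = []
    for ev in events:
        if ev.event_id == 1102:
            findings.append((ev, LOG_CLEARED))
        elif ev.event_id == 4688 and is_hive_export(ev.detail):
            findings.append((ev, HIVE_EXPORTED))
    return findings


def correlate(events, window=timedelta(hours=1)):
    """Per host, rate a hive export followed by a log clear within `window` as high."""
    by_host = {}
    for ev, reason in flag_events(events):
        by_host.setdefault(ev.host, []).append((ev, reason))

    alerts = {}
    for host, items in by_host.items():
        exports = [ev for ev, r in items if r == HIVE_EXPORTED]
        clears = [ev for ev, r in items if r == LOG_CLEARED]
        chained = any(timedelta(0) <= (c.ts - e.ts) <= window
                      for e in exports for c in clears)
        alerts[host] = {
            "severity": "high" if chained else "medium",
            "reasons": sorted({r for _, r in items}),
        }
    return alerts


if __name__ == "__main__":
    for host, alert in correlate(SAMPLE_EVENTS).items():
        print(host, alert["severity"], ", ".join(alert["reasons"]))
```

In practice the events would be streamed from a SIEM rather than a hard-coded list, and the one-hour window is an assumption to tune; the point is that a log clear shortly after a hive export on the same machine is far more telling than either event alone.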

More Attackers Targeting Critical Infrastructure

An attack against a national grid just doesn't pack the same punch today as it would've years ago.

While Winnti was running through this Asian grid provider in May, Microsoft revealed that a different Chinese APT, Volt Typhoon, had compromised US critical infrastructure organizations, an attack which somehow later turned out to be even worse than initially thought. That campaign inspired a joint statement from multiple worldwide law enforcement agencies.

Indeed, while Russia's destructive attacks earn the biggest headlines, China's espionage campaigns are arguably just as common in the critical infrastructure space.

Researchers from Symantec track multiple subgroups within Winnti including Blackfly, Greyfly, and, in this case, Redfly (aka Red Echo). Redfly, they say, is a subsect solely focused on national critical infrastructure attacks. And this latest campaign likely isn't their first foray into national electric grid hacks, having pulled off a similar feat in India two years ago, according to the cybersecurity firm Recorded Future.

Exactly why Chinese APTs have taken such an interest in critical industries remains unclear. O'Brien speculates it may have to do with political tensions, energy market trends, or intellectual property theft, but there's no saying for certain. "We don't know the minds of the attackers, so we can only give an educated guess," he warns.

Luckily, he adds, the US and certain other Western countries are well aware of the threat. "The United States is pretty clued in, at this stage, to the threat that cyber could pose to critical infrastructure, and what needs to be done in terms of supporting the organizations who are behind that critical infrastructure. For other countries, it varies."

In fact, he adds, other countries can "maybe learn from their approach — of how CISA has taken up the challenge here."

About the Author(s)

Nate Nelson, Contributing Writer

Nate Nelson is a freelance writer based in New York City. Formerly a reporter at Threatpost, he contributes to a number of cybersecurity blogs and podcasts. He writes "Malicious Life" -- an award-winning Top 20 tech podcast on Apple and Spotify -- and hosts every other episode, featuring interviews with leading voices in security. He also co-hosts "The Industrial Security Podcast," the most popular show in its field.
