Redfly Group Compromises National Power Grid
Security researchers have revealed a new cyber-espionage campaign in which a threat group compromised multiple computers used to run a national power grid in an unnamed Asian country.
The threat group identified by Symantec as “Redfly” is not attributed to any nation, but two related groups – Blackfly and Greyfly – have been linked closely with China in previous reports.
Redfly used a bespoke version of popular modular remote access Trojan (RAT) ShadowPad, another favorite of Chinese APT groups. The RAT copied itself to disk in several locations, masquerading as VMware files and directories to stay hidden, Symantec said.
Another tool, Packloader, was used to load and execute shellcode, and a keylogger was installed under various names including winlogon.exe (mimicking the legitimate Windows logon process, which normally runs only from the System32 directory) and hphelper.exe.
The first ShadowPad intrusion was discovered on February 28, with the RAT executed again on May 17.
“On May 31, a scheduled task is used to execute oleview.exe, most likely to perform side-loading and lateral movement. Use of Oleview by ShadowPad has been previously documented by Dell Secureworks and was also reported to have been used in attacks against industrial control systems,” Symantec continued.
“The command specified that Oleview was to be executed on a remote machine using the task name (TendView) at 07:30 a.m. It appears the attackers likely used stolen credentials in order to spread their malware onto other machines within the network.”
Although the threat group doesn’t appear to have engaged in active destruction or disruption of the target’s operations, its ability to compromise such a key piece of critical national infrastructure (CNI) will alarm some.
The case illustrates the growing threat to CNI from state actors. The Five Eyes nations issued a joint alert back in May about Beijing-backed threat actors dubbed “Volt Typhoon” targeting CNI networks in the US.
“Threat actors maintaining a long-term, persistent presence on a national grid presents a clear risk of attacks designed to disrupt power supplies and other vital services in other states during times of increased political tension,” Symantec concluded.
“While Symantec has not seen any disruptive activity by Redfly, the fact that such attacks have occurred in other regions means they are not outside the bounds of possibility.”