Six Month Intrusion of an Asian Electrical Company
Category: Threat Actor Activity | Industry: Critical Infrastructure | Source: Symantec
In a six-month intrusion beginning on February 28th, 2023, threat actors tracked as Redfly were discovered to have compromised a national grid organization located in an Asian country. Symantec's Threat Hunter team reported and analyzed the attacker's activities, which ceased on August 3rd. During this intrusion, the attackers were observed compromising credentials, installing keyloggers, dropping loaders, and moving laterally to infect additional hosts on the network. Notably, Symantec's tracking of this threat actor revealed a clear focus on organizations associated with critical infrastructure.
While the first signs of intrusion were detected on February 28th, the attacker maintained a low profile until May 16th, when they began executing scripts and loaders and gathering credentials from the registry. Their attack progressed intermittently through the month of May, with notable activity on the 17th, 19th, 26th, 29th, and 31st: deploying several malicious payloads, gathering system information, stealing additional credentials from the registry, clearing security logs, and establishing persistence with a scheduled task on May 31st. Redfly's activity did not pick up again until July 27th, marked by the deployment of a keylogger. Their final activity took place on August 3rd, with credentials dumped from LSASS using a renamed ProcDump executable, followed once again by additional credential theft from the registry.
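As an added illustration (not from Symantec's report), the following Python rules run over constructed, simplified Sysmon and Windows Security events and flag the techniques described above: a renamed ProcDump binary (using the OriginalFileName that Sysmon records from PE version info), an LSASS memory dump, registry hive exports, Security log clearing (event 1102) and scheduled task creation (event 4698). The event field names and sample values are assumptions for this example.

```python
import re
from typing import Dict, Iterable, List

# Constructed, simplified event records (not telemetry from the intrusion).
# Field names follow Sysmon/Windows naming, but the record shape is an assumption.
SAMPLE_EVENTS = [
    {"source": "sysmon", "event_id": 1, "image": r"C:\Windows\Temp\svchost.exe",
     "original_file_name": "procdump",
     "command_line": "svchost.exe -accepteula -ma lsass.exe out.dmp"},
    {"source": "sysmon", "event_id": 1, "image": r"C:\Windows\System32\reg.exe",
     "original_file_name": "reg.exe",
     "command_line": r"reg save HKLM\SAM C:\Temp\sam.hiv"},
    {"source": "security", "event_id": 1102},   # Security log cleared
    {"source": "security", "event_id": 4698},   # scheduled task created
    {"source": "sysmon", "event_id": 1, "image": r"C:\Windows\System32\notepad.exe",
     "original_file_name": "NOTEPAD.EXE", "command_line": "notepad.exe"},  # benign
]

# reg.exe exporting the SAM/SECURITY/SYSTEM hives is the classic registry credential theft.
REG_HIVE_DUMP = re.compile(r"\breg(?:\.exe)?\s+save\s+hklm\\(sam|security|system)\b", re.I)
# ProcDump's full-memory dump switch aimed at lsass.
LSASS_DUMP = re.compile(r"-ma\s+lsass", re.I)

def basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()

def detect(events: Iterable[Dict]) -> List[str]:
    """Return one finding string per matched Redfly-style technique."""
    findings = []
    for ev in events:
        eid, src = ev["event_id"], ev["source"]
        cmd, img = ev.get("command_line", ""), ev.get("image", "")
        orig = ev.get("original_file_name", "").lower()
        # Renaming procdump.exe on disk does not change the PE version info Sysmon logs.
        if src == "sysmon" and eid == 1 and orig.startswith("procdump") \
                and not basename(img).startswith("procdump"):
            findings.append(f"renamed ProcDump: {img}")
        if src == "sysmon" and eid == 1 and LSASS_DUMP.search(cmd):
            findings.append(f"LSASS memory dump: {cmd}")
        if src == "sysmon" and eid == 1 and REG_HIVE_DUMP.search(cmd):
            findings.append(f"registry hive export: {cmd}")
        if src == "security" and eid == 1102:
            findings.append("Security event log cleared (1102)")
        if src == "security" and eid == 4698:
            findings.append("scheduled task created (4698)")
    return findings
```

In practice the two Sysmon rules should be tuned with an allowlist for administrators' legitimate ProcDump use, and the renamed-binary rule could be extended with the Sysmon file hash.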
Redfly's persistent targeting of critical infrastructure organizations represents a troubling trend among threat actors, as it underscores their intent to disrupt essential services within this sector. Symantec warns that threat actors "maintaining a long-term, persistent presence on a national grid presents a clear risk of attacks designed to disrupt power supplies and other vital services in nation-states during times of increased political tension."