Symantec’s Threat Hunter Team recently uncovered a cyber attack on the national energy infrastructure of an undisclosed Asian country. The attack, carried out using the Shadowpad Trojan, allowed the attackers to steal accounts, introduce additional malware, and maintain access to the infected network for a staggering six months.
The initial entry point is not clearly specified, though Symantec has revealed that the intrusion began with a single infected computer. ShadowPad, a Windows Trojan, was planted under file and directory names chosen to look like parts of VMware software in order to conceal its presence. The attackers then loaded additional tools, including a keylogger, to further exploit the compromised network.
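Masquerading as a legitimate product's files, as the report says ShadowPad did with VMware names, is something a defender can hunt for in an endpoint file inventory. The script below is an added example written for this article, not Symantec's tooling or code from the report: it flags VMware-named files that sit outside the install directories where VMware components are expected, or that are not signed by the expected publisher. The expected install roots, the publisher string, and the inventory records are all constructed assumptions for the example.

```python
"""Hunt an endpoint file inventory for binaries masquerading as VMware components."""

# Where legitimate VMware components live on a Windows host (assumption for this example).
EXPECTED_ROOTS = (
    r"c:\program files\vmware",
    r"c:\program files (x86)\vmware",
    r"c:\program files\common files\vmware",
)
EXPECTED_PUBLISHER = "vmware, inc."  # Authenticode subject we expect (assumption)


def _norm(path):
    # Case-fold and unify separators so prefix checks work however the path was recorded.
    return path.lower().replace("/", "\\")


def claims_vmware(path):
    """True if the path presents itself as a VMware file or directory."""
    return "vmware" in _norm(path)


def in_expected_root(path):
    """True if the file sits under one of the known VMware install directories."""
    p = _norm(path)
    return any(p.startswith(root + "\\") for root in EXPECTED_ROOTS)


def hunt(records):
    """records: iterable of (path, publisher) tuples; publisher is None when unsigned.

    Returns a list of (path, reason) findings for VMware-named files that do not
    look like a genuine VMware install. A file can produce more than one finding.
    """
    findings = []
    for path, publisher in records:
        if not claims_vmware(path):
            continue  # only files that borrow the VMware name are of interest here
        if not in_expected_root(path):
            findings.append((path, "vmware-named file outside expected install directory"))
        if (publisher or "").lower() != EXPECTED_PUBLISHER:
            findings.append((path, "vmware-named file not signed by expected publisher"))
    return findings


# Constructed inventory for the example; not data from the Symantec report.
SAMPLE_INVENTORY = [
    (r"C:\Program Files\VMware\VMware Tools\vmtoolsd.exe", "VMware, Inc."),   # genuine
    (r"C:\Users\Public\VMware\vmware-updater.exe", None),                     # wrong place, unsigned
    (r"C:\ProgramData\VMware Tools\vmtray.exe", "VMware, Inc."),              # signed but wrong place
    (r"C:\Windows\System32\svchost.exe", "Microsoft Windows"),                # not VMware-named, ignored
]

if __name__ == "__main__":
    for path, reason in hunt(SAMPLE_INVENTORY):
        print(f"{reason}: {path}")
```

Run against a real inventory (for example, output from an EDR file-listing query) the findings are review candidates rather than verdicts: a signed VMware binary in an unusual directory may be a non-standard install, while an unsigned file under a VMware-looking path outside the expected roots is the pattern the report describes.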
Interestingly, Symantec has linked this attack to a previous one conducted by Chinese hackers in the India-China border region. Both attacks used the same command-and-control server and shared infrastructure. Although conclusive evidence is still being gathered, Symantec Threat Hunter Team analyst Dick O'Brien confirmed the similarities between the two incidents.
The Redfly group, to which the attack is attributed, is reportedly focused on state-scale operations, showing little interest in commercial targets and prioritizing objects of high intelligence value.
While the Redfly attack caused no immediate disruption, Symantec highlights that unauthorized access to critical national infrastructure is an ongoing issue. In fact, a research group has expressed concern about the increasing frequency of such attacks over the past year.