China's Winnti APT Compromises National Grid in Asia for 6 Months

Published: 23/11/2024   Category: security




Attacks against critical infrastructure are becoming more commonplace and, if a recent PRC-sponsored attack is anything to go by, easier to pull off.



A Chinese threat actor managed to breach the national power grid in an unnamed Asian country earlier this year, compromising multiple computers and using a popular remote access Trojan (RAT) to steal sensitive data.

The perpetrator — an entity within Winnti Group, also known as APT41 and Bronze Atlas — has a history of taking on some of the most high-level cyber espionage conducted by the People's Republic of China (PRC), including campaigns against hostile governments and industries abroad. Its wide-ranging and successful campaigns have earned it attention from international law enforcement to a degree matched only by the world's most prolific nation-state and cybercriminal groups.
In this latest campaign, a subsect within Winnti known as Redfly or Red Echo managed to occupy the network of an Asian national electricity provider for half a year, deploying a Trojan called ShadowPad to harvest credentials and obtain privileged information.
According to Dick O'Brien, principal intelligence analyst for the Symantec threat hunter team, this latest case of a critical infrastructure attack signals a worrying trend for the sector as a whole. "I think it can be very easy to hear the warnings but not to do anything until something really bad happens," he warns. "The worst case scenario is quite rare, but it does happen from time to time."
Researchers from Symantec traced the campaign back to Feb. 28, when ShadowPad was deployed on a single computer in the target network.

ShadowPad, first discovered eight years ago, is a modular backdoor in shellcode format. Like its successor — the long-running PlugX family of Trojans — it was at one point briefly shared with select buyers in the cyber underground, but is generally seen in correlation with Chinese state-sponsored attacks.
In this campaign, the attackers used a distinct variant of ShadowPad that copies itself to disk, disguised as VMware files and directories.

Redfly deployed ShadowPad a second time in the target network on May 17, indicating that it had maintained persistence during the three-month interim.
In the following days and weeks, Redfly began to flex its muscle. On May 19, for instance, it performed DLL sideloading to drop a payload, then used PowerShell to get information about storage devices attached to the system. On May 26, it dumped credentials from the %TEMP% registry and cleared Windows security event logs. By May 31, it'd used its stolen credentials to spread its malware to further machines in the network.

On July 27, Redfly dropped a keylogger, stored under various file names on various computers. And on its final day of malicious activity, Aug. 3, Redfly attempted to dump credentials from the Windows registry.
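Two of the behaviours in this timeline, clearing the Windows Security event log and dumping credentials from the registry, leave traces a defender can hunt for. The following is an added example, not code from the article or from Symantec's report: a small triage filter over constructed Windows Security event records (the field names EventID, NewProcessName and CommandLine follow Security-log conventions; host names and command lines are made up for illustration).

```python
"""Triage filter for two ShadowPad-campaign behaviours described above:
security-log clearing and registry credential dumping. All sample
records below are constructed, not taken from the incident."""
import re

# Constructed sample events, shaped like flattened Security log records.
SAMPLE_EVENTS = [
    {"EventID": 4688, "Host": "hmi-01", "NewProcessName": r"C:\Windows\System32\reg.exe",
     "CommandLine": r"reg save HKLM\SAM C:\Users\Public\sam.dat"},
    {"EventID": 4688, "Host": "hmi-01", "NewProcessName": r"C:\Windows\System32\reg.exe",
     "CommandLine": r"reg query HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion"},
    {"EventID": 1102, "Host": "hmi-01", "SubjectUserName": "svc_backup"},
    {"EventID": 4688, "Host": "eng-02", "NewProcessName": r"C:\Windows\System32\wevtutil.exe",
     "CommandLine": "wevtutil cl Security"},
    {"EventID": 4624, "Host": "eng-02", "SubjectUserName": "operator"},
]

# Saving the credential-bearing hives is the classic registry credential dump (MITRE T1003.002).
HIVE_DUMP = re.compile(
    r"\breg(?:\.exe)?\s+save\s+(?:HKLM|HKEY_LOCAL_MACHINE)\\(?:SAM|SECURITY|SYSTEM)\b", re.I)
# Clearing the Security log via wevtutil; the log itself also records this as Event ID 1102.
LOG_CLEAR = re.compile(r"\bwevtutil(?:\.exe)?\s+(?:cl|clear-log)\s+Security\b", re.I)


def classify(event):
    """Return a finding label for one event, or None if nothing matched."""
    eid = event.get("EventID")
    if eid == 1102:  # Security log reports that it was cleared
        return "security_log_cleared"
    if eid == 4688:  # process creation: inspect the command line
        cmd = event.get("CommandLine", "")
        if HIVE_DUMP.search(cmd):
            return "registry_credential_dump"
        if LOG_CLEAR.search(cmd):
            return "security_log_cleared"
    return None


def triage(events):
    """Group findings per host; hosts showing more distinct behaviours rank first."""
    findings = {}
    for ev in events:
        label = classify(ev)
        if label:
            findings.setdefault(ev["Host"], set()).add(label)
    return sorted(findings.items(), key=lambda kv: (-len(kv[1]), kv[0]))


if __name__ == "__main__":
    for host, labels in triage(SAMPLE_EVENTS):
        print(host, sorted(labels))
```

A host that both cleared the Security log and saved a credential hive within the same window (hmi-01 above) is the one to look at first; a lone `reg query` is ignored.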
An attack against a national grid just doesn't pack the same punch today as it would've years ago.
While Winnti was running through this Asian grid provider in May, Microsoft revealed that a different Chinese APT, Volt Typhoon, had compromised US critical infrastructure organizations, an attack which later turned out to be even worse than initially thought. That campaign inspired a joint statement from multiple worldwide law enforcement agencies.
Indeed, while Russia's destructive attacks earn the biggest headlines, China's espionage campaigns are arguably just as common in the critical infrastructure space.
Researchers from Symantec track multiple subgroups within Winnti, including Blackfly, Greyfly, and, in this case, Redfly (aka Red Echo). Redfly, they say, is a subsect solely focused on national critical infrastructure attacks. And this latest campaign likely isn't their first foray into national electric grid hacks, having pulled off a similar feat in India two years ago, according to the cybersecurity firm Recorded Future.
Exactly why Chinese APTs have taken such an interest in critical industries remains unclear. O'Brien speculates it may have to do with political tensions, energy market trends, or intellectual property theft, but there's no saying for certain. "We don't know the minds of the attackers, so we can only give an educated guess," he warns.

Luckily, he adds, the US and certain other Western countries are well aware of the threat. "The United States is pretty clued in, at this stage, to the threat that cyber could pose to critical infrastructure, and what needs to be done in terms of supporting the organizations who are behind that critical infrastructure. For other countries, it varies."

In fact, he adds, other countries "can maybe learn from their approach — of how CISA has taken up the challenge here."
