The loose nexus of Chinese-origin cyberspies collectively called APT41 is known for carrying out some of the most brazen hacking schemes linked to China over the past decade. Its methods range from a spree of software supply chain attacks that planted malware in popular applications to a sideline in profit-focused cybercrime that went so far as to steal pandemic relief funds from the US government. Now, an apparent offshoot of the group appears to have turned its focus to another worrying category of target: power grids.
Today, researchers on the Threat Hunter Team at Broadcom-owned security firm Symantec revealed that a Chinese hacker group with connections to APT41, a group Symantec is calling RedFly, breached the computer network of a national power grid in an Asian country—though Symantec has declined to name which country was targeted. The breach began in February of this year and persisted for at least six months as the hackers expanded their foothold throughout the IT network of the country’s national electric utility, though it’s not clear how close the hackers came to gaining the ability to disrupt power generation or transmission.
The unnamed country whose grid was targeted in the breach was one that China would “have an interest in from a strategic perspective,” hints Dick O’Brien, a principal intelligence analyst on Symantec’s research team. O’Brien notes that Symantec doesn’t have direct evidence that the hackers were focused on sabotaging the country’s grid, and says it’s possible they were merely carrying out espionage. But other researchers at security firm Mandiant point to clues that these hackers may be the same ones that had been previously discovered targeting electrical utilities in India. And given recent warnings about China’s hackers breaching power grid networks in US states and in Guam—and specifically laying the groundwork to cause blackouts there—O’Brien warns there’s reason to believe China may be doing the same in this case.
“There are all sorts of reasons for attacking critical national infrastructure targets,” says O’Brien. “But you always have to wonder if one [reason] is to be able to retain a disruptive capability. I’m not saying they would use it. But if there are tensions between the two countries, you can push the button.”
Symantec’s discovery comes on the heels of warnings from Microsoft and US agencies including the Cybersecurity and Infrastructure Security Agency (CISA) and the National Security Agency (NSA) that a different Chinese state-sponsored hacking group known as Volt Typhoon had penetrated US electric utilities, including in the US territory of Guam—perhaps laying the groundwork for cyberattacks in the event of a conflict, such as a military confrontation over Taiwan. The New York Times later reported that government officials were particularly concerned that the malware had been placed in those networks to create the ability to cut power to US military bases.
In fact, fears of a renewed Chinese interest in hacking power grids stretch back to two years ago, when cybersecurity firm Recorded Future warned in February 2021 that Chinese state-sponsored hackers had placed malware in power grid networks in neighboring India—as well as railways and seaport networks—in the midst of a border dispute between the two countries. Recorded Future wrote at the time that the breach appeared to be aimed at gaining the ability to cause blackouts in India, though the firm said it wasn’t clear whether the tactic was designed to send a message to India or to gain a practical capability in advance of military conflict, or both.
Some evidence suggests the 2021 India-focused hacking campaign and the new power grid breach identified by Symantec were both carried out by the same team of hackers with links to the broad umbrella group of Chinese state-sponsored spies known as APT41, which is sometimes called Wicked Panda or Barium. Symantec notes that the hackers whose grid-hacking intrusion it tracked used a piece of malware known as ShadowPad, which was deployed by an APT41 subgroup in 2017 to infect machines in a supply chain attack that corrupted code distributed by networking software firm NetSarang and in several incidents since then. In 2020, five alleged members of APT41 were indicted and identified as working for a contractor for China’s Ministry of State Security known as Chengdu 404. But even just last year, the US Secret Service warned that hackers within APT41 had stolen millions in US Covid-19 relief funds, a rare instance of state-sponsored cybercrime targeting another government.
Although Symantec didn’t link the grid-hacking group it’s calling RedFly to any specific subgroup of APT41, researchers at cybersecurity firm Mandiant point out that both the RedFly breach and the years-earlier Indian grid-hacking campaign used the same domain as a command-and-control server for their malware: Websencl.com. That suggests the RedFly group may in fact be tied to both cases of grid hacking, says John Hultquist, who leads threat intelligence at Mandiant. (Given that Symantec wouldn’t name the Asian country whose grid RedFly targeted, Hultquist adds that it may in fact be India again.)
More broadly, Hultquist sees the RedFly breach as a troubling sign that China is shifting its focus toward more aggressive targeting of critical infrastructure like power grids. For years, China largely focused its state-sponsored hacking on espionage, even as other nations like Russia and Iran attempted to breach electrical utilities in apparent attempts to plant malware capable of triggering tactical blackouts. The Russian military intelligence group Sandworm, for example, has attempted to cause three blackouts in Ukraine—two of which succeeded. Another Russian group, known as Berserk Bear and tied to Russia’s FSB intelligence agency, has repeatedly breached the US power grid to gain a similar capability, but without ever attempting to cause a disruption.
Given this most recent Chinese grid breach, Hultquist argues it’s now beginning to appear that some Chinese hacker teams may have a mission similar to that of the Berserk Bear group: to maintain access, plant the malware necessary for sabotage, and wait for the order to deliver the payload of that cyberattack at a strategic moment. And that mission means the hackers Symantec caught inside the unnamed Asian country’s grid will almost certainly return, he says.
“They have to maintain access, which means they’re probably going to go right back in there. They get caught, they retool, and they show up again,” says Hultquist. “The major factor here is their ability to just stay on target—until it’s time to pull the trigger.”