Some evidence suggests the 2021 India-focused hacking campaign and the new power grid breach identified by Symantec were both carried out by the same team of hackers with links to the broad umbrella group of Chinese state-sponsored spies known as APT41, which is sometimes called Wicked Panda or Barium. Symantec notes that the hackers whose grid-hacking intrusion it tracked used a piece of malware known as ShadowPad, which was deployed by an APT41 subgroup in 2017 to infect machines in a supply chain attack that corrupted code distributed by networking software firm NetSarang and in several incidents since then. In 2020, five alleged members of APT41 were indicted and identified as working for a contractor for China’s Ministry of State Security known as Chengdu 404. But even just last year, the US Secret Service warned that hackers within APT41 had stolen millions in US Covid-19 relief funds, a rare instance of state-sponsored cybercrime targeting another government.
Although Symantec didn’t link the grid-hacking group it’s calling RedFly to any specific subgroup of APT41, researchers at cybersecurity firm Mandiant point out that both the RedFly breach and the years-earlier Indian grid-hacking campaign used the same domain as a command-and-control server for their malware: Websencl.com. That suggests the RedFly group may in fact be tied to both cases of grid hacking, says John Hultquist, who leads threat intelligence at Mandiant. (Given that Symantec wouldn’t name the Asian country whose grid RedFly targeted, Hultquist adds that it may in fact be India again.)
More broadly, Hultquist sees the RedFly breach as a troubling sign that China is shifting its focus toward more aggressive targeting of critical infrastructure like power grids. For years, China largely focused its state-sponsored hacking on espionage, even as other nations like Russia and Iran have attempted to breach electrical utilities in apparent attempts to plant malware capable of triggering tactical blackouts. The Russian military intelligence group Sandworm, for example, has attempted to cause three blackouts in Ukraine—two of which succeeded. Another Russian group, known as Berserk Bear and tied to Russia's FSB intelligence agency, has repeatedly breached the US power grid to gain a similar capability, but without ever attempting to cause a disruption.
Given this most recent Chinese grid breach, Hultquist argues it’s now beginning to appear that some Chinese hacker teams may have a mission similar to that of the Berserk Bear group: to maintain access, plant the malware necessary for sabotage, and wait for the order to deliver the payload of that cyberattack at a strategic moment. And that mission means the hackers Symantec caught inside the unnamed Asian country’s grid will almost certainly return, he says.
“They have to maintain access, which means they’re probably going to go right back in there. They get caught, they retool, and they show up again,” says Hultquist. “The major factor here is their ability to just stay on target—until it’s time to pull the trigger.”