China-Linked Hackers Breached a Power Grid—Again

Some evidence suggests the 2021 India-focused hacking campaign and the new power grid breach identified by Symantec were both carried out by the same team of hackers with links to the broad umbrella group of Chinese state-sponsored spies known as APT41, which is sometimes called Wicked Panda or Barium. Symantec notes that the hackers whose grid-hacking intrusion it tracked used a piece of malware known as ShadowPad, which was deployed by an APT41 subgroup in 2017 to infect machines in a supply chain attack that corrupted code distributed by networking software firm NetSarang, and in several incidents since then. In 2020, five alleged members of APT41 were indicted and identified as working for a contractor for China's Ministry of State Security known as Chengdu 404. But even just last year, the US Secret Service warned that hackers within APT41 had stolen millions in US Covid-19 relief funds, a rare case of state-sponsored cybercrime targeting another government.

Although Symantec didn't link the grid-hacking group it's calling RedFly to any specific subgroup of APT41, researchers at cybersecurity firm Mandiant point out that both the RedFly breach and the years-earlier Indian grid-hacking campaign used the same domain as a command-and-control server for their malware: That suggests the RedFly group may in fact be tied to both cases of grid hacking, says John Hultquist, who leads threat intelligence at Mandiant. (Given that Symantec wouldn't name the Asian country whose grid RedFly targeted, Hultquist adds that it may in fact be India again.)

More broadly, Hultquist sees the RedFly breach as a troubling sign that China is shifting its focus toward more aggressive targeting of critical infrastructure like power grids. For years, China largely focused its state-sponsored hacking on espionage, even as other nations like Russia and Iran have attempted to breach electrical utilities in apparent attempts to plant malware capable of triggering tactical blackouts. The Russian military intelligence group Sandworm, for example, has attempted to cause three blackouts in Ukraine—two of which succeeded. Another Russian group tied to its FSB intelligence agency, known as Berserk Bear, has repeatedly breached the US power grid to gain a similar capability, but without ever attempting to cause a disruption.

Given this most recent Chinese grid breach, Hultquist argues it's now beginning to appear that some Chinese hacker teams may have a similar mission to that of the Berserk Bear group: to maintain access, plant the malware necessary for sabotage, and wait for the order to deliver the payload of that cyberattack at a strategic moment. And that mission means the hackers Symantec caught inside the unnamed Asian country's grid will almost certainly return, he says.

“They have to maintain access, which means they're probably going to go right back in there. They get caught, they retool, and they show up again,” says Hultquist. “The big issue now is their ability to just stay on target—until it's time to pull the trigger.”

