In mid-October 2021, Kaspersky ICS CERT discovered a previously unknown Chinese-speaking threat actor attacking telecommunications, manufacturing, and transport organisations in several Asian countries.

During the initial attacks, the group exploited an MS Exchange vulnerability to deploy ShadowPad malware and infiltrated the building automation systems of one of the victims.

A building automation system (BAS) connects all the functions inside the building – from electricity and heating to fire and security – and is managed from one control centre. Once a BAS is compromised, all processes within that organisation are at risk, including those relating to information security.

The experts at Kaspersky ICS CERT witnessed attacks on organisations in Pakistan, Afghanistan, and Malaysia in the industrial and telecommunications sectors. The attacks had a unique set of tactics, techniques, and procedures (TTPs), which led the experts to believe that the same Chinese-speaking threat actor was behind all of these observed attacks.

Their attention was particularly drawn to the actor’s use of engineering computers in building automation systems, belonging to the companies’ infrastructures, as the point of infiltration, which is unusual for APT groups.

By taking control of those systems, the attacker can reach other, even more sensitive systems of the attacked organisation.

As the investigation showed, the main tool of the APT group is the ShadowPad backdoor. Kaspersky has been witnessing this malware being used by various Chinese-speaking APT actors.

During the attacks of the observed actor, the ShadowPad backdoor was downloaded onto the attacked computers under the guise of legitimate software.

In many cases the attacking group exploited a known vulnerability in MS Exchange and entered the commands manually, which indicates the highly targeted nature of their campaigns.

“The building automation systems are rare targets for advanced threat actors,” comments Kirill Kruglov, security expert at Kaspersky ICS CERT. “However, those systems can be a valuable source of highly confidential information and may provide the attackers with a backdoor to other, more secured, areas of infrastructures.

“Since these attacks develop extremely rapidly, they must be detected and mitigated during their very early stages. Thus, our advice is to constantly monitor the mentioned systems, especially in critical sectors.”