Entities attacked through building automation systems
Kaspersky ICS CERT has discovered a previously unknown Chinese-speaking threat actor who is attacking telecommunications, manufacturing, and transport entities in several Asian countries.
The initial attacks saw the group exploit an MS Exchange vulnerability to deploy ShadowPad malware and infiltrate the building automation systems (BAS) at one of the victims.
A BAS connects all the functions inside the building, such as electricity, heating, and security, and is managed from a single control centre.
Once compromised, all processes within that organisation are at risk, including those relating to information security.
Researchers at the security giant noted attacks on organisations in Pakistan, Afghanistan, and Malaysia in the industrial and telecommunications sectors.
The attacks employed a unique set of tactics, techniques, and procedures, which led the experts to believe that the same Chinese-speaking threat actor was behind them all.
What stood out for them was the actor’s use of engineering computers in BAS systems as the point of infiltration, which they say is unusual for APT groups.
By taking control over those systems, the attacker could reach other, even more sensitive systems within the targeted organisation.
The investigation revealed that the main tool used by the APT group was the ShadowPad backdoor, a piece of malware used by several Chinese-speaking APT actors.
The backdoor was downloaded onto the attacked computers under the guise of legitimate software.
In many cases the APT group exploited a known vulnerability in MS Exchange, and entered the commands manually, indicating the highly targeted nature of their campaigns.
Kirill Kruglov, security expert at Kaspersky ICS CERT, says BAS are rare targets for advanced threat actors.
“However, those systems can be a valuable source of highly confidential information and may provide the attackers with a backdoor to other, more secured, areas of infrastructures,” he adds.
Since these attacks develop extremely rapidly, Kruglov says they need to be detected and mitigated during their very early stages. “Thus, our advice is to constantly monitor the mentioned systems, especially in critical sectors.”