Chinese hackers target building management systems

Written by ga_dahmani

Kaspersky threat hunters have uncovered a series of attacks targeting organizations in the telecommunications, transportation and industrial sectors using the ShadowPad backdoor.

The campaign affected manufacturing and telecommunications industries in Afghanistan and Pakistan, and a logistics and transportation organization (a port) in Malaysia.

Kaspersky first identified the ShadowPad backdoor on industrial control system (ICS) computers at a telecommunications company in Pakistan, where the attackers had compromised engineering computers used in building automation systems. The investigation uncovered a broad range of related activity, along with further victim organizations in Pakistan, Afghanistan and Malaysia.

The attack stood out because threat actors rarely target building automation systems or use them as an entry point. From these systems, attackers can pivot to more valuable parts of the network.

“Building automation systems are rare targets for advanced threat actors,” said Kirill Kruglov, security expert at Kaspersky ICS CERT. “However, those systems can be a valuable source of highly sensitive information and can provide attackers with a backdoor to other, more secure areas of infrastructure.”

Between March and October 2021, the ShadowPad backdoor was deployed on victim networks along with tools such as the Cobalt Strike framework, Mimikatz, the PlugX backdoor, credential stealers, web shells, and the Nextnet network scanning utility.

According to Kaspersky, the unique set of tactics, techniques, and procedures (TTPs) used in these attacks suggests that a single Chinese-speaking threat actor was likely behind them. The campaign appears to have been aimed at data collection, but the researchers could not confirm its ultimate objective.

An exploit for a vulnerability in Microsoft Exchange Server (CVE-2021-26855, the server-side request forgery bug from the ProxyLogon chain) was leveraged for initial access in at least some of the attacks. Multiple threat actors began exploiting the vulnerability immediately after it was publicly disclosed in March 2021.

On the compromised systems, the ShadowPad backdoor was deployed as a DLL named mscoree.dll and loaded by the legitimate .NET application AppLaunch.exe, which the attackers copied into the same folder as the malicious DLL. Because a DLL in the executable's own directory is found before the genuine system library, this is a DLL side-loading technique: the signed, trusted binary does the loading. The attackers created a scheduled task to run AppLaunch.exe for persistence.

In October 2021, the attackers switched to a new version of the malware and a new execution scheme that relied instead on DLL hijacking. Kaspersky researchers identified a total of 25 unique modifications of the backdoor.

On some computers within the target organizations, the researchers also identified commands that had been executed remotely via the command-line interface. Initially, the attackers ran the commands manually, but later switched to deploying scripts containing the same commands.

The attackers used these commands to gather information about the users on the compromised machines, enumerate network connections, copy files from the desktop to the Recycle Bin folder, check Internet connectivity, mount a network drive, save a registry hive containing NTLM hashes to disk, start Mimikatz, archive the collected files, and scan hosts on the network.
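The side-loading chain and the post-exploitation commands above are both hunt-able from ordinary endpoint telemetry. The following is an added example (not code from Kaspersky, SecurityWeek, or the threat actor): it runs simple detection logic over constructed Sysmon-style events (Event ID 1 process creation, Event ID 7 image load). It flags AppLaunch.exe executing from, or mscoree.dll being loaded from, outside the .NET Framework and system directories (the list of legitimate directories is an assumption for this example), and it matches command lines for the registry-hive dump, Mimikatz, scheduled-task creation pointing at AppLaunch.exe, and network-drive mounting that the article describes. The sample events are constructed for the example and are not indicators from the report.

```python
"""Hunt Sysmon-style events for the ShadowPad side-loading pattern
(legitimate AppLaunch.exe + malicious mscoree.dll in the same folder)
and for the post-exploitation commands listed in the article.
Added example with constructed sample events."""
import json
import re
from pathlib import PureWindowsPath

# Assumption for this example: directories in which a genuine AppLaunch.exe
# or mscoree.dll may legitimately reside. Tune for your environment.
LEGIT_DIRS = (
    r"c:\windows\microsoft.net\framework",
    r"c:\windows\microsoft.net\framework64",
    r"c:\windows\system32",
    r"c:\windows\syswow64",
)

# Command-line patterns derived from the activity the article describes.
CMDLINE_RULES = [
    ("reg_save_hive", re.compile(r"\breg(\.exe)?\s+save\s+hklm\\(sam|system|security)\b", re.I)),
    ("mimikatz", re.compile(r"sekurlsa::|lsadump::|mimikatz", re.I)),
    ("schtask_applaunch", re.compile(r"schtasks(\.exe)?\s+/create.*applaunch\.exe", re.I | re.S)),
    ("mount_share", re.compile(r"\bnet(\.exe)?\s+use\s+\S+\s+\\\\", re.I)),
]


def in_legit_dir(path: str) -> bool:
    """True if the file's parent directory is one of the expected locations."""
    parent = str(PureWindowsPath(path).parent).lower()
    return any(parent.startswith(d) for d in LEGIT_DIRS)


def check_event(ev: dict) -> list:
    """Return a list of finding labels for one event (empty if benign)."""
    findings = []
    image = ev.get("Image", "")
    image_name = PureWindowsPath(image).name.lower()
    if ev.get("EventId") == 1:  # process creation
        if image_name == "applaunch.exe" and not in_legit_dir(image):
            findings.append("applaunch_outside_dotnet_dir")
        cmd = ev.get("CommandLine", "")
        for label, rx in CMDLINE_RULES:
            if rx.search(cmd):
                findings.append(label)
    elif ev.get("EventId") == 7:  # image (DLL) load
        loaded = PureWindowsPath(ev.get("ImageLoaded", ""))
        if loaded.name.lower() == "mscoree.dll" and not in_legit_dir(str(loaded)):
            findings.append("mscoree_sideload")
            # Strongest signal: the DLL sits right next to its host executable,
            # which is exactly how search-order side-loading is staged.
            if loaded.parent == PureWindowsPath(image).parent:
                findings.append("dll_colocated_with_host")
    return findings


def hunt(lines):
    """Parse JSON event lines and return (EventId, Image, findings) for hits."""
    hits = []
    for line in lines:
        ev = json.loads(line)
        findings = check_event(ev)
        if findings:
            hits.append((ev.get("EventId"), ev.get("Image"), findings))
    return hits


# Constructed sample events (not real telemetry from the report).
SAMPLE_EVENTS = [
    {"EventId": 1, "Image": r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AppLaunch.exe",
     "CommandLine": "AppLaunch.exe"},
    {"EventId": 1, "Image": r"C:\ProgramData\Oracle\AppLaunch.exe",
     "CommandLine": r'"C:\ProgramData\Oracle\AppLaunch.exe"'},
    {"EventId": 7, "Image": r"C:\ProgramData\Oracle\AppLaunch.exe",
     "ImageLoaded": r"C:\ProgramData\Oracle\mscoree.dll"},
    {"EventId": 1, "Image": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r"cmd.exe /c reg save hklm\sam C:\Windows\Temp\sam.hiv"},
    {"EventId": 1, "Image": r"C:\Windows\System32\schtasks.exe",
     "CommandLine": r'schtasks /create /tn "WindowsUpdate" /tr "C:\ProgramData\Oracle\AppLaunch.exe" /sc onlogon'},
    {"EventId": 7, "Image": r"C:\Program Files\SomeApp\app.exe",
     "ImageLoaded": r"C:\Windows\System32\mscoree.dll"},
]
SAMPLE_LINES = [json.dumps(e) for e in SAMPLE_EVENTS]


def hunt_sample():
    """Run the hunt over the constructed sample; four of the six events should hit."""
    return hunt(SAMPLE_LINES)


if __name__ == "__main__":
    for event_id, image, findings in hunt_sample():
        print(f"EventId={event_id} Image={image} -> {', '.join(findings)}")
```

The first and last sample events (AppLaunch.exe and mscoree.dll in their genuine locations) produce no findings, which is the point of path-based rules: the binaries involved are legitimate and signed, so the anomaly is only visible in where they execute from and what sits beside them. In production, the same checks translate directly into an EDR or SIEM query on process-creation and image-load events.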

The threat actor stole the domain authentication credentials of at least one account in each targeted organization and used those credentials to move laterally within the network. Kaspersky also found that the attackers' command and control (C&C) domains were hosted on leased dedicated servers at the hosting provider Choopa.

“We believe with a high degree of confidence that a Chinese-speaking threat actor is behind the activity described in this report. There are some minor references to HAFNIUM, a Chinese-speaking threat actor, but not enough to speak of HAFNIUM’s involvement. […] with a high degree of confidence,” says Kaspersky.

Related: Chinese ‘Bronze Starlight’ APT uses ransomware to disguise cyber espionage

Related: Chinese Hackers Abuse Cybersecurity Products to Run Malware

Related: Chinese Hackers Target Hong Kong Universities With New Backdoor Variant


Ionut Arghire is an international correspondent for SecurityWeek.
