APT uses ShadowPad backdoor and MS Exchange vulnerability to attack building automation systems

Woburn, MA – June 22, 2027 – In October 2021, Kaspersky ICS CERT discovered a previously unknown Chinese-speaking threat actor attacking telecommunications, manufacturing, and transport organizations in several Asian countries. During the initial attacks, the group exploited an MS Exchange vulnerability to deploy ShadowPad malware and infiltrated building automation systems of one of the victims.

A building automation system (BAS) connects all the functions inside the building, from electricity and heating to fire and security, and is managed from one control center. Once a BAS is compromised, all processes within that organization are at risk, including those relating to information security.

The experts at Kaspersky ICS CERT witnessed attacks on organizations in Pakistan, Afghanistan, and Malaysia in the industrial and telecommunications sectors. The attacks had a unique set of tactics, techniques, and procedures (TTPs), which led the experts to believe that the same Chinese-speaking threat actor was behind all of these observed attacks. Their attention was particularly drawn to the actor’s use of engineering computers in building automation systems as the point of infiltration, an unusual move for an APT group. By taking control over those systems, the attacker can reach other, even more sensitive systems of the attacked organization.

The investigation showed that the main tool of the APT group is ShadowPad backdoor. Kaspersky has witnessed this malware being used by various Chinese-speaking APT actors. During the attacks of the observed actor, the ShadowPad backdoor was downloaded onto the attacked computers under the guise of legitimate software. In many cases, the attacking group exploited a known vulnerability in MS Exchange, and entered the commands manually, indicating the highly targeted nature of their campaigns.

“Building automation systems are rare targets for advanced threat actors,” said Kirill Kruglov, security expert at Kaspersky ICS CERT. “However, those systems can be a valuable source of highly confidential information and may provide the attackers with a backdoor to other, more secured, areas of infrastructures. Since these attacks develop extremely rapidly, they must be detected and mitigated during their very early stages. Thus, our advice is to constantly monitor the mentioned systems, especially in critical sectors.”

Learn more about the attacks through building automation systems on Kaspersky’s ICS CERT website.

To keep your OT computers protected from various threats, Kaspersky experts recommend:

·       Regularly updating operating systems and any application software that are part of the enterprise’s network. Apply security fixes and patches to OT network equipment as soon as they are available.

·       Conducting regular security audits of OT systems to identify and eliminate possible vulnerabilities.

·       Using OT network traffic monitoring, analysis and detection solutions for better protection from attacks that potentially threaten OT systems and main enterprise assets.

·       Providing dedicated OT security training for IT security teams and OT engineers. This is crucial to improve response to new and advanced malicious techniques.

·       Providing the security team responsible for protecting industrial control systems with up-to-date threat intelligence. ICS Threat Intelligence Reporting service provides insights into current threats and attack vectors, as well as the most vulnerable elements in OT and how to mitigate them.

·       Using security solutions for OT endpoints and networks such as Kaspersky Industrial CyberSecurity to ensure comprehensive protection for all critical systems.

·       Protecting IT infrastructure. Integrated Endpoint Security protects corporate endpoints and enables automated threat detection and response capabilities.

About Kaspersky ICS CERT

Kaspersky Industrial Control Systems Cyber Emergency Response Team (Kaspersky ICS CERT) is a global project launched by Kaspersky in 2016 to coordinate the efforts of automation system vendors, industrial facility owners and operators, and IT security researchers to protect industrial enterprises from cyberattacks. Kaspersky ICS CERT devotes its efforts primarily to identifying potential and existing threats that target industrial automation systems and the Industrial Internet of Things. Kaspersky ICS CERT is an active member and partner of leading international organizations that develop recommendations on protecting industrial enterprises from cyberthreats. ics-cert.kaspersky.com