In mid-October 2021, Kaspersky’s ICS CERT team discovered a new Chinese-speaking malicious actor targeting transport, production, and telecommunications organizations in several Asian countries. During the initial attacks, the group exploited the MS Exchange vulnerability to deploy the ShadowPad malware and infiltrated the building automation systems of one of the victims.
A building automation system (BAS) connects all the functions present inside the building – from electricity to the heating system to fire safety and security – and is managed from a control centre. Once a BAS is compromised, all procedures within the organization are at risk, including those relating to information security.
Kaspersky ICS CERT experts have witnessed attacks on organizations in Pakistan, Afghanistan and Malaysia in the industrial, telecommunications and telecommunications sectors. The attacks were carried out through unique tactics, techniques and procedures (TTPs), which led experts to believe that the same Chinese-speaking malicious actor was behind all of these attacks. Their attention was particularly drawn to the actor’s use of engineering computers in building automation systems, belonging to corporate infrastructures, as an infiltration point – which is unusual for APT groups. By taking control of these systems, the attacker can reach other, even more sensitive systems of the attacked organization.
The investigation showed that the main tool of the APT group was the Shadowpad backdoor. Kaspersky has witnessed the use of this malware by several Chinese-speaking APT actors. During the observed actor attacks, the ShadowPad backdoor was downloaded onto the attacked computers, disguised as legitimate software. In many cases, the attacking group exploited a known vulnerability in MS Exchange, and entered the commands manually, indicating the highly targeted nature of the attacks.
“Building automation systems are rare targets for advanced threat actors. However, these systems can be a valuable source of highly confidential information and can provide attackers with a back door to other, more secure areas of the infrastructure. As these attacks develop extremely rapidly, they must be detected and mitigated in the early stages. We therefore advise you to constantly monitor the mentioned systems, especially in critical sectors,” comments Kirill Kruglov, security expert at Kaspersky’s ICS CERT.
To keep your OT computers safe from various forms of threats, Kaspersky experts recommend:
Regularly update operating systems and any application software that is part of the company network. Apply security fixes and patches to OT network equipment as they become available.
Perform regular security audits of OT systems to identify and eliminate potential vulnerabilities.
Use OT network traffic monitoring, analysis and detection solutions to better protect against attacks that potentially threaten OT systems and key business assets
Provide dedicated OT security training for IT security teams and OT engineers. This is crucial to improve the response to new and advanced malicious techniques.
Provide the security team responsible for protecting industrial control systems with up-to-date threat intelligence. The ICS Threat Intelligence Reporting service provides insight into today’s threats and attack vectors, as well as the most vulnerable elements of industrial control systems and how to mitigate them.
Use endpoint and OT network security solutions, such as Kaspersky Industrial CyberSecurity, to ensure comprehensive protection of all critical systems.
Protect IT infrastructure. Integrated Endpoint Security protects enterprise endpoints and enables automated threat detection and response capabilities.