Security researchers have identified a previously unknown Chinese-speaking threat actor attacking telecommunications, manufacturing and transportation organizations in several Asian countries. For initial access, the group exploited a known Microsoft Exchange vulnerability to deliver the ShadowPad backdoor, and from there moved into its victims' building automation systems.
Building automation systems (BAS) connect the functions of a building, from electricity and heating to fire and physical security, and are managed from a single control center. When a BAS is compromised, every process that depends on it, including those that support the organization's information security, is at risk.
Kaspersky ICS CERT experts detected these attacks against organizations in the industrial and telecommunications sectors in Pakistan, Afghanistan and Malaysia. The attacks share a distinctive set of tactics, techniques and procedures (TTPs), which supports the assessment that the same Chinese-speaking threat actor is behind all of them. Notably, the actor used the building automation systems of the targeted companies as an entry point, which is unusual for APT groups. Once in control of these systems, an attacker can reach more sensitive parts of the targeted organization.
The research shows that the ShadowPad backdoor is the group's main tool. Kaspersky has seen this malware used by a number of Chinese-speaking APT actors. In the observed attacks, ShadowPad was delivered to the compromised computers disguised as legitimate software. In most cases the group exploited a known vulnerability in Microsoft Exchange and then ran commands manually rather than through an automated toolkit, which indicates that the attacks are highly targeted.
Kirill Kruglov, Security Specialist at Kaspersky ICS CERT, says: “Building automation systems are rare targets for advanced threat actors. However, these systems can act as a backdoor to highly confidential information and provide attackers with access to other, more secure infrastructure areas. Because such attacks develop extremely quickly, they should be detected and prevented in their very early stages. Therefore, our recommendation is to constantly monitor the systems mentioned, especially in the critical sectors that are targeted.”
To protect OT computers from these and similar threats, Kaspersky's experts recommend:
· Regularly update the operating systems and application software on the business network, and apply security fixes and patches to OT network equipment as soon as they become available.
· Perform regular security audits of OT systems to identify and eliminate potential security vulnerabilities.
· Use OT network traffic monitoring, analysis and detection solutions to improve protection against attacks that threaten OT systems and key enterprise assets.
· Provide tailored OT security training for IT security teams and OT engineers; this is crucial for improving the response to new and advanced malicious techniques.
· Provide up-to-date threat intelligence to the security team responsible for the protection of industrial control systems.
· Use security solutions for OT endpoints and networks to provide comprehensive protection for all critical systems.
· Protect the IT infrastructure as well; in the attacks described above, the initial entry was through a vulnerable Microsoft Exchange server.
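As an added example (not from the Kaspersky report, and not code from any tool it describes), the following Python script shows the kind of host-side detection logic the monitoring recommendation above calls for, applied to the entry technique described earlier. Exchange runs inside IIS worker processes (w3wp.exe), so an operator typing commands after a web-facing Exchange exploit shows up in process-creation telemetry as w3wp.exe spawning a shell. The CSV layout, the field names, the rule names and the log records themselves are all constructed for the example; the shell list and the encoded-PowerShell flags are deliberately short and would need widening for production use.

```python
"""Flag manual post-exploitation commands behind an Exchange/IIS worker process.

Constructed example: the records below imitate Sysmon event ID 1 (process
creation) exported to CSV. They are not taken from any real incident.
"""
import csv
import io

# Constructed sample telemetry. Rows 2 and 3 model an operator running commands
# through a compromised Exchange server; the other rows are ordinary activity.
SAMPLE_LOG = r"""
time,host,parent_image,image,command_line
2022-03-01T09:12:03Z,EXCH01,C:\Windows\System32\svchost.exe,C:\Windows\System32\inetsrv\w3wp.exe,w3wp.exe -ap MSExchangeOWAAppPool
2022-03-01T09:12:44Z,EXCH01,C:\Windows\System32\inetsrv\w3wp.exe,C:\Windows\System32\cmd.exe,cmd.exe /c whoami
2022-03-01T09:13:10Z,EXCH01,C:\Windows\System32\inetsrv\w3wp.exe,C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe,powershell -enc SQBFAFgA
2022-03-01T09:20:00Z,EXCH01,C:\Windows\explorer.exe,C:\Windows\System32\notepad.exe,notepad.exe
2022-03-01T09:21:00Z,EXCH01,C:\Windows\System32\services.exe,C:\Windows\System32\svchost.exe,svchost.exe -k netsvcs
""".strip()

# Parents that host web-facing code (Exchange OWA/ECP/EWS app pools run here).
WEB_WORKERS = {"w3wp.exe"}

# Children a web worker should never spawn on a healthy Exchange server.
# Hypothetical, intentionally short list; extend it for real deployments.
SHELL_CHILDREN = {
    "cmd.exe", "powershell.exe", "pwsh.exe", "cscript.exe", "wscript.exe",
    "mshta.exe", "rundll32.exe", "certutil.exe", "bitsadmin.exe",
}

# Common spellings of PowerShell's encoded-command switch. PowerShell accepts
# any unambiguous prefix (-en, -enco, ...), so a real rule should match prefixes.
ENCODED_FLAGS = {"-e", "-ec", "-enc", "-encodedcommand"}


def basename(path: str) -> str:
    """Return the lower-cased file name of a Windows or POSIX path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def rules_for(event: dict) -> list:
    """Return the names of the rules a single process-creation event trips."""
    hits = []
    parent = basename(event["parent_image"])
    child = basename(event["image"])

    # Rule 1: an IIS worker process started an interactive/scripting binary.
    if parent in WEB_WORKERS and child in SHELL_CHILDREN:
        hits.append("iis_worker_spawned_shell")

    # Rule 2: PowerShell launched with an encoded command, from any parent.
    tokens = event["command_line"].lower().split()
    if child in {"powershell.exe", "pwsh.exe"} and any(t in ENCODED_FLAGS for t in tokens):
        hits.append("encoded_powershell")

    return hits


def find_suspicious(log_text: str) -> list:
    """Parse CSV telemetry and return one finding per event that trips a rule."""
    findings = []
    for event in csv.DictReader(io.StringIO(log_text)):
        hits = rules_for(event)
        if hits:
            findings.append({
                "time": event["time"],
                "host": event["host"],
                "parent": basename(event["parent_image"]),
                "image": basename(event["image"]),
                "command_line": event["command_line"],
                "rules": hits,
            })
    return findings


if __name__ == "__main__":
    for f in find_suspicious(SAMPLE_LOG):
        print(f"{f['time']} {f['host']} {f['parent']} -> {f['image']} "
              f"[{', '.join(f['rules'])}] {f['command_line']}")
```

Run against the constructed sample, the script reports the two events in which w3wp.exe spawned cmd.exe and powershell.exe and leaves the normal svchost, explorer and services activity alone. The same two rules translate directly into a SIEM or EDR query (parent image ends with `\w3wp.exe` and child image is in the shell list), which is the cheap, high-signal check to have in place on every Exchange server whether or not the OT monitoring recommended above is deployed yet.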