A Chinese-speaking threat actor has hacked into the building automation systems (which control HVAC, fire, and physical security functions) of several Asian organizations, using them as a foothold to backdoor the victims' networks and pivot into more tightly secured segments. The APT group, whose activity was spotted by Kaspersky ICS CERT researchers, focused on Exchange servers unpatched against CVE-2021-26855, one of the Microsoft Exchange Server vulnerabilities collectively known as ProxyLogon.
The threat actors had a considerable pool of potential victims to choose from: the Dutch Institute for Vulnerability Disclosure (DIVD) found 46,000 servers still unpatched against the ProxyLogon flaws one week after Microsoft released fixes.
Last year, Slovakian internet security firm ESET said that at least ten hacking groups were using ProxyLogon exploits in March 2021, and that in-the-wild exploitation had begun on January 3, two months before Microsoft released patches on March 2.
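For defenders still triaging Exchange servers from that window, the quickest check for CVE-2021-26855 exploitation is the one Microsoft published in its HAFNIUM guidance: in the Exchange HttpProxy logs, look for requests with an empty AuthenticatedUser whose AnchorMailbox matches ServerInfo~*/*, meaning an unauthenticated client chose the backend target of the proxied request, which is how the ProxyLogon SSRF is triggered. The script below is an added example, not code from the article or from Kaspersky ICS CERT; it applies that rule over constructed log lines with a reduced column set, and the hostnames, IPs and timestamps are invented. The handling of the '#'-prefixed preamble (using a '#Fields:' line as the header when present) is an assumption about the file layout.

```python
"""Flag Exchange HttpProxy log rows matching Microsoft's CVE-2021-26855 indicator.

Rule (from Microsoft's HAFNIUM guidance): AuthenticatedUser is empty AND
AnchorMailbox looks like 'ServerInfo~<host>/<path>'. Authenticated requests can
legitimately carry ServerInfo~ anchors, so the empty-user condition is essential.
"""
from __future__ import annotations

import csv
import io
import re

# "ServerInfo~" followed by a host, a slash and a backend path chosen by the client.
SERVERINFO_ANCHOR = re.compile(r"^ServerInfo~[^/]+/.+")


def parse_httpproxy_log(text: str) -> list[dict]:
    """Parse HttpProxy CSV text into rows keyed by column name.

    Assumption: Exchange writes '#'-prefixed preamble lines at the top of each
    file. If a '#Fields:' line is present it supplies the header; otherwise the
    first non-comment line is taken as the header.
    """
    header = None
    data_lines: list[str] = []
    for line in text.splitlines():
        if not line.strip():
            continue
        if line.startswith("#"):
            if line.startswith("#Fields:"):
                header = line[len("#Fields:"):].strip()
            continue
        data_lines.append(line)
    if header is None:
        header, data_lines = data_lines[0], data_lines[1:]
    return list(csv.DictReader(io.StringIO("\n".join([header] + data_lines))))


def is_proxylogon_ssrf(row: dict) -> bool:
    """Microsoft's rule: unauthenticated request with a client-chosen ServerInfo~ anchor."""
    unauthenticated = (row.get("AuthenticatedUser") or "").strip() == ""
    anchor = row.get("AnchorMailbox") or ""
    return unauthenticated and SERVERINFO_ANCHOR.match(anchor) is not None


def find_proxylogon_hits(text: str) -> list[dict]:
    """Return the suspicious rows, reduced to the fields an analyst pivots on."""
    keep = ("DateTime", "ClientIpAddress", "UrlStem", "AnchorMailbox")
    return [
        {k: row.get(k, "") for k in keep}
        for row in parse_httpproxy_log(text)
        if is_proxylogon_ssrf(row)
    ]


# Constructed sample log (not from any real incident), with a reduced column set.
# Row 1: normal authenticated OWA session (Sid~ anchor).
# Row 2: unauthenticated hit on the pre-auth logon page, no anchor: benign.
# Rows 3-4: unauthenticated /ecp requests whose anchor names a backend target: suspicious.
# Row 5: authenticated admin request with a ServerInfo~ anchor: legitimate, must not fire.
SAMPLE_LOG = """\
#Software: Microsoft Exchange Server
#Log-type: HttpProxy Logs
#Fields: DateTime,UrlStem,AuthenticationType,AuthenticatedUser,AnchorMailbox,ClientIpAddress,HttpStatus
2021-03-03T09:14:02.113Z,/owa/,FBA,CONTOSO\\alice,Sid~S-1-5-21-1111111111-2222222222-3333333333-1105,10.0.5.23,200
2021-03-03T09:14:10.448Z,/owa/auth/logon.aspx,,,,198.51.100.77,200
2021-03-03T09:15:31.902Z,/ecp/y.js,,,ServerInfo~EXCH01.contoso.example/autodiscover/autodiscover.xml?#,198.51.100.77,200
2021-03-03T09:15:33.510Z,/ecp/y.js,,,ServerInfo~localhost/ecp/DDI/DDIService.svc/SetObject?schema=OABVirtualDirectory,198.51.100.77,200
2021-03-03T09:16:05.001Z,/ecp/,FBA,CONTOSO\\admin,ServerInfo~EXCH01.contoso.example/ecp/,10.0.5.40,200
"""

if __name__ == "__main__":
    for hit in find_proxylogon_hits(SAMPLE_LOG):
        print(hit)
```

Run against real files by reading every *.log under the Exchange V15\Logging\HttpProxy directory and passing the text to find_proxylogon_hits; a hit is an indicator of attempted exploitation, not proof of compromise, so follow it with a review of the ECP server logs and the IIS directories for dropped web shells.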
After breaching engineering computers within their targets' building automation systems, the attackers were able to compromise other parts of the victims' infrastructure, including their information security systems.
“Building automation systems are rare targets for advanced threat actors,” said Kaspersky ICS CERT security expert Kirill Kruglov.
“However, those systems can be a valuable source of highly confidential information and may provide the attackers with a backdoor to other, more secured, areas of infrastructures.”
While analyzing the attacks, the researchers also found links to another Chinese APT group, tracked by Microsoft as Hafnium, which is known to have used the Exchange ProxyLogon exploits as well.
Hunt for confidential information
The attacks began in March 2021. Kaspersky first spotted them, and began tracking them as the work of a single coordinated group, in mid-October 2021, after discovering a ShadowPad backdoor (malware also used by several other Chinese-speaking APT actors) on the industrial control systems of a telecommunications firm in Pakistan. The backdoor was camouflaged as legitimate software.
Throughout this campaign, the threat actors also deployed other malware and tools, including the Cobalt Strike framework, the PlugX backdoor, web shells, credential-theft scripts, and the open-source nextnet network scanner.
The group’s end goal is unknown, but Kaspersky ICS CERT researchers believe the attackers were most likely hunting for sensitive information.
“We strongly believe that those systems themselves could be a valuable source of highly confidential information. Additionally, we believe there is a chance that they also provide attackers with a backdoor to other, more strictly secured, infrastructure,” the report reads.
“We believe that it is highly likely that this threat actor will strike again and we will find new victims in different countries.”
Additional information, including indicators of compromise and technical details, is available in Kaspersky ICS CERT's report.