Virtual Event: Threat Detection and Incident Response Summit - Watch Sessions
Connect with us

Hi, what are you looking for?

SecurityWeekSecurityWeek

Cybercrime

Chinese Hackers Target Building Management Systems

Threat hunters at Kaspersky have uncovered a series of attacks that targeted organizations across telecoms, transportation, and industrial sectors with the ShadowPad backdoor.

The campaign hit the manufacturing and telecoms industries in Afghanistan and Pakistan, and a logistics and transport organization (a port) in Malaysia.

Threat hunters at Kaspersky have uncovered a series of attacks that targeted organizations across telecoms, transportation, and industrial sectors with the ShadowPad backdoor.

The campaign hit the manufacturing and telecoms industries in Afghanistan and Pakistan, and a logistics and transport organization (a port) in Malaysia.

Kaspersky initially identified the ShadowPad backdoor on industrial control systems (ICS) at a telecoms company in Pakistan, where the attackers targeted engineering computers in building automation systems. The investigation uncovered wide activity on the network, along with additional victim organizations in Pakistan, Afghanistan and Malaysia.

The attack stood out because it’s not common for threat actors to target building automation systems and use them as the point of infiltration. From these devices the attackers can move to more valuable systems.

“Building automation systems are rare targets for advanced threat actors,” said Kirill Kruglov, security expert at Kaspersky ICS CERT. “However, those systems can be a valuable source of highly confidential information and may provide the attackers with a backdoor to other, more secured, areas of infrastructures.”

Learn More About Protecting Smart Buildings at SecurityWeek’s 2022 ICS Cybersecurity Conference 

Between March and October 2021, the ShadowPad backdoor was deployed on the victim networks along with tools such as the Cobalt Strike framework, Mimikatz, the PlugX backdoor, credential stealers, web shells, and the Nextnet network scanning utility.

Advertisement. Scroll to continue reading.

According to Kaspersky, the unique set of tactics, techniques, and procedures (TTPs) used in these attacks suggest that a single Chinese-speaking threat actor was likely behind them. The purpose of the campaign appears to be data harvesting, but the security researchers are not certain.

An exploit for a vulnerability in Microsoft Exchange (CVE-2021-26855) was leveraged for initial access in at least some of the attacks. Multiple threat actors started exploiting the vulnerability immediately after it was reported publicly in March 2021.

On the compromised systems, the ShadowPad backdoor was deployed as mscoree.dll and was executed by the legitimate application AppLaunch.exe, which was placed in the same folder with ShadowPad. The attackers created a scheduled task to run AppLaunch.exe.

In October 2021, the attacker switched to a new version of the malware and a new execution scheme, relying on DLL hijacking instead. Kaspersky’s researchers identified a total of 25 unique modifications.

On some computers within the target organizations, the researchers also identified commands that had been executed remotely via the command line interface. Initially, the attackers executed the commands manually, but then switched to deploying scripts that contained the same sequence of commands.

The attackers used these commands to collect information about the users on the compromised machines, collect network connection details, copy files from the desktop to the Recycle Bin folder, check available internet services, mount a network drive, save a registry key containing NTLM hashes to disk, launch Mimikaz, archive harvested files, and to scan hosts on the network.

The threat actor stole domain authentication credentials from at least one account at each of the targeted organizations, and used these credentials to move laterally on the network. Kaspersky also discovered that the attackers used command and control (C&C) domains hosted on rented dedicated Choopa servers.

“We believe with a high degree of confidence that a Chinese-speaking threat actor is behind the activity described in this report. There are some minor references to HAFNUIM, a Chinese-speaking threat actor, but they are not sufficient to speak of HAFNUM’s involvement […] with a high degree of confidence,” Kaspersky notes.

Related: Chinese APT ‘Bronze Starlight’ Uses Ransomware to Disguise Cyberespionage

Related: Chinese Hackers Abuse Cybersecurity Products for Malware Execution

Related: Chinese Hackers Target Hong Kong Universities With New Backdoor Variant

Written By

Ionut Arghire is an international correspondent for SecurityWeek.

Click to comment

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

SecurityWeek’s Threat Detection and Incident Response Summit brings together security practitioners from around the world to share war stories on breaches, APT attacks and threat intelligence.

Register

Securityweek’s CISO Forum will address issues and challenges that are top of mind for today’s security leaders and what the future looks like as chief defenders of the enterprise.

Register

Expert Insights

Related Content

Cyberwarfare

WASHINGTON - Cyberattacks are the most serious threat facing the United States, even more so than terrorism, according to American defense experts. Almost half...

Cybercrime

The changing nature of what we still generally call ransomware will continue through 2023, driven by three primary conditions.

Cybercrime

Luxury retailer Neiman Marcus Group informed some customers last week that their online accounts had been breached by hackers.

Cybercrime

As it evolves, web3 will contain and increase all the security issues of web2 – and perhaps add a few more.

Cybercrime

A recently disclosed vBulletin vulnerability, which had a zero-day status for roughly two days last week, was exploited in a hacker attack targeting the...

Cybercrime

Satellite TV giant Dish Network confirmed that a recent outage was the result of a cyberattack and admitted that data was stolen.

Cybercrime

Zendesk is informing customers about a data breach that started with an SMS phishing campaign targeting the company’s employees.

Artificial Intelligence

The release of OpenAI’s ChatGPT in late 2022 has demonstrated the potential of AI for both good and bad.