Chinese-Speaking Threat Actors Target ICS

Industries: Logistics, Industrial, Telecommunications, Transportation | Level: Tactical| Source: Kaspersky

Kaspersky ICS CERT researchers report of threat activity beginning as early as March 2021, targeting logistics, transportation, telecommunication, and industrial sectors in Malaysia, Pakistan, and Afghanistan. The threat campaign was first discovered by researchers in mid-October 2021, who "discovered an active ShadowPad backdoor that affected a number of industrial control systems in Pakistan, specifically engineering computers in building automation systems that are part of a telecom company’s infrastructure." Attackers from the campaign were able to gain initial access by exploiting the Microsoft Exchange vulnerability CVE-2021-26855, associated with ProxyLogon. Additional tactics, techniques, and procedures utilized by the threat actors included deploying cobalt strike, using certutil to download files, web shells, credential access with procdump, mimikatz, and BAT script files. During post-exploitation, attackers gather network information using CMD and collect data of interest into an archived file. Additionally, persistence was created from the attackers having scripted the data collection and scheduled it to run daily. Activity from these campaigns is being attributed to a Chinese-speaking group of attackers with potential ties to HAFNIUM.

Anvilogic Scenario:

• Post-Exploitation with ShadowPad Malware

Anvilogic Use Cases:

• Output to File
• Cobalt Strike Beacon
• Certutil File Download
• ProcDump Credential Harvest
• Mimikatz