Hacking building automation systems

In my previous post, Wireshark: BACnet security analysis, I explained how to filter BACnet packets in Wireshark and mentioned how to discover internet-connected machines speaking the protocol in Shodan. A few days ago we heard about the "ShadowPad" backdoor and its attack on a telecommunications company in Pakistan. The attackers exploited the vulnerability CVE-2021-26855 in Microsoft Exchange to gain initial access. The attack affected engineering computers that are part of the building automation systems in the Pakistani company.

My observation is that the attack happened last year, in October 2021. Why so late to disclose it? Also, there aren't any details about OT devices or protocols, except a mention of "ICS" and "building automation systems"! So I have the following guesses or questions:

  • Did the attackers find this company on Shodan? Most building automation systems that appear in Shodan are connected through telecommunications companies.
  • Was the BACnet protocol present in the company's systems? If yes, did the attackers manage to exploit its weaknesses, or did they just abuse the IT systems (MS Windows) to conduct the attacks?

My point is that we don't have enough details about the OT systems that were affected, except the engineering computers. To me this seems like an IT attack. Furthermore, there wasn't any physical impact, and the attackers' goal was speculated to be data harvesting (see source 1).

References:

  1. https://ics-cert.kaspersky.com/publications/reports/2022/06/27/attacks-on-industrial-control-systems-using-shadowpad/
