In my previous post, Wireshark: BACnet security analysis, I explained how to filter BACnet packets in Wireshark and mentioned how to discover machines that expose the protocol to the internet using Shodan. A few days ago we heard about the “ShadowPad” backdoor and its attack on a telecommunications company in Pakistan. The attackers exploited the vulnerability CVE-2021-26855 in Microsoft Exchange to gain initial access. The attack affected engineering computers that are part of the building automation systems in the Pakistani company.
My observation is that the attack happened last year, in October 2021. Why was it disclosed so late? Also, there aren’t any details about OT devices or protocols, except the mentions of “ICS” and “building automation systems”! So I have the following guesses and questions:
- Did the attackers find this company through Shodan? Most building automation systems that appear in Shodan are connected through telecommunications companies.
- Was the BACnet protocol in use in the company’s systems? If so, did the attackers manage to exploit its weaknesses, or did they simply abuse the IT systems (Microsoft Windows) to conduct the attack?
My point is that we don’t have enough details about the affected OT systems beyond the engineering computers. To me this looks like an IT attack. Furthermore, there was no physical impact, and the attackers’ goal is speculated to have been data harvesting (see source 1).
References: