
Chinese hackers are attacking Asian building automation systems


Chinese APT group Hafnium has hacked several Asian organisations’ building automation systems. First spotted by Kaspersky ICS CERT researchers, the group was exploiting the CVE-2021-26855 vulnerability in Microsoft Exchange servers.

These automation systems control a building's HVAC, fire and security functions. Once compromised, they can give attackers a foothold from which to reach more sensitive parts of the network and even establish a persistent backdoor into it.

The attacks started as far back as March 2021. However, they could only be attributed to a single APT group and tracked collectively from October 2021, after a ShadowPad backdoor disguised as legitimate software was discovered on the industrial control systems of a Pakistani telecommunications company. The infected systems included engineering computers in building automation systems.

Since then, in addition to hacking automation systems, the attackers have deployed other common malware and tools, including CobaltStrike beacons, the PlugX backdoor, web shells, credential theft scripts and the nextnet network scanner.

The researchers also found links to yet another Chinese APT group, tracked by Microsoft as Hafnium. Hafnium has also been known to exploit ProxyLogon vulnerabilities in the past.

The group's intentions or motivations behind the attack are unknown at the moment. However, Kaspersky ICS CERT researchers believe that the attackers only sought to extract sensitive information. The researchers also expect that attackers may return to previous targets and that new targets will appear in more countries.

The vulnerability being exploited is a part of a bigger group of vulnerabilities in Microsoft Exchange servers known as ProxyLogon. Microsoft issued a patch in March, but exploits were already spotted as early as January. Cybersecurity firm ESET reported that at least 10 APT groups were actively exploiting the flaw in March.

A week after Microsoft's patch, the Dutch Institute for Vulnerability Disclosure (DIVD) found 46,000 servers still unpatched against the ProxyLogon flaws.


Yadullah Abidi


Yadullah is a Computer Science graduate who writes, edits, shoots and codes all things cybersecurity, gaming and tech hardware. When he's not, he streams himself racing virtual cars. He has been writing and reporting on tech and cybersecurity for websites like Candid.Technology and MakeUseOf since 2018.