A threat actor hacked inside the building automation systems of several Asian organizations by exploiting the Proxylogon flaw in Microsoft Exchange. After putting a backdoor into their networks, the attackers were further observed gaining access to more secured areas in networks.

Abusing Proxylogon

Researchers from Kaspersky spotted the APT group focused on devices unpatched against CVE-2021-26855, or the popular Microsoft Exchange ProxyLogon.
  • Usually, building automation systems are rare targets among APT groups. 
  • However, those systems may have highly confidential information and could be propagated to infect other areas of the infrastructure, such as information security systems.
  • The attackers have lots of potential victims to target, as the Dutch Institute for Vulnerability Disclosure has reported around 46,000 unpatched servers against the ProxyLogon flaw last year.

More insights

The attacks started in March 2021 and were collectively coordinated by the Chinese group starting mid-October. Researchers spotted the use of ShadowPad, a backdoor used by multiple other Chinese actors.
  • The backdoor pretended to be legitimate software and was spotted on industrial control systems of a telecommunications firm located in Pakistan.
  • In that campaign, the attackers deployed other malware and tools, such as Cobalt Strike, scripts for credential theft, PlugX, web shells, and an open-source nextnet network scanner.
  • The researchers also linked the attack campaign with another Chinese APT group tracked as Hafnium, which is infamous for using Exchange ProxyLogon exploits in their attacks.


Chinese-speaking threat actors are hunting for sensitive or highly valuable information. Experts claim that the APT group will attack again and try to find new victims. Therefore, encrypting sensitive information and implementing proper access control to protect the data should be made the priority to remain unaffected from such attacks.
Cyware Publisher