Zmiy Elevator Shaft Break-Ins Plague Russian Firms

The Lifting Zmiy hacker group from Eastern Europe has been behind a series of cyberattacks on Russian companies. According to a report by RBC, the attackers used the servers that control elevators in the entrances of residential buildings as their entry points. The report cited information from the Solar 4RAYS cyber threat research center at Solar.

The attackers compromised the controllers, which are part of the elevator SCADA systems, and deployed their own servers on them to stage attacks against other targets. The hacked controllers were made by Tekon Automatics, a supplier of elevator control solutions; the group takes its name from the specialized control and dispatch systems that Tekon Automatics develops for the lift industry. Among the targets of these attacks were state institutions, IT firms, telecom companies, and others.

In their operations the hackers also used the infrastructure of Starlink, the satellite internet service of Elon Musk's SpaceX. Solar representatives clarified that the attacks did not directly affect the operation of the elevators themselves; however, the vulnerabilities that were exploited could have allowed the hackers to take control of the equipment.

Experts believe that the hackers' primary objective was not to disrupt the elevators but to mask their own activity: by placing their command-and-control servers on the elevator controllers, they made their operations harder to detect.

Reports indicate that the method of hacking the Tekon Automatics controllers was publicly disclosed in 2022. It involved logging in with the default credentials and installing a specialized plugin that gives the attacker control of the device, such as the ability to connect to the dispatch system and to the various sensors. The manufacturer responded by removing the default login credentials from its website. However, the hackers set up their management servers on compromised devices even after that security update. This indicates either that some operators never changed the default passwords, or that the hackers guessed the new passwords by password spraying, that is, trying a small set of likely passwords against many accounts so that no single account trips a lockout.
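Password spraying is the one part of the chain above that a building operator or its SOC can spot from authentication logs alone: unlike a brute-force attack on one account, a spray touches many accounts with only one or two attempts each. The script below is an added example written for this article; it is not code from Solar, RBC or Tekon Automatics, and the log line format, host names, user names and addresses it uses are constructed assumptions (adjust `LOG_RE` to whatever your controller or its front-end proxy actually emits). It parses the sample log, flags any source that tries at least five distinct accounts with at most two attempts per account inside a ten-minute window, and lists the accounts that source nevertheless logged into, which is exactly the "guessed the new password" case.

```python
"""Detect password spraying against controller logins in a (constructed) auth log."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log for this example; not a real Tekon Automatics log and
# not from any report. Line format is an assumption: "<iso-ts> <host> auth <ok|fail> user=<u> src=<ip>"
SAMPLE_LOG = """\
2024-01-15T10:00:01 lift-ctl-01 auth fail user=admin src=203.0.113.7
2024-01-15T10:00:03 lift-ctl-01 auth fail user=dispatcher src=203.0.113.7
2024-01-15T10:00:05 lift-ctl-01 auth fail user=service src=203.0.113.7
2024-01-15T10:00:07 lift-ctl-01 auth fail user=operator src=203.0.113.7
2024-01-15T10:00:09 lift-ctl-01 auth fail user=engineer src=203.0.113.7
2024-01-15T10:00:11 lift-ctl-01 auth ok user=maint src=203.0.113.7
2024-01-15T10:02:00 lift-ctl-01 auth fail user=dispatcher src=192.0.2.10
2024-01-15T10:02:05 lift-ctl-01 auth fail user=dispatcher src=192.0.2.10
2024-01-15T10:02:20 lift-ctl-01 auth ok user=dispatcher src=192.0.2.10
"""

LOG_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) auth (?P<result>ok|fail) "
    r"user=(?P<user>\S+) src=(?P<src>\S+)$"
)


def parse_log(text):
    """Turn log text into a list of event dicts; lines in another format are skipped."""
    events = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        ev = m.groupdict()
        ev["ts"] = datetime.fromisoformat(ev["ts"])
        events.append(ev)
    return events


def detect_spraying(events, window=timedelta(minutes=10), min_users=5, max_per_user=2):
    """Flag sources that try many accounts with few attempts each inside `window`.

    Brute force hammers one account; spraying is the inverse (a few candidate
    passwords across many accounts), which keeps each account under the lockout
    threshold. One finding per source is returned, including any account the
    same source then logged into successfully.
    """
    by_src = defaultdict(list)
    for ev in events:
        by_src[ev["src"]].append(ev)

    findings = []
    for src, evs in by_src.items():
        evs.sort(key=lambda e: e["ts"])
        # Slide the window over this source's events, starting at each event in turn.
        for i in range(len(evs)):
            start = evs[i]["ts"]
            per_user = defaultdict(int)
            successes = set()
            for ev in evs[i:]:
                if ev["ts"] - start > window:
                    break
                per_user[ev["user"]] += 1
                if ev["result"] == "ok":
                    successes.add(ev["user"])
            if len(per_user) >= min_users and max(per_user.values()) <= max_per_user:
                findings.append({
                    "src": src,
                    "users": sorted(per_user),
                    "attempts": sum(per_user.values()),
                    "compromised": sorted(successes),
                })
                break
    return findings


if __name__ == "__main__":
    for f in detect_spraying(parse_log(SAMPLE_LOG)):
        print(f"spray from {f['src']}: {f['attempts']} attempts on {len(f['users'])} accounts; "
              f"logged in as {f['compromised'] or 'nobody'}")
```

The second source in the sample (one user failing twice, then succeeding) is a normal mistyped password and is not flagged, since the rule keys on account breadth rather than failure count. Tune `min_users` and `max_per_user` to the size of the controller's account list, and treat any `compromised` entry as a confirmed foothold rather than a mere attempt.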
