APT Groups Attacking Construction Industry Networks to Steal RDP, SSH and Citrix Logins

In Cybersecurity News - Original News Source is cybersecuritynews.com by Blog Writer

The construction industry has emerged as a lucrative target for advanced persistent threat groups and organized cybercriminal networks seeking unauthorized access to corporate systems.

State-sponsored APT groups from China, Russia, Iran, and North Korea are increasingly focusing their operations on the building and construction sector, exploiting the industry’s rapid digital transformation and heavy reliance on third-party vendors.

These threat actors are targeting construction companies to steal login credentials for Remote Desktop Protocol (RDP), Secure Shell (SSH), and Citrix systems, which serve as gateways to sensitive project data, financial records, and proprietary blueprints.

The attacks exploit weak security practices and outdated legacy systems prevalent throughout the construction sector.

Cybercriminals employ phishing emails, compromised credentials, and supply chain vulnerabilities to establish initial footholds within target networks.

The sector’s widespread use of cloud-based project management tools and insufficient employee cybersecurity training create additional opportunities for exploitation.

Once threat actors gain access, they leverage interconnected systems to move laterally across networks and exfiltrate valuable data including contracts, Building Information Modeling (BIM) files, and personal information of employees and clients.

Rapid7 security researchers identified that many threat actors now purchase access to construction company networks through underground forums rather than conducting resource-intensive initial compromise operations themselves.

These dark web marketplaces feature intermediaries and brokers who sell credentials to previously breached networks across all industries, with the construction sector representing a significant portion of available access.

Access types traded include VPN, RDP, SSH, Citrix, SMTP, and FTP credentials, with pricing determined by the target organization’s size and network complexity.

The evolving threat landscape underscores the urgent need for construction companies to implement comprehensive cybersecurity measures.

The complex, collaborative nature of construction projects and the frequent exchange of sensitive documents amplify the risk, making the sector a prime target for corporate espionage, financial gain, and extortion through ransomware campaigns designed to disrupt project timelines.

Dark Web Credential Marketplaces

The underground economy for stolen construction industry credentials has flourished in recent months, with specialized forums facilitating the sale of network access to threat actors worldwide.

Rapid7 researchers observed numerous listings advertising access to construction company networks, with prices varying based on the target’s revenue, geographic location, and the level of access provided.

These marketplaces operate with sophisticated rating systems and escrow services, providing buyers with assurances about the validity of purchased credentials.

Sellers often provide screenshots of active sessions or network diagrams to verify their access, creating a streamlined supply chain that lowers the barrier to entry for cybercriminal operations targeting the construction sector.

VPN, RDP, Cpanel access to a construction company for sale on the dark web (Source – Rapid7)

The listing above is another example of VPN, RDP, and cPanel access to construction companies being offered for sale, and it highlights the variety of access types available to prospective buyers.

The availability of these credentials enables ransomware operators and data extortion groups to quickly scale their operations, bypassing traditional defense mechanisms and exploiting the trust inherent in legitimate remote access tools.
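Because purchased credentials let an intruder log in through the same RDP and SSH front doors that legitimate staff use, the practical defensive question for the companies described above is how to tell a bought-and-paid-for logon from a normal one. The script below is an added example written for this page; it is not code from the article or from Rapid7. It normalises two kinds of logon records into one event stream and applies two checks that flag the typical footprint of stolen or traded credentials: a successful logon that follows a burst of failures from the same source, and a successful logon for an account from a source that account has never used before. The sshd lines follow the standard OpenSSH syslog format; the `rdp logon ...` lines and the `BASELINE_SOURCES` table are constructed, simplified stand-ins (assumptions, not a real Windows event format or a real baseline), and the usernames and addresses are invented.

```python
import re
from dataclasses import dataclass
from datetime import datetime, timedelta

# Constructed sample data (not from the article). The sshd lines use the real
# OpenSSH syslog format; the "rdp logon" lines are a simplified, constructed
# representation of remote desktop logon events, not a real Windows log format.
SAMPLE_LOG = """\
2024-05-01T08:00:01 sshd[101]: Accepted publickey for ops from 198.51.100.10 port 50000 ssh2
2024-05-01T08:05:12 sshd[102]: Failed password for pm_rivera from 203.0.113.5 port 51230 ssh2
2024-05-01T08:05:14 sshd[102]: Failed password for pm_rivera from 203.0.113.5 port 51231 ssh2
2024-05-01T08:05:16 sshd[102]: Failed password for pm_rivera from 203.0.113.5 port 51232 ssh2
2024-05-01T08:05:19 sshd[102]: Failed password for pm_rivera from 203.0.113.5 port 51233 ssh2
2024-05-01T08:05:22 sshd[102]: Failed password for pm_rivera from 203.0.113.5 port 51234 ssh2
2024-05-01T08:05:25 sshd[102]: Accepted password for pm_rivera from 203.0.113.5 port 51235 ssh2
2024-05-01T09:10:00 rdp logon user=estimator1 src=192.0.2.77 result=success
2024-05-01T09:12:00 rdp logon user=ops src=198.51.100.10 result=success
"""

# Constructed baseline: the source addresses each account has previously
# logged in from. In practice this would be built from weeks of real logs.
BASELINE_SOURCES = {
    "ops": {"198.51.100.10"},
    "pm_rivera": {"198.51.100.22"},
    "estimator1": {"198.51.100.30"},
}

SSH_RE = re.compile(
    r"^(?P<ts>\S+) sshd\[\d+\]: (?P<result>Accepted|Failed) (?:password|publickey) "
    r"for (?:invalid user )?(?P<user>\S+) from (?P<ip>\S+) port \d+"
)
RDP_RE = re.compile(
    r"^(?P<ts>\S+) rdp logon user=(?P<user>\S+) src=(?P<ip>\S+) result=(?P<result>\w+)"
)


@dataclass
class LogonEvent:
    ts: datetime
    service: str   # "ssh" or "rdp"
    user: str
    ip: str
    success: bool


def parse_line(line):
    """Normalise one SSH or RDP log line into a LogonEvent, or None if unrecognised."""
    m = SSH_RE.match(line)
    if m:
        return LogonEvent(datetime.fromisoformat(m["ts"]), "ssh",
                          m["user"], m["ip"], m["result"] == "Accepted")
    m = RDP_RE.match(line)
    if m:
        return LogonEvent(datetime.fromisoformat(m["ts"]), "rdp",
                          m["user"], m["ip"], m["result"] == "success")
    return None


def parse_log(text):
    """Parse all recognised lines and return them ordered by timestamp."""
    events = [parse_line(line) for line in text.splitlines() if line.strip()]
    return sorted((e for e in events if e is not None), key=lambda e: e.ts)


def success_after_failures(events, threshold=5, window=timedelta(minutes=10)):
    """Flag a successful logon preceded by >= threshold failures for the same
    account from the same source inside the window (a guess that finally worked)."""
    alerts = []
    for i, ev in enumerate(events):
        if not ev.success:
            continue
        prior_failures = [p for p in events[:i]
                          if not p.success and p.user == ev.user and p.ip == ev.ip
                          and ev.ts - p.ts <= window]
        if len(prior_failures) >= threshold:
            alerts.append({"rule": "success_after_failures", "ts": ev.ts, "service": ev.service,
                           "user": ev.user, "ip": ev.ip, "failures": len(prior_failures)})
    return alerts


def new_source_logins(events, baseline):
    """Flag a successful logon from a source the account has never used before;
    accounts absent from the baseline are treated as having no known sources."""
    return [{"rule": "new_source", "ts": ev.ts, "service": ev.service, "user": ev.user, "ip": ev.ip}
            for ev in events
            if ev.success and ev.ip not in baseline.get(ev.user, set())]


def analyze(text, baseline):
    """Run both checks over a log and return the alerts ordered by time."""
    events = parse_log(text)
    alerts = success_after_failures(events) + new_source_logins(events, baseline)
    return sorted(alerts, key=lambda a: (a["ts"], a["rule"]))


if __name__ == "__main__":
    for alert in analyze(SAMPLE_LOG, BASELINE_SOURCES):
        print(alert)
```

On the constructed sample this raises three alerts: `pm_rivera` trips both rules (five failures then a success from 203.0.113.5, an address the account has never used), `estimator1` trips the new-source rule from 192.0.2.77, and `ops` logging in over both SSH and RDP from its usual address raises nothing. The new-source rule is the one that matters most for brokered access, since a buyer who already holds a valid password produces no failure burst at all; its usefulness depends entirely on the quality of the baseline, so a real deployment would seed it from a long window of known-good logons and add a network or geography dimension rather than matching exact addresses.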
