CICADA_V (3301) targets a Niagara AX BMS in Louisiana and brings legacy system exposure back into focus

Executive Summary

CICADA_V (3301) published a message in Russian claiming to have obtained read-only access to a Niagara AX BMS associated with a target identified as Sheriff’s Pension Fund, in Baton Rouge, Louisiana, United States.

The actor states that the system controls heating, ventilation and air-conditioning components, including rooftop AHU units, multiple VAV units, a chilled water plant, alarms and audit logs. It also mentions the existence of a superadmin user named lacontrols, active until March 2025, and lists historical vulnerabilities associated with Niagara AX.

The publication does not demonstrate effective operational control or confirm the ability to manipulate the physical environment. The actor itself acknowledges that its current access is read-only and that full control has not yet been achieved. However, this indicator is relevant because it combines legacy BMS exposure, references to old vulnerabilities, a U.S. target and a narrative of progressive access toward “full control”.

Key Judgments

  • CICADA_V (3301) claimed read-only access to a Niagara AX BMS in Louisiana.
  • The vulnerabilities cited by the actor correspond to known historical weaknesses in Niagara AX, which adds technical plausibility to the narrative but does not validate the declared access.
  • The most relevant aspect of the indicator is the exposure of legacy BMS/OT environments and the possibility of unauthorized access to building automation systems.

What Happened

CICADA_V (3301) disseminated a publication in Russian claiming to have entered a Niagara AX BMS associated with Sheriff’s Pension Fund, in Baton Rouge, Louisiana.

The actor identifies the IP address 70.169.87.138 and describes the environment as a smart-building installation responsible for heating, ventilation and air conditioning. According to the message, the system includes two rooftop AHU units, forty-four VAV units distributed across the building, a chilled water plant, alarms and audit logs with more than 6,000 events.

The publication states that access was obtained and that a password was reset. At the same time, the actor presents the status as read-only and claims that full control remains pending due to a barrier attributed to SonicWall.

The message also lists historical vulnerabilities associated with Niagara AX, including directory traversal, exposure of passwords in configuration files, credentials in Base64-encoded cookies and abuse of guest functionality with potential remote code execution.

Operational Assessment

iQBlack assesses this information as a BMS access announcement under validation, as the actor provides technical details that are consistent with a legacy Niagara AX environment and with real vulnerabilities documented since 2012. NVD describes CVE-2012-4027 as a directory traversal flaw in Niagara AX Framework that can allow files to be read outside intended paths, including config.bog. NVD also describes CVE-2012-4701 as a directory traversal vulnerability in Niagara AX 3.5, 3.6 and 3.7 that can allow sensitive files to be read and, under certain conditions, code execution. Tenable, for its part, summarizes multiple historical vulnerabilities in Tridium Niagara AX, including credential exposure and session issues.
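For defenders reviewing web logs from a legacy Niagara AX station, the CVE descriptions above imply two things to look for: path traversal sequences and requests that name config.bog. The following is an added example, not code from iQBlack or Tridium; the Common Log Format input, the URL paths and the documentation-range addresses are constructed assumptions, not real Niagara request paths.

```python
import re
from urllib.parse import unquote

# Constructed sample lines (Common Log Format assumed). Paths are illustrative,
# not real Niagara AX URLs; addresses come from documentation ranges.
SAMPLE_LOG = """\
198.51.100.7 - - [01/Jan/2025:10:14:01 +0000] "GET /login HTTP/1.1" 200 1834
198.51.100.7 - - [01/Jan/2025:10:14:09 +0000] "GET /files/../../config.bog HTTP/1.1" 200 48211
203.0.113.40 - - [01/Jan/2025:10:15:30 +0000] "GET /files/%2e%2e%2f%2e%2e%2fconfig.bog HTTP/1.1" 404 0
203.0.113.40 - - [01/Jan/2025:10:15:31 +0000] "GET /files/%252e%252e%255cetc HTTP/1.1" 403 0
192.0.2.15 - - [01/Jan/2025:10:16:00 +0000] "GET /station/summary.html HTTP/1.1" 200 920
"""

LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+) [^"]*" (\d{3}) \S+')
TRAVERSAL_RE = re.compile(r'(^|[\\/])\.\.([\\/]|$)')   # "../" or "..\" path segment
SENSITIVE_RE = re.compile(r'config\.bog', re.IGNORECASE)

def normalize(path, max_rounds=3):
    """Percent-decode repeatedly so double-encoded sequences are exposed."""
    for _ in range(max_rounds):
        decoded = unquote(path)
        if decoded == path:
            break
        path = decoded
    return path

def scan(log_text):
    """Return one finding per request that shows traversal or names config.bog."""
    findings = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip lines that are not in the assumed format
        src, _method, raw_path, status = m.groups()
        path = normalize(raw_path)
        reasons = []
        if TRAVERSAL_RE.search(path):
            reasons.append("traversal")
        if SENSITIVE_RE.search(path):
            reasons.append("config.bog")
        if reasons:
            # A 2xx status means the server returned content: triage these first.
            findings.append({"src": src, "path": raw_path, "status": int(status),
                             "reasons": reasons, "served": status.startswith("2")})
    return findings

if __name__ == "__main__":
    for finding in scan(SAMPLE_LOG):
        print(finding)
```

A flagged request with `served` set to true does not prove compromise on its own, but it is the case where credential rotation and a review of the station's configuration files should not wait for further validation.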

That technical framework makes the narrative plausible, but it is not sufficient to confirm real access to the indicated system. The presence of known vulnerabilities does not demonstrate effective exploitation, and the mention of HVAC components does not allow the conclusion that the actor has manipulation capability.

The distinction between read-only access and full control is important. The actor itself acknowledges that it has not yet achieved full operational control. That admission reduces the value of an alarmist reading, but increases the monitoring interest because it may point to a reconnaissance phase, initial persistence or preparation for escalation.

The reference to SonicWall as an obstacle also suggests that the actor is attempting to present a narrative of partial intrusion with a perimeter barrier still to be bypassed. At this stage, it cannot be determined whether that barrier actually exists or whether the actor is only observing the system from a limited interface.

Intelligence Significance

The publication is relevant because it once again exposes the symbolic and operational value of legacy BMS systems.

Niagara AX and other building automation systems can remain active for years with old configurations, exposed interfaces, weak credentials or legacy dependencies. Even when an actor does not achieve full control, the display of access to HVAC, alarms, logs or chilled water plants can generate reputational impact, institutional concern and a perception of physical risk.

For threat actors, BMS systems offer an attractive surface because they are technically specific, visually communicable and difficult to explain publicly without generating concern. The mere assertion of access can be used as a pressure tool.

In this case, the immediate risk should remain under assessment because, so far, there is not enough evidence to assert manipulation or real physical impact. However, for iQBlack’s CTI team, the combination of a U.S. target, legacy BMS, historical vulnerabilities and a promise of escalation justifies continued monitoring.

Analytical Closing

CICADA_V (3301) claims to have obtained read-only access to a Niagara AX system associated with Sheriff’s Pension Fund in Baton Rouge, Louisiana. The publication combines plausible technical details, references to historical vulnerabilities and a narrative of progression toward full control.

Until independent evidence becomes available, iQBlack assesses the case as a preliminary indicator of BMS/OT exposure.

iQBlack | Threat Intelligence & Threat Research . © Copyright 2026. All Rights Reserved