China-linked threat actor BlackTech infiltrated the corporate networks of multinational U.S. and Japanese businesses through elaborate attacks that included modifying router firmware at victim organizations’ overseas branch offices.
By penetrating edge devices in subsidiary offices, the advanced persistent threat (APT) group was able to pivot from target businesses’ smaller, often less secure, routers into their headquarter networks.
Details of BlackTech’s activities were outlined in a joint Sept. 27 advisory from the U.S. National Security Agency (NSA), the FBI, the Cybersecurity and Infrastructure Security Agency (CISA), the Japan National Police Agency (NPA), and the Japan National Center of Incident Readiness and Strategy for Cybersecurity (NISC).
In the advisory, the agencies said BlackTech used the attacks to deploy backdoor malware. They urged multinational organizations to review all network connections with their subsidiary offices and listed a range of security measures they should take to mitigate the APT gang’s potential risk.
“BlackTech actors have compromised several Cisco routers using variations of a customized firmware backdoor. The backdoor functionality is enabled and disabled through specially crafted TCP or UDP packets,” the agencies said.
“In some cases, BlackTech actors replace the firmware for certain Cisco IOS-based routers with malicious firmware. Although BlackTech actors already had elevated privileges on the router to replace the firmware via command-line execution, the malicious firmware is used to establish persistent backdoor access and obfuscate future malicious activity.”
According to the advisory, the techniques used by the group, which has been active since 2010, were not limited to Cisco routers, and could be applied to other network equipment.
“The group's tactic of hacking into network edge devices and implanting malicious firmware illustrates a high level of technical proficiency and a focus on maintaining long-term, stealthy access within targeted networks,” said Callie Guenther, cyber threat research senior manager at Critical Start.
“By modifying router firmware, particularly on Cisco routers, the group ensures persistence and the ability to maneuver undetected across corporate networks.”
Stolen or weak administrative credentials likely used for access
In a response to the advisory, Cisco said the most common way the BlackTech gang gained initial access in the attacks was by using stolen or weak administrative credentials.
“There is no indication that any Cisco vulnerabilities were exploited. Attackers used compromised credentials to perform administrative-level configuration and software changes,” the company said.
The agencies said the threat actors used stolen code-signing certificates to sign the malicious payloads they dropped in the attacks, but Cisco said it was not aware of any of its certificates being stolen to perform attacks against its equipment.
John Gallagher, vice president of Viakoo Labs, said routers and other Internet of Things (IoT) devices were a popular means of access for threat groups because they tended to fall outside the direct management of IT departments and had inherently poor security.
The lack of secure firmware distribution was also a widespread security issue with edge, IoT and operational technology devices, he said.
“Many firmware packages are not digitally signed and, even worse, are often downloaded through using a search engine that may provide links to compromised firmware. Before deploying new firmware onto IoT devices it should first go through testing in order to create a secure chain-of-trust in using that firmware.”
Guenther said given the potentially vulnerable nature of the edge devices BlackTech was targeting, organizations that could be in the threat group’s sites needed to exercise heightened vigilance.
“Enhancing monitoring practices, regularly updating and patching systems, and conducting thorough security assessments of network configurations are crucial steps in mitigating the risks posed by such sophisticated threats,” she said.
