The United States and Japan have jointly issued warnings regarding the infiltration of Cisco routers by Chinese hackers, specifically identifying the group as ‘BlackTech’. This group, also known by aliases such as Palmerworm, Circuit Panda, and Radio Panda, has been recognized as a state-sponsored Advanced Persistent Threat (APT) group. BlackTech has a history of conducting cyber espionage attacks on entities based in Japan, Taiwan, and Hong Kong since at least 2010. The sectors targeted by BlackTech include government, industrial, technology, media, electronics, telecommunications, and defense.
Detailed Modus Operandi
The joint report from agencies including the FBI, NSA, CISA, and the Japanese NISC and NPA reveals the detailed methods employed by BlackTech. The hackers utilize custom, regularly updated malware to install backdoors in network devices, enabling them to gain initial access to networks and redirect traffic to attacker-controlled servers. The malware is sometimes signed using stolen code-signing certificates, complicating its detection by security software. By leveraging stolen admin credentials, the attackers compromise a variety of router brands, models, and versions, establishing persistence and moving laterally on the network.
Techniques and Targets
Upon gaining an initial foothold and administrator access to network edge devices, BlackTech modifies the firmware to hide its activity and maintain persistence in the network. The group specifically targets branch routers used at remote branch offices, abusing their trusted relationship within the corporate network. The compromised routers are then used as part of its infrastructure for proxying traffic, blending in with corporate network traffic, and pivoting to other victims on the same corporate network. For Cisco routers, the attackers have been observed enabling and disabling an SSH backdoor using specially crafted TCP or UDP packets, allowing them to evade detection.
Mitigation and Defense Recommendations
The advisory provides several mitigation practices and recommendations for system administrators. These include monitoring for unauthorized downloads of bootloader and firmware images, treating SSH traffic observed on the router with high suspicion, and overseeing inbound/outbound traffic on devices. Additionally, administrators are advised to permit only specific IP addresses for network administrators, act promptly to change all passwords and keys when a breach is suspected, and scrutinize logs for anomalies. Utilizing the Network Device Integrity (NDI) Methodology to detect unauthorized alterations and routinely comparing boot records and firmware to trusted versions are also recommended.
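As an added illustration of the log-review and firmware-comparison recommendations above (example code written for this article, not from the advisory or any vendor tool): it scans constructed Cisco IOS-style syslog lines for SSH logins, configuration changes and reloads that originate outside an administrator IP allowlist, and checks a boot/firmware image's SHA-256 against a trusted digest. The hostnames, addresses and exact log wording are assumptions.

```python
import hashlib
import hmac
import re

# Constructed Cisco IOS-style syslog lines for demonstration; not real captures.
SAMPLE_LOGS = [
    "Jan 10 08:01:12 edge-rtr1 101: %SEC_LOGIN-5-LOGIN_SUCCESS: Login Success "
    "[user: netops] [Source: 192.0.2.10] [localport: 22] at 08:01:12 UTC Wed Jan 10 2024",
    "Jan 10 23:41:05 edge-rtr1 102: %SEC_LOGIN-5-LOGIN_SUCCESS: Login Success "
    "[user: netops] [Source: 198.51.100.77] [localport: 22] at 23:41:05 UTC Wed Jan 10 2024",
    "Jan 10 23:42:30 edge-rtr1 103: %SYS-5-CONFIG_I: Configured from console by netops on vty0 (198.51.100.77)",
    "Jan 10 23:50:02 edge-rtr1 104: %SYS-5-RELOAD: Reload requested by netops on vty0 (198.51.100.77).",
]

# Assumed administrator jump-host addresses; any other source is suspect.
ADMIN_ALLOWLIST = {"192.0.2.10"}

# Each pattern captures the acting user and the source address of the event.
EVENT_PATTERNS = (
    ("ssh_login_unexpected_source", re.compile(
        r"LOGIN_SUCCESS: Login Success \[user: (?P<user>\S+)\] \[Source: (?P<src>\S+)\] \[localport: 22\]")),
    ("config_change_unexpected_source", re.compile(
        r"CONFIG_I: Configured from \S+ by (?P<user>\S+) on \S+ \((?P<src>[^)]+)\)")),
    ("reload_unexpected_source", re.compile(
        r"RELOAD: Reload requested by (?P<user>\S+) on \S+ \((?P<src>[^)]+)\)")),
)


def review_logs(lines, allowlist=ADMIN_ALLOWLIST):
    """Return (finding, user, source_ip) for SSH logins, config changes and reloads
    whose source address is not an approved administrator host."""
    findings = []
    for line in lines:
        for label, regex in EVENT_PATTERNS:
            match = regex.search(line)
            if match is None:
                continue
            if match.group("src") not in allowlist:
                findings.append((label, match.group("user"), match.group("src")))
            break  # one event type per line
    return findings


def image_digest(image: bytes) -> str:
    """SHA-256 of a downloaded boot or firmware image."""
    return hashlib.sha256(image).hexdigest()


def firmware_matches_trusted(image: bytes, trusted_sha256: str) -> bool:
    """Compare an image pulled from the device against a trusted digest."""
    return hmac.compare_digest(image_digest(image), trusted_sha256.lower())
```

Run against the sample lines, the first login from the allowlisted host is silent while the late-night login, the configuration change and the reload from 198.51.100.77 are all reported.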
Context and Implications
This incident is part of a larger pattern of cybersecurity threats involving state-sponsored actors. The allegations against Chinese hackers highlight the ongoing challenges in international cybersecurity. The targeting of network devices has seen an uptick over the past year, with Chinese-aligned threat actors also targeting Fortinet, TP-Link, and SonicWall network devices with custom malware. Network devices, especially those that do not commonly support EDR (Endpoint Detection and Response) security solutions, are prime targets for data theft and initial access to a network.