Over the weekend, new reports revealed that an organized hacking group affiliated with the Chinese government is tampering with routers in attacks on various organizations and cybersecurity agencies in the United States and Japan.
According to the FBI, the National Security Agency (NSA), the Cybersecurity and Infrastructure Security Agency (CISA), and Japan's National Center of Incident Readiness and Strategy for Cybersecurity (NISC), the activity has been attributed to a group called BlackTech, which has carried out attacks since 2010.
The agencies said the group was modifying router firmware to conceal its activity targeting companies based in the U.S. and Japan.
“After gaining access to the subsidiaries’ internal networks, BlackTech actors are able to pivot from the trusted internal routers to other subsidiaries of the companies and the headquarters’ networks,” the agencies said.
The group has multiple names, including Palmerworm, Circuit Panda, and Radio Panda, and has targeted government organizations and companies in the industrial, technology, media, electronics, and telecommunication sectors.
“BlackTech actors exploit trusted network relationships between an established victim and other entities to expand their access in target networks. Specifically, upon gaining an initial foothold into a target network and gaining administrator access to network edge devices, BlackTech cyber actors often modify the firmware to hide their activity across the edge devices to further maintain persistence in the network.”
Eric Goldstein, executive assistant director for cybersecurity at CISA, told The Record that the advisory team on BlackTech is trying to push organizations to address the outlined risks and to contact law enforcement about any attacks.
“With our U.S. and international partners, CISA continues to call urgent attention to China’s sophisticated and aggressive global cyber operations to gain persistent access and, in the case of BlackTech actors, steal intellectual property and sensitive data,” Goldstein said to The Record. “BlackTech activity targets a wide range of public organizations and private industries across the U.S. and East Asia.”
BlackTech’s custom malware and efforts to cover up its tracks include disabling logging capabilities on routers so investigators cannot track their actions.
The group has continuously updated its evasion tools using stolen code-signing certificates, which allow it to make malicious software look legitimate.
According to the agencies' advisory, the group has become adept at blending its actions into the normal operations of a network, allowing it to evade endpoint detection services and other security tools.
BlackTech specifically targets smaller appliances used at more remote branch offices to connect to a corporate headquarters, also known as “branch routers.”
Compromising these devices gives the group a path into more central networks and lets its activity blend in with typical corporate network traffic.
With the group exploiting several brands of routers, the agencies said they have seen multiple Cisco versions targeted with custom malware, including BendyBear, Bifrose, BTSDoor, FakeDead, Flagpro, FrontShell, IconDown, PLEAD, SpiderPig, SpiderSpring, SpiderStack, and WaterBear.
They have been able to replace the firmware of some Cisco routers with malicious tools that give them elevated privileges in the network. In some cases, the hackers could abuse a Cisco task-automation tool to help erase traces of their activity. The agencies provide a lengthy list of actions companies can take to protect themselves.
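Because disabling router logging is one of the evasion steps the advisory describes, one defender-side check is to audit a router's saved configuration for statements that silence logging or that leave it without a remote syslog destination. The script below is an added illustration written for this article, not code from the agencies or from any vendor; the IOS-style configuration it scans is constructed, and the set of patterns it flags is an assumption about what an administrator would want to review, not a list taken from the advisory.

```python
"""Audit a Cisco IOS-style running configuration for weakened logging.

Added illustration for this article (not from the advisory): the sample
configuration is constructed, and the patterns below are an assumed
starting point for review, not an authoritative rule set.
"""

import re
from typing import Dict, List

# Constructed sample: a branch router whose logging has been switched off
# and which no longer forwards events to a central syslog collector.
SAMPLE_CONFIG = """\
hostname branch-rtr-01
!
no logging on
no logging console
logging buffered 4096
!
interface GigabitEthernet0/0
 ip address 192.0.2.1 255.255.255.0
!
end
"""

# Configuration statements that silence device logging (assumed checks).
SUSPECT_PATTERNS = {
    "global_logging_disabled": r"^no logging on\b",
    "console_logging_disabled": r"^no logging console\b",
    "monitor_logging_disabled": r"^no logging monitor\b",
}

# A remote syslog destination: 'logging host <addr>' or the older
# 'logging <ipv4>' form.
REMOTE_SYSLOG = r"^logging (host \S+|\d+\.\d+\.\d+\.\d+)"


def audit_logging(config: str) -> Dict[str, List[str]]:
    """Return findings keyed by category.

    Each value lists the offending configuration lines. The category
    'no_remote_syslog' is added when no remote logging destination is
    configured at all, since local-only logs are easy to erase on the device.
    """
    findings: Dict[str, List[str]] = {}
    has_remote = False
    for raw in config.splitlines():
        line = raw.strip()
        if re.match(REMOTE_SYSLOG, line):
            has_remote = True
        for name, pattern in SUSPECT_PATTERNS.items():
            if re.match(pattern, line):
                findings.setdefault(name, []).append(line)
    if not has_remote:
        findings["no_remote_syslog"] = ["no 'logging host' statement found"]
    return findings


def is_logging_weakened(config: str) -> bool:
    """True when the audit produced at least one finding."""
    return bool(audit_logging(config))


if __name__ == "__main__":
    for category, lines in audit_logging(SAMPLE_CONFIG).items():
        print(f"{category}: {lines}")
```

Run against a configuration pulled from a device, the audit reports which logging statements have been turned off and whether events still leave the box; a clean configuration that keeps `logging on` and names a `logging host` produces no findings. Comparing the result with a known-good baseline, rather than reading the device in isolation, is what turns this into a change-detection control.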
The advisory came following reports from cybersecurity firms about the activities of China-based hackers. Volexity, a technology firm focusing on threat intelligence, said it found a five-year campaign by hackers referred to as EvilBamboo targeting Tibetan, Uyghur, and Taiwanese individuals and organizations.
Palo Alto Networks also found an espionage campaign targeting a government in Southeast Asia.
The Record’s parent company, Recorded Future, released a report on a multi-year campaign by Chinese actors against South Korean organizations. In response to the report, China’s Ministry of State Security stated that the NSA engaged in an attack against Northwestern Polytechnical University and has long targeted Chinese organizations.
“The United States is trying its best to portray itself as a ‘cyberattack victim,’ inciting and coercing other countries to join the so-called ‘clean network’ program under the banner of ‘maintaining network security,’ in an attempt to eliminate Chinese companies from the international network market,” the Chinese minister said on a Chinese social media site.
“At present, cyberspace has increasingly become a new battlefield for safeguarding national security,” he added.