TP-Link routers provide entry point for Chinese hackers

Malicious firmware being used to build chain of devices to snoop on European government entities, says Check Point

Malicious firmware is vendor-agnostic, so other routers, not just TP-Link, are at risk of being co-opted into a 'sophisticated' attack

A malicious firmware implant designed to infect TP-Link routers has been discovered by researchers at security vendor Check Point.

The malicious code contains a custom implant which the researchers called "Horse Shell", as well as a passive back door. It has been used by attackers to gain control over compromised devices and access to networks without being detected. The ultimate targets are mostly European political entities, according to Check Point, although their exact identities have not been made public.

Check Point Research attributes the attacks to a Chinese state-sponsored Advanced Persistent Threat (APT) group, which it calls "Camaro Dragon." The group seems to be closely related to another APT known as Mustang Panda.

Activities of Mustang Panda and related groups against NGOs and government entities have been reported since 2017, and Check Point Research says it has observed it carrying out "sophisticated attacks targeting officials in multiple European countries", since the start of this year.

The mode of infection in this case is not clear, but Check Point researchers say in a blog post that "router implants are often installed on arbitrary devices with no particular interest, with the aim to create a chain of nodes between the main infections and real command and control."

This particular attack seems to be aimed at home routers rather than the ultimate goal, suggesting the attackers are building up a chain of devices to aid their mission.

It is likely that the attackers gain control over infected routers through a combination of known vulnerabilities and weak authentication.

The malware is designed to be vendor-agnostic, according to the researchers, meaning it could be used to infect routers made by other manufacturers, not just TP-Link devices.

This finding emphasises the need for organisations and domestic users to strengthen the security of their network devices, updating firmware, changing default credentials to strong passwords and using multi-factor authentication (MFA).

New regulations in the US and in Europe require vendors to bolster their products to protect against supply chain attacks.

"Computers, phones, household appliances, virtual assistance devices, cars, toys… each and every one of these hundreds of millions of connected products is a potential entry point for a cyberattack," commented Thierry Breton, EU commissioner for the internal market, last year.