Authorities warn of Chinese 'BlackTech' hackers

Group installs custom malware on routers to compromise firms

Authorities warn of Chinese 'BlackTech' hackers

Cybersecurity agencies in the USA and Japan have warned multinational companies about a China-linked hacker group known as BlackTech.

The joint advisory, issued by the US Cybersecurity and Infrastructure Security Agency (CISA), the NSA, FBI and Japanese law enforcement, encouraged firms to assess the security of their subsidiaries' internet routers to mitigate the threat.

The authoring agencies said Chinese hackers are implanting malware into routers, creating covert backdoor access to the networks of multinational firms based in the United States and Japan.

"BlackTech has demonstrated capabilities in modifying router firmware without detection and exploiting routers' domain-trust relationships to pivot from international subsidiaries to headquarters in Japan and the United States, which are the primary targets," the statement said.

BlackTech, aka Palmerworm, Circuit Panda, Radio Panda and Temp.Overboard, has been actively involved in cyberattacks against government entities and technology companies in the US and East Asia since approximately 2010.

The group uses custom-designed malware, dual-use tools, and "living off the land" tactics to conceal its activities.

BlackTech is "somehow" acquiring administrator credentials for network devices employed by firms' subsidiaries, leveraging this control to install malicious firmware. The firmware can then be activated using "magic packets" to execute specific tasks.

"Specifically, upon gaining an initial foothold into a target network and gaining administrator access to network edge devices, BlackTech cyber actors often modify the firmware to hide their activity across the edge devices to further maintain persistence in the network."

Although the group has targeted various router brands, the agencies have noted multiple instances of BlackTech focusing on Cisco routers.

In those instances, threat actors managed to replace the firmware with malicious tools, granting them elevated privileges inside the network.

In some case, the hackers exploited a Cisco automation tool to erase any evidence of their activities automatically.

In its own advisory, Cisco said the threat actors are compromising the devices by obtaining administrator credentials. There is no evidence to suggest they are exploiting vulnerabilities.

Cisco further noted that the hackers' ability to install malware is limited to its older products.

"Modern Cisco devices include secure boot capabilities, which do not allow the loading and executing of modified software images," the company said.

The joint advisory encouraged administrators to implement various measures aimed at detecting infections and minimising the risk of potential attacks.

It also emphasised that certain traditional detection methods, like inspecting firmware for cryptographic signatures, may not be effective in this context.