US and Japanese Authorities Sound Alarm on China’s ‘BlackTech’ Cyber Espionage Group

Reading Time: ( Word Count: )

September 28, 2023

In a collaborative effort, US and Japanese law enforcement and cybersecurity entities have jointly raised an alert regarding the cyber activities of the ‘BlackTech’ hacking group, believed to be supported by the Chinese government. According to a report by the FBI, NSA, CISA, along with Japan’s NISC and NPA, this group has been infiltrating network devices to insert tailored backdoors. This maneuver allows them to access global companies’ primary networks through their international subsidiaries.

BlackTech, also recognized by names like Palmerworm, Circuit Panda, and Radio Panda, is an Advanced Persistent Threat (APT) group with suspected ties to China. Since 2010, this group has been implicated in cyber espionage activities against organizations in Japan, Taiwan, and Hong Kong. Their targets primarily span government, defense, media, telecommunications, electronics, industrial sectors, and technology.

The alert sheds light on BlackTech’s preference for custom malware, which they routinely update. This malware is utilized to implant backdoors into network devices, establish a persistent presence, gain initial network access, and divert data traffic to servers under their control.

What’s alarming is the use of stolen code-signing certificates to sign the malware, making detection by security systems increasingly challenging. The hackers, armed with pilfered administrator credentials, can exploit an extensive array of router types. Once in, they make firmware alterations to remain undetected and spread within the network.

Also Read: New GPU Attack on the Horizon: A Deep Dive into Vulnerability

US and Japanese Authorities Sound Alarm on China's 'BlackTech' Cyber Espionage Group

The report detailed the strategy, saying: “After entering the target network and seizing control of its edge devices, BlackTech hackers modify the firmware to conceal their traces. They then pivot, exploiting the trust established by branch routers with the main corporate network. Compromised routers on the public face are used as conduits for directing traffic, blending into genuine corporate traffic and accessing other potential victims on the same network.”

Among their toolkit, attackers have the capability to hide executed commands, modify firmware, deactivate device logs during their illicit operations, and even use crafty methods like sending particular TCP or UDP packets to devices, specifically Cisco routers, to stealthily enable SSH backdoors.

Research indicated that they even modify the memory of certain devices to get past signature verification. Such sophisticated methods underscore their goal: untraceable and unrestricted device access.

Administrators are advised to remain vigilant against unexpected firmware downloads and device reboots. Unexpected SSH traffic on routers should raise alarms.

Cisco, in its advisory, clarified that BlackTech doesn’t seem to exploit any vulnerabilities in its products or use any stolen certificates for malware signing. Additionally, methods that involve downgrading firmware for security circumvention are relevant only for older products.

Network administrators are urged to remain updated with patches and maintain a strict policy against public exposure of management interfaces.

Saher Mahmood

Saher Mahmood


Saher is a cybersecurity researcher with a passion for innovative technology and AI. She explores the intersection of AI and cybersecurity to stay ahead of evolving threats.

Other interesting articles

Automated vs Manual Penetration Testing

Automated vs Manual Penetration Testing

Pentesting is largely divided into two methodologies: Automated vs Manual Penetration Testing. Both have ...
8 Steps in Penetration Testing You Should Know

8 Steps in Penetration Testing You Should Know

Mastering the art of penetration testing has become a critical ability for security experts to combat cyber ...
Spear Phishing vs Whaling: What is the Difference

Spear Phishing vs Whaling: What is the Difference

Spear phishing is a particularly devious type of phishing assault in which the individual targeted plays a ...
How Often Should Penetration Testing Be Done

How Often Should Penetration Testing Be Done

Penetration testing is a crucial technique that involves simulating a cyberattack on networks, computer systems, ...

Submit a Comment

Your email address will not be published. Required fields are marked *