US and Japanese law enforcement and cybersecurity agencies have issued a joint advisory on the ‘BlackTech’ hacking group, which they assess to be backed by the Chinese government. According to the advisory from the FBI, NSA and CISA together with Japan’s NISC and NPA, the group compromises network devices and plants custom backdoors in them, then uses compromised routers at international subsidiaries as a path into the headquarters networks of global companies.
BlackTech, also tracked as Palmerworm, Circuit Panda and Radio Panda, is an Advanced Persistent Threat (APT) group with suspected ties to China. Since 2010 it has conducted cyber espionage against organizations in Japan, Taiwan and Hong Kong, mainly in the government, defense, media, telecommunications, electronics, industrial and technology sectors.
The advisory highlights BlackTech’s preference for custom malware, which the group updates routinely. The malware is used to backdoor network devices, gain initial access, maintain persistence, and redirect traffic to servers the attackers control.
Notably, the malware is signed with stolen code-signing certificates, which makes it harder for security tooling to flag. Using stolen administrator credentials, the attackers can compromise a wide range of router models; once on a device they alter its firmware to stay hidden and to move laterally within the network.
The report detailed the strategy, saying: “After entering the target network and seizing control of its edge devices, BlackTech hackers modify the firmware to conceal their traces. They then pivot, exploiting the trust established by branch routers with the main corporate network. Compromised routers on the public face are used as conduits for directing traffic, blending into genuine corporate traffic and accessing other potential victims on the same network.”
The group’s tooling lets it hide the commands it has executed, modify firmware, and disable device logging while it operates. On Cisco routers it goes further, sending specially crafted TCP or UDP packets (so-called magic packets) to a device to silently switch a hidden SSH backdoor on and off.
Researchers also found that on some devices the attackers modify firmware in memory so that the altered image is not rejected by signature verification. The aim of all this effort is persistent, unrestricted access to the device that leaves as little trace as possible.
Administrators should watch for unexpected downloads of bootloader or firmware images and for unexplained device reboots, since both accompany a firmware swap. Unexpected SSH traffic to or from routers, especially internet-facing ones, should raise alarms, as should the SSH service appearing on a device where it was not enabled. Because the attackers target the firmware itself, a device having booted is no proof of its integrity: the running image should be checked against the vendor’s published hashes.
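As an added example (not code from the advisory, the article or any vendor), the following Python script applies the checks above to router syslog. It runs over a handful of constructed, simplified Cisco IOS-style log lines embedded in the script; the message mnemonics are modelled on IOS syslog output but the lines are not from a real incident, and the policy values (allowed jump host, approved image server, maintenance hours) are assumptions for the example.

```python
"""Review router syslog for signs of the BlackTech tradecraft described above:
unexpected image downloads, reboots outside maintenance, remote logging being
switched off, SSH being enabled, and SSH logins from unexpected sources."""
import re
from datetime import datetime
from urllib.parse import urlparse

# Constructed, simplified Cisco IOS-style syslog lines (not from a real incident).
# Assumed layout: "<Mon> <day> <HH:MM:SS> <host> <seq>: <message>".
SAMPLE_LOG = """\
Oct  1 02:10:11 edge-rtr-1 1201: %SEC_LOGIN-5-LOGIN_SUCCESS: Login Success [user: admin] [Source: 10.20.0.5] [localport: 22]
Oct  1 02:11:02 edge-rtr-1 1202: %SYS-5-CONFIG_I: Configured from console by admin on vty0 (10.20.0.5)
Oct  1 02:11:30 edge-rtr-1 1203: %SYS-6-LOGGINGHOST_STARTSTOP: Logging to host 10.20.0.50 port 514 stopped - CLI initiated
Oct  1 02:12:05 edge-rtr-1 1204: Copied file tftp://203.0.113.9/c2900-universalk9-mz.SPA.bin to bootflash:
Oct  1 02:12:40 edge-rtr-1 1205: %SYS-5-RELOAD: Reload requested by admin on vty0 (10.20.0.5). Reload Reason: Reload Command.
Oct  1 02:16:03 edge-rtr-1 1: %SYS-5-RESTART: System restarted --
Oct  1 02:17:10 edge-rtr-1 2: %SSH-5-ENABLED: SSH 2.0 has been enabled
Oct  1 02:18:44 edge-rtr-1 3: %SEC_LOGIN-5-LOGIN_SUCCESS: Login Success [user: admin] [Source: 198.51.100.77] [localport: 22]
Oct  1 09:00:05 edge-rtr-1 4: %SEC_LOGIN-5-LOGIN_SUCCESS: Login Success [user: netops] [Source: 10.20.0.5] [localport: 22]
"""

# Assumed site policy for the example: who may SSH to routers, where images
# may be fetched from, and the hours in which reloads/upgrades are expected.
POLICY = {
    "admin_sources": {"10.20.0.5"},
    "image_servers": {"10.20.0.60"},
    "maintenance_hours": range(22, 24),
}

LINE_RE = re.compile(r"^(?P<ts>\w{3}\s+\d{1,2} \d\d:\d\d:\d\d) (?P<host>\S+) \d+: (?P<msg>.*)$")
LOGIN_RE = re.compile(r"%SEC_LOGIN-5-LOGIN_SUCCESS: .*\[Source: (?P<src>[\d.]+)\]")
COPY_RE = re.compile(r"Copied file (?P<url>\S+) to (?P<dest>\S+)")


def parse_line(line, year=2023):
    """Split one syslog line into timestamp, host and message (syslog omits the year)."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(f"{m['ts']} {year}", "%b %d %H:%M:%S %Y")
    return {"ts": ts, "host": m["host"], "msg": m["msg"]}


def review(log_text, policy=POLICY):
    """Return a list of findings, each a dict with 'kind', 'ts', 'host' and 'detail'."""
    findings = []
    for raw in log_text.splitlines():
        ev = parse_line(raw)
        if ev is None:
            continue
        ts, host, msg = ev["ts"], ev["host"], ev["msg"]
        in_window = ts.hour in policy["maintenance_hours"]

        def flag(kind, detail):
            findings.append({"kind": kind, "ts": ts, "host": host, "detail": detail})

        # SSH login from a host that is not an approved jump host.
        if (m := LOGIN_RE.search(msg)) and m["src"] not in policy["admin_sources"]:
            flag("ssh_login_unexpected_source", m["src"])
        # Remote logging switched off: attackers disable logs before acting.
        if "%SYS-6-LOGGINGHOST_STARTSTOP" in msg and "stopped" in msg:
            flag("remote_logging_stopped", msg)
        # Image copied to flash from an unapproved server or outside maintenance.
        if (m := COPY_RE.search(msg)):
            server = urlparse(m["url"]).hostname
            if server not in policy["image_servers"] or not in_window:
                flag("unexpected_image_copy", m["url"])
        # Reload/restart outside the maintenance window: a firmware swap needs one.
        if ("%SYS-5-RELOAD" in msg or "%SYS-5-RESTART" in msg) and not in_window:
            flag("reload_outside_window", msg)
        # SSH service coming up unexpectedly, as a hidden backdoor being enabled would.
        if "%SSH-5-ENABLED" in msg and not in_window:
            flag("ssh_enabled_outside_window", msg)
    return findings


if __name__ == "__main__":
    for f in review(SAMPLE_LOG):
        print(f"{f['ts']:%b %d %H:%M:%S} {f['host']} {f['kind']}: {f['detail']}")
```

On the sample, the script reports six findings in sequence: remote logging stopped, an image copied from an unapproved TFTP server, a reload and a restart outside the maintenance window, SSH being enabled, and finally an SSH login from an unexpected address. Individually each could be a careless admin; together, in that order, they match the firmware-swap-then-backdoor pattern the advisory describes, which is why the checks are worth correlating rather than alerting on in isolation.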
Cisco, in its own advisory, said there is no indication that BlackTech exploited any vulnerabilities in Cisco products or that any Cisco code-signing certificate was stolen; the most common initial access vector it saw was stolen or weak administrative credentials. Cisco also noted that the firmware-downgrade technique used to get around security checks only applies to its older, legacy products.
Network administrators are urged to keep devices patched and to never expose management interfaces to the public internet.