A China-linked state-sponsored hacker group has been modifying router firmware to install custom backdoors to gain access to corporate networks in the United States and Japan, a new security advisory from the US and Japanese intelligence services and law enforcement agencies warns.
Known as “BlackTech” (also tracked as Palmerworm, Temp.Overboard, Circuit Panda, and Radio Panda), the group has been targeting the government, industrial, technology, media, electronics, and telecommunication sectors since 2010. The threat actor leverages custom, regularly updated malware and remote access trojans (BendyBear, FakeDead, and FlagPro), dual-use tools, and living-off-the-land tactics, such as disabling logging on routers, to conceal its operations.
According to the agencies, in some cases, the custom malware was signed using stolen code-signing certificates to evade detection.
The group is known to backdoor network devices using stolen credentials to gain initial access to networks, establish persistence, and steal data by redirecting traffic to an attacker-controlled server.
“In some cases, BlackTech actors replace the firmware for certain Cisco IOS-based routers with malicious firmware…The modified firmware uses a built-in SSH backdoor, allowing BlackTech actors to maintain access to the compromised router without BlackTech connections being logged. BlackTech actors bypass the router's built-in security features by first installing older legitimate firmware that they then modify in memory to allow the installation of a modified, unsigned bootloader and modified, unsigned firmware,” the advisory explained.
The threat actor uses the compromised public-facing branch routers as part of their infrastructure for proxying traffic, blending in with corporate network traffic, and pivoting to other victims on the same corporate network.
The advisory also provides a list of measures that organizations can implement to minimize the risk of attacks.
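The advisory's list of measures is not reproduced here, but the behaviours described above (an older legitimate image installed first, an unsigned modified image and bootloader, and router logging switched off) each leave a trace a defender can check for. The following script is an added example, not code from the advisory, Cisco, or the agencies; it compares the output of three Cisco IOS commands (`show version`, `verify /md5`, and `show logging`) against a per-device baseline and reports anything that has drifted. The image names and hashes are constructed placeholders, and the exact output line formats the regexes expect are assumptions about how those commands print, so adjust them to match the platform in use.

```python
import re

# Constructed baseline an operator records per router model from the vendor's
# download page: the approved image file name and its published MD5.
# Both values are placeholders, not real Cisco artefacts.
BASELINE = {
    "approved_image": "ios-image-EXAMPLE-16.bin",
    "approved_md5": "deadbeef" * 4,  # 32 hex chars, placeholder
}


def parse_show_version(text):
    """Return the running image file name from `show version` output.

    Assumes the line 'System image file is "flash:<name>"' (device prefix optional).
    """
    m = re.search(r'System image file is "(?:[\w-]+:)?([^"]+)"', text)
    return m.group(1) if m else None


def parse_verify_md5(text):
    """Return the 32-hex-char digest printed by `verify /md5 flash:<image>`.

    Assumes the digest is the last token on a line of the form '... = <md5>'.
    """
    m = re.search(r"=\s*([0-9a-f]{32})\s*$", text, re.M)
    return m.group(1) if m else None


def parse_show_logging(text):
    """Return True/False for syslog logging state, or None if not found.

    Assumes `show logging` starts with 'Syslog logging: enabled ...' or 'disabled'.
    """
    m = re.search(r"^Syslog logging:\s*(enabled|disabled)", text, re.M)
    return m.group(1) == "enabled" if m else None


def assess(show_version, verify_md5, show_logging, baseline=BASELINE):
    """Compare captured command output to the baseline; return a list of findings.

    An empty list means nothing drifted. Each finding maps to one of the
    behaviours in the advisory: image downgrade/swap, image content changed,
    logging disabled.
    """
    findings = []

    image = parse_show_version(show_version)
    if image is None:
        findings.append("could not determine running image from show version")
    elif image != baseline["approved_image"]:
        findings.append(
            f"running image {image!r} differs from approved {baseline['approved_image']!r}"
            " (possible downgrade to an older image)"
        )

    digest = parse_verify_md5(verify_md5)
    if digest is None:
        findings.append("could not read image digest from verify output")
    elif digest != baseline["approved_md5"]:
        findings.append(f"image digest {digest} does not match approved digest")

    logging_on = parse_show_logging(show_logging)
    if logging_on is None:
        findings.append("could not determine logging state from show logging")
    elif not logging_on:
        findings.append("syslog logging is disabled on the device")

    return findings


# Constructed sample captures: one device matching the baseline, one that does not.
CLEAN_SHOW_VERSION = (
    "Cisco IOS Software, [constructed sample]\n"
    'System image file is "flash:ios-image-EXAMPLE-16.bin"\n'
)
CLEAN_VERIFY = f"verify /md5 (flash:ios-image-EXAMPLE-16.bin) = {'deadbeef' * 4}\n"
CLEAN_LOGGING = "Syslog logging: enabled (0 messages dropped, 0 messages rate-limited)\n"

SUSPECT_SHOW_VERSION = (
    "Cisco IOS Software, [constructed sample]\n"
    'System image file is "flash:ios-image-EXAMPLE-15.bin"\n'
)
SUSPECT_VERIFY = f"verify /md5 (flash:ios-image-EXAMPLE-15.bin) = {'cafebabe' * 4}\n"
SUSPECT_LOGGING = "Syslog logging: disabled\n"

if __name__ == "__main__":
    for label, args in (
        ("clean", (CLEAN_SHOW_VERSION, CLEAN_VERIFY, CLEAN_LOGGING)),
        ("suspect", (SUSPECT_SHOW_VERSION, SUSPECT_VERIFY, SUSPECT_LOGGING)),
    ):
        result = assess(*args)
        print(f"{label}: {'OK' if not result else 'FINDINGS'}")
        for f in result:
            print("  -", f)
```

Run on a schedule, the clean device yields no findings while the suspect one reports all three: an image name that is not the approved one, a digest that does not match the published value, and logging turned off. The digest check is only meaningful when the expected hash comes from the vendor rather than from the device itself, and a device whose bootloader has already been replaced can in principle misreport, so the output should be treated as a prompt for offline verification rather than proof of integrity.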
Following the report, Cisco released its own advisory noting that the most prevalent initial access vector in these attacks involves stolen or weak administrative credentials. The networking giant also noted that there’s no indication that any Cisco vulnerabilities were exploited and that the stolen certificates mentioned in the report are not from the company.
“Cisco does not have any knowledge of code-signing certificates being stolen to perform any attack against Cisco infrastructure devices,” the company said.