Juniper router
Credit: Juniper Networks

China continues cyberattacks on routers, this time targeting Juniper Networks devices

An espionage group operating out of China is targeting routers made by Juniper Networks, according to incident responders from Mandiant.

The researchers said the state-backed group — dubbed UNC3886 — was behind a campaign last year to deploy custom backdoors on the company’s Junos OS routers. The group appears to be “focused mainly on defense, technology, and telecommunication organizations located in the US and Asia,” they said.

The Google-owned cybersecurity firm said it worked with Juniper Networks to investigate the activity and found that the affected routers were running end-of-life hardware and software. The malware deployed on the Juniper routers “demonstrates that UNC3886 has in-depth knowledge of advanced system internals,” they said. 

The company previously tracked UNC3886’s efforts in 2023 to exploit vulnerabilities in Fortinet and VMware network security systems and firewalls. 

The incident responders found that the goal in both campaigns was the same — to “gather and use legitimate credentials to move laterally within a network, undetected.” They assess that the threat actor is primarily focused on maintaining long-term access to victim networks.

“UNC3886 continues to show a deep understanding of the underlying technology of the appliances being targeted,” the company said, adding that it did not identify technical overlaps with the nation-state groups Volt Typhoon or Salt Typhoon.

Austin Larsen, principal threat analyst with Google Threat Intelligence Group, said the campaign stood out “due to the novel and sophisticated custom malware specifically targeting Juniper routers.” 

The tactics demonstrated that the group is “well-resourced and highly skilled to study/learn different devices to create different malware variants for them and bypass built-in protections.”

Custom backdoors

The investigators observed six custom-made versions of the Tinyshell backdoor operating on Juniper Networks’ Junos OS routers. 

Larsen explained that the attackers tailored the malware for Junos OS, including several features not previously seen in campaigns against other edge devices.

The researchers have been tracking similar custom malware ecosystems since 2022 and noted the attackers have “historically targeted network devices and virtualization technologies with zero-day exploits.” 

The group’s tactics indicate they are prioritizing stealth in operations and are seeking long-term persistence while minimizing the risk of detection. 

The hackers are also expanding their targeting beyond network edge devices to internal networking infrastructure like Internet Service Provider (ISP) routers. 

More broadly, the compromise of routing devices “is a recent trend in the tactics of espionage-motivated adversaries as it grants the capability for a long-term, high-level access to the crucial routing infrastructure, with a potential for more disruptive actions in the future.” 

Mandiant suggested any organizations running Juniper MX routers with end-of-life hardware and software upgrade their devices. 

Devices from Juniper Networks were previously targeted by a variant of the Mirai malware.

Jonathan Greig is a Breaking News Reporter at Recorded Future News. Jonathan has worked across the globe as a journalist since 2014. Before moving back to New York City, he worked for news outlets in South Africa, Jordan and Cambodia. He previously covered cybersecurity at ZDNet and TechRepublic.