US, Japan say ‘BlackTech’ Chinese gov’t hackers exploiting routers during attacks

A sophisticated hacking group tied to the government of China is exploiting routers in attacks on a variety of organizations, cybersecurity agencies in the United States and Japan warned Wednesday.

The activity was attributed to a group called BlackTech, which has been launching attacks since 2010, according to the FBI, National Security Agency (NSA), the Cybersecurity and Infrastructure Security Agency (CISA) and Japan National Center of Incident Readiness and Strategy for Cybersecurity (NISC).

The agencies said the group has been seen modifying router firmware to conceal its activity targeting companies based in the U.S. or Japan.

“After gaining access to the subsidiaries’ internal networks, BlackTech actors are able to pivot from the trusted internal routers to other subsidiaries of the companies and the headquarters’ networks,” the agencies explained.

“BlackTech actors exploit trusted network relationships between an established victim and other entities to expand their access in target networks. Specifically, upon gaining an initial foothold into a target network and gaining administrator access to network edge devices, BlackTech cyber actors often modify the firmware to hide their activity across the edge devices to further maintain persistence in the network.”

Eric Goldstein, executive assistant director for cybersecurity at CISA, said the advisory on BlackTech is meant to push organizations to mitigate the outlined risks and to contact law enforcement in the event of any discovered attacks.

“With our U.S. and international partners, CISA continues to call urgent attention to China’s sophisticated and aggressive global cyber operations to gain persistent access and, in the case of BlackTech actors, steal intellectual property and sensitive data,” he said. “BlackTech activity targets a wide range of public organizations and private industries across the U.S. and East Asia.”

The group — also known by names like Palmerworm, Circuit Panda, and Radio Panda — has been seen targeting government organizations as well as companies in the industrial, technology, media, electronics, and telecommunication sectors.

It uses custom malware and attempts to cover its tracks by disabling logging capabilities on routers so investigators cannot track their actions.

Over the years, the group has continuously updated its evasion tools and now uses stolen code-signing certificates, which allow it to make malicious software look legitimate. According to the advisory, it has become adept at blending its actions in with the normal operations of a network, allowing it to evade endpoint detection services and other security tools.

The group specifically targets “branch routers” — smaller appliances used at more remote branch offices to connect to a corporate headquarters. Exploitation of the tools not only allows the group access to more central networks but allows them to blend in with typical corporate network traffic.

While the group has exploited several brands of routers, the agencies said they have observed multiple Cisco versions targeted with custom malware, including BendyBear, Bifrose, BTSDoor FakeDead (a.k.a. TSCookie), Flagpro, FrontShell (FakeDead’s downloader module) IconDown PLEAD, SpiderPig, SpiderSpring, SpiderStack and WaterBear.

They have been able to replace the firmware of some Cisco routers with malicious tools that allow them elevated privileges in the network. In some cases, the hackers were able to abuse a Cisco tool for automating tasks that allowed them to automatically remove traces of their work.

The agencies provide a lengthy list of actions companies can take to protect themselves.

Global reach

The advisory comes after a week full of reports from cybersecurity firms about the activities of China-based hackers.

Volexity said it identified a five-year campaign by hackers they refer to as EvilBamboo targeting Tibetan, Uyghur, and Taiwanese individuals and organizations; Palo Alto Networks uncovered an espionage campaign targeting a government in Southeast Asia, and Recorded Future — The Record’s parent company — published a report on a multi-year campaign by Chinese actors against South Korean organizations.

Proofpoint also highlighted a worrying increase in activity from specific malware families targeting Chinese-language speakers.

Most of the reports spotlight the Chinese government’s extensive array of espionage operations.

Tom Hegel, senior threat researcher for SentinelLabs, published a report last week focusing on how China’s espionage attacks on countries in Africa were “designed to extend influence throughout the continent.”

“The most alarming part is how the activity goes into China’s long-term soft power agenda,” Hegel said. “Observing intrusions used to aid regional investments stands out to us, highlighting that state-sponsored intrusions are a growing support tool for soft power in Africa.”

China’s cyber campaigns have become a priority of the U.S. Department of Defense, which announced last week that it met with People's Republic of China (PRC) defense officials to discuss updates to a 2014 memorandum of understanding between the two countries on “major military activities.

“Following the briefing, the two sides engaged in substantive discussion on a range of cyber-related topics,” the Defense Department said in a statement.

China’s Ministry of State Security has responded to accusations of espionage activity with its own claims that the NSA launched an attack on Northwestern Polytechnical University and has long targeted Chinese organizations.

“The United States is trying its best to portray itself as a ‘cyberattack victim,’ inciting and coercing other countries to join the so-called ‘clean network’ program under the banner of ‘maintaining network security,’ in an attempt to eliminate Chinese companies from the international network market,” the ministry said on a Chinese social media site on September 19.

“At present, cyberspace has increasingly become a new battlefield for safeguarding national security.”