China APT Cracks Cisco Firmware in Attacks Against the US and Japan

Sophisticated hackers are rewriting router firmware in real time and hiding their footprints, leaving defenders with hardly a fighting chance.


A long-established Chinese state-linked threat actor has been quietly manipulating Cisco routers to breach multinational organizations in the US and Japan.

"BlackTech" (aka Palmerworm, Temp.Overboard, Circuit Panda, and Radio Panda) has been replacing device firmware with its own malicious version, in order to establish persistence and pivot from smaller, international subsidiaries to headquarters of affected organizations. Those organizations have thus far spanned government, industrial, technology, media, electronics, and telecommunication sectors, and include "entities that support the militaries of the U.S. and Japan," according to a new joint cybersecurity advisory from the National Security Agency (NSA), FBI, and Cybersecurity and Infrastructure Security Agency (CISA), as well as Japanese national police and cybersecurity authorities.

The advisory does not detail any specific CVE affecting Cisco routers. Instead, it explains, "this TTP is not solely limited to Cisco routers, and similar techniques could be used to enable backdoors in other network equipment."
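Because the technique is replacement of the firmware image itself, the most direct check a defender has is to compare the image actually loaded on (or staged for) a device against the hash the vendor publishes for that release. The script below is an added example, not code from the advisory, Cisco, or Dark Reading: it assumes a sha256sum-style manifest (`<sha256 hex>  <image name>`), and the image bytes and manifest are constructed inline so the check runs offline. A tampered copy, differing by a single bit, and an image that is not in the manifest at all are both flagged.

```python
"""Verify network-device firmware images against a known-good hash manifest.

Added example (hypothetical manifest format, constructed sample bytes).
A modified image, such as the replaced firmware the advisory describes,
no longer matches the vendor-published digest for its release.
"""
import hashlib
import hmac
from typing import Dict, Tuple


def sha256_hex(data: bytes) -> str:
    """SHA-256 of an image as lowercase hex."""
    return hashlib.sha256(data).hexdigest()


def parse_manifest(text: str) -> Dict[str, str]:
    """Parse lines of the form '<sha256hex>  <image-name>' (sha256sum style).

    Blank lines and '#' comments are ignored. Returns {image-name: digest}.
    """
    manifest: Dict[str, str] = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        digest, name = line.split(None, 1)
        manifest[name.strip()] = digest.lower()
    return manifest


def verify_image(name: str, image: bytes, manifest: Dict[str, str]) -> Tuple[str, str]:
    """Return (status, detail); status is 'OK', 'MISMATCH' or 'UNKNOWN'.

    UNKNOWN means the image name has no entry in the manifest, i.e. it does
    not correspond to any release the vendor published a digest for.
    """
    actual = sha256_hex(image)
    expected = manifest.get(name)
    if expected is None:
        return "UNKNOWN", f"{name}: no manifest entry for this image"
    # compare_digest avoids timing differences; it is a habit, not a need here.
    if not hmac.compare_digest(actual, expected):
        return "MISMATCH", f"{name}: expected {expected[:16]}..., got {actual[:16]}..."
    return "OK", f"{name}: matches manifest"


# Constructed sample data: a fake image and a manifest whose digest is
# computed from those bytes (so the 'genuine' case is a real match).
GOOD_IMAGE = b"\x7fELF" + b"\x00" * 60 + b"ROUTER-IMAGE v1.2.3 (constructed sample)"
MANIFEST_TEXT = (
    "# constructed manifest; digest computed from the sample bytes above\n"
    f"{sha256_hex(GOOD_IMAGE)}  router-image-1.2.3.bin\n"
)


def run_checks() -> Dict[str, str]:
    """Run the three cases a defender meets: genuine, tampered, unlisted."""
    manifest = parse_manifest(MANIFEST_TEXT)
    tampered = bytearray(GOOD_IMAGE)
    tampered[10] ^= 0x01  # flip one bit deep inside the image
    return {
        "genuine": verify_image("router-image-1.2.3.bin", GOOD_IMAGE, manifest)[0],
        "tampered": verify_image("router-image-1.2.3.bin", bytes(tampered), manifest)[0],
        "unlisted": verify_image("router-image-9.9.9.bin", GOOD_IMAGE, manifest)[0],
    }


if __name__ == "__main__":
    for case, status in run_checks().items():
        print(f"{case:9s} {status}")
```

The hash should be taken from an image copied off the device through an out-of-band path (or from the file that was pushed to it), not from a digest the running device reports about itself: firmware that has already been replaced can report whatever it likes, which is exactly the footprint-hiding the article describes.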

Cisco has not yet responded to Dark Reading's request for comment.

According to Tom Pace, former Department of Energy head of cyber and now CEO of NetRise, it speaks to a more endemic problem in edge security. "If we get our hands on a firmware image from Cisco, Juniper, Huawei, Arista — it doesn't matter who it is," he says. "The same problems persist across all device manufacturers and all verticals."

How BlackTech Breaches Networks

Cisco routers have been subject to compromise and IP theft ever since the company first helped China build its national Internet censorship apparatus — the so-called "Great Firewall" — at the turn of the century. BlackTech, around since 2010, has taken the tradition a step further.

The group possesses 12 different custom malware families for penetrating and staking a foothold inside of Windows, Linux, and FreeBSD operating systems. They are lent an air of legitimacy by code-signing certificates and are constantly updated in order to evade antivirus detection.

Once firmly planted in target networks, BlackTech uses living-off-the-land (LotL)-style tools for evading endpoint detection, including NetCat shells, the Secure Shell Protocol (SSH), and the Remote Desktop Protocol (RDP).

Read the rest of this article on Dark Reading.


About the Author(s)

Nate Nelson, Contributing Writer, Dark Reading

Nate Nelson is a contributing writer at Dark Reading.
