A raft of agencies have released a cyber security advisory warning of a threat actor with links to the People’s Republic of China targeting private and government organisations in the US and Japan.
The US National Security Agency, the FBI, and the Cybersecurity and Infrastructure Security Agency joined with the Japanese National Police Agency and the National Center of Incident Readiness and Strategy for Cybersecurity to co-author the report.
The advisory warns of a threat actor known as BlackTech and its efforts to compromise targets in the “government, industrial, technology, media, electronics, and telecommunication sectors, including entities that support the militaries of the US and Japan”.
According to the advisory, BlackTech has been active since at least 2010 and uses custom malware, remote access Trojans and “tailored persistence mechanisms” to compromise routers at the smaller overseas branches of global organisations headquartered in Japan and the US. The group updates its tools regularly to evade detection and signs malicious payloads with stolen code-signing certificates so that they appear legitimate.
In addition, BlackTech uses living-off-the-land techniques to “blend in with normal operating system and network activities”, including modifying the Windows registry on victim hosts to enable remote desktop access and running Netcat shells.
BlackTech’s main tactic is to target routers in branch offices, particularly several models of Cisco routers, in which the threat actor has installed a custom backdoor in the device firmware. Routers from other vendors have also been compromised.
“After gaining access to the subsidiaries’ internal networks, BlackTech actors are able to pivot from the trusted internal routers to other subsidiaries of the companies and the headquarters’ networks,” the advisory read. “BlackTech actors exploit trusted network relationships between an established victim and other entities to expand their access in target networks.”
In other words, once established in a branch network, BlackTech rides the branch’s trusted connection back to corporate headquarters to pivot into the rest of the company’s network.
According to the advisory, network defenders need to “monitor network devices for unauthorised downloads of bootloaders and firmware images and reboots”.
“Network defenders should also monitor for unusual traffic destined to the router, including SSH,” it said.
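Those two recommendations translate into a small set of detection rules: flag reloads and restarts, flag commands that fetch or select a boot image, and flag administrative logins to the router from anywhere other than the management network. The following is an added example written for this article, not code from the advisory, from Cisco, or from any vendor product. It runs such rules over constructed Cisco IOS-style syslog lines; the hostname, the management network 10.20.30.0/24, all IP addresses and every log line are made up for the illustration, and a real deployment would feed the parser from a syslog collector and tune the message mnemonics to the platforms in use.

```python
"""Triage IOS-style syslog for the indicators the advisory tells defenders to
watch: reboots, bootloader/firmware image downloads and boot-image changes, and
remote (SSH/vty) administrative access from unexpected sources."""
import re
from ipaddress import ip_address, ip_network

# Assumption: router management is only legitimate from this network.
MGMT_NETS = [ip_network("10.20.30.0/24")]

# Mnemonics that indicate a reload request or a completed restart.
REBOOT_MNEMONICS = {"SYS-5-RELOAD", "SYS-5-RESTART"}

# Constructed sample log lines (not real captures). The sequence shows an
# attacker logging in from outside the management network, copying a new image
# to flash, pointing the boot variable at it, and reloading the router.
SAMPLE_LOGS = """\
Oct  2 01:10:55 branch-rtr1 121: %SEC_LOGIN-5-LOGIN_SUCCESS: Login Success [user: admin] [Source: 10.20.30.40] [localport: 22] at 01:10:55 UTC Mon Oct 2 2023
Oct  2 01:12:03 branch-rtr1 122: %SYS-5-CONFIG_I: Configured from console by admin on vty0 (10.20.30.40)
Oct  2 02:41:17 branch-rtr1 123: %SEC_LOGIN-5-LOGIN_SUCCESS: Login Success [user: admin] [Source: 203.0.113.7] [localport: 22] at 02:41:17 UTC Mon Oct 2 2023
Oct  2 02:42:30 branch-rtr1 124: %PARSER-5-CFGLOG_LOGGEDCMD: User:admin logged command:copy tftp://203.0.113.9/c2900-universalk9-mz.bin flash:
Oct  2 02:43:05 branch-rtr1 125: %PARSER-5-CFGLOG_LOGGEDCMD: User:admin logged command:boot system flash:c2900-universalk9-mz.bin
Oct  2 02:44:00 branch-rtr1 126: %SYS-5-RELOAD: Reload requested by admin on vty0 (203.0.113.7). Reload Reason: Reload Command.
Oct  2 02:47:12 branch-rtr1 127: %SYS-5-RESTART: System restarted --
Oct  2 03:00:00 branch-rtr1 128: %LINEPROTO-5-UPDOWN: Line protocol on Interface GigabitEthernet0/0, changed state to up
"""

# <pri>, timestamp, host, optional sequence number, %FACILITY-SEV-MNEMONIC: message
LINE_RE = re.compile(
    r"^(?:<\d+>)?(?P<ts>\w{3}\s+\d+\s+[\d:]+)\s+(?P<host>\S+)\s+(?:\d+:\s+)?"
    r"%(?P<mnemonic>[A-Z0-9_]+-\d-[A-Z0-9_]+):\s*(?P<msg>.*)$"
)
# Source address as written by login messages ("[Source: x]") or vty messages ("(x)").
SRC_RE = re.compile(r"\[Source:\s*(?P<ip>[\d.]+)\]|\((?P<ip2>\d+\.\d+\.\d+\.\d+)\)")
# "copy <remote-url> <local-flash>": an image or bootloader being pulled onto the box.
IMAGE_RE = re.compile(r"\bcopy\b.*\b(?:tftp|ftp|http|https|scp):\S*\s+(?:flash|bootflash|disk0|nvram)", re.I)
# "boot system ...": the boot variable being repointed at a different image.
BOOT_RE = re.compile(r"\bboot system\b", re.I)


def parse(line):
    """Split one syslog line into timestamp, host, mnemonic, message and source IP."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ev = m.groupdict()
    s = SRC_RE.search(ev["msg"])
    ev["src"] = (s.group("ip") or s.group("ip2")) if s else None
    return ev


def is_unexpected_source(ip):
    """True when an administrative session did not originate in a management network."""
    if ip is None:
        return False
    try:
        addr = ip_address(ip)
    except ValueError:
        return True  # unparseable source is itself suspicious
    return not any(addr in net for net in MGMT_NETS)


def triage(lines):
    """Return one alert per line that matches a rule, in log order."""
    alerts = []
    for line in lines:
        ev = parse(line)
        if ev is None:
            continue
        mn, msg = ev["mnemonic"], ev["msg"]
        reasons = []
        if mn in REBOOT_MNEMONICS:
            reasons.append("reboot")
        if IMAGE_RE.search(msg) or BOOT_RE.search(msg):
            reasons.append("image-change")
        is_admin_session = mn.startswith(("SEC_LOGIN-", "SSH-")) or "vty" in msg
        if is_admin_session and is_unexpected_source(ev["src"]):
            reasons.append("unexpected-source")
        if reasons:
            severity = "high" if "unexpected-source" in reasons and len(reasons) > 1 else "medium"
            alerts.append({"ts": ev["ts"], "host": ev["host"], "mnemonic": mn,
                           "src": ev["src"], "reasons": reasons, "severity": severity})
    return alerts


def firmware_swap_hosts(alerts):
    """Hosts that logged an image change followed by a reboot: the sequence a
    router must go through to start running a replaced image."""
    staged, hosts = set(), set()
    for a in alerts:
        if "image-change" in a["reasons"]:
            staged.add(a["host"])
        if "reboot" in a["reasons"] and a["host"] in staged:
            hosts.add(a["host"])
    return sorted(hosts)


if __name__ == "__main__":
    found = triage(SAMPLE_LOGS.splitlines())
    for a in found:
        print(f"{a['ts']} {a['host']} {a['severity']:6} {','.join(a['reasons']):24} {a['mnemonic']} src={a['src']}")
    print("possible firmware swap on:", firmware_swap_hosts(found))
```

The login and reload lines are only useful here because the example assumes the routers already send syslog to a collector the attacker cannot reach; an actor with administrative credentials can also disable logging, so the absence of events from a branch router deserves the same attention as the events above.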
Cisco has responded to the advisory, however, saying that despite the reports of compromised routers, the initial access in these attacks came through compromised credentials rather than a product vulnerability.
“There is no indication that any Cisco vulnerabilities were exploited,” Cisco said in its own advisory. “Attackers used compromised credentials to perform administrative-level configuration and software changes.”
Further, Cisco maintains that the firmware modification described applies only to legacy devices that lack secure boot.
“Modern Cisco devices include secure boot capabilities, which do not allow the loading and executing of modified software images,” Cisco said. The company also pointed out that the stolen code-signing certificates were not from Cisco.
“Cisco does not have any knowledge of code-signing certificates being stolen to perform any attack against Cisco infrastructure devices,” it said.
David Hollingworth has been writing about technology for over 20 years, and has worked for a range of print and online titles in his career. He is enjoying getting to grips with cyber security, especially when it lets him talk about Lego.