US and Japan-based Cisco routers targeted by the BlackTech APT

October 2, 2023

The Chinese state-sponsored hacking group BlackTech APT is the alleged culprit behind a new covert campaign that infiltrates network routers. The campaign prioritises stealth to remain undetected while targeting organisations in the United States and Japan.

BlackTech's intrusion tactic is to target branch routers, typically deployed in remote branch offices. From there, the group extends its reach into the target networks by abusing the trusted connections between victims and other entities.

Once it has obtained initial access and admin privileges on network edge devices, BlackTech typically modifies the firmware to hide its actions and establish persistence within the targeted network.

The BlackTech APT has prioritised targeting Cisco routers in their campaign to compromise numerous organisations in the United States and Japan.

According to the joint advisory released by multiple law enforcement agencies in Japan and the US, the BlackTech APT group carried out its campaign by compromising Cisco routers.

The attackers compromised these devices by installing customised firmware backdoors that can be activated or deactivated with specially crafted TCP or UDP packets. In some cases the group replaced the firmware on specific Cisco IOS-based routers with malicious versions to establish backdoor access and obscure its operations.

Furthermore, BlackTech is known for combining custom malware, dual-use tools, and tactics that blend in with regular network operations, such as disabling logging on routers, to hide its activities.

Over time, the group has consistently refined its evasion capabilities, using stolen code-signing certificates to lend legitimacy to its malicious software. These new details show how BlackTech blends its actions into standard network operations, which allows it to bypass endpoint security solutions and other protective measures.

Cisco, for its part, has confirmed that its review of the latest BlackTech APT campaign found no evidence of any vulnerability in its networking devices. However, it noted that legacy devices are susceptible to these attacks.

Modern Cisco devices, however, can remain safe from these attacks because their secure boot capabilities prevent modified software images from being loaded and executed.
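As an added defender-side example (not code from the original article, from Cisco, or from the advisory), the script below applies two checks that follow from the article's description of the campaign: it flags a router running-config in which logging has been switched off, and it compares the digest an operator obtained from the router's software image against a known-good value, which is the manual counterpart of what secure boot enforces on newer platforms. The sample configs, image name, `verify`-style output line and digests are all constructed placeholders; in practice the known-good digest comes from the vendor's published hash for that exact image file.

```python
import hashlib
import re
from typing import Dict, List, Optional

# Constructed sample `show running-config` excerpts (not captured from any real
# device); the logging statements themselves use standard Cisco IOS syntax.
HEALTHY_CONFIG = """\
version 15.4
service timestamps log datetime msec
logging buffered 64000
logging trap informational
logging host 192.0.2.10
"""

TAMPERED_CONFIG = """\
version 15.4
no logging on
no logging buffered
"""


def audit_logging(running_config: str) -> List[str]:
    """Flag logging settings that would blind defenders to activity on the router."""
    lines = [line.strip() for line in running_config.splitlines()]
    findings = []
    if "no logging on" in lines:
        findings.append("logging globally disabled (no logging on)")
    if "no logging buffered" in lines or not any(l.startswith("logging buffered") for l in lines):
        findings.append("local log buffer disabled or absent")
    if not any(l.startswith("logging host") for l in lines):
        findings.append("no remote syslog destination (logs stay only on the device)")
    return findings


# Hypothetical allowlist keyed by image filename. The digest is computed here
# from constructed placeholder bytes so the example runs offline; a real
# allowlist would hold the vendor-published digest for each image.
KNOWN_GOOD_MD5: Dict[str, str] = {
    "example-ios-image.bin": hashlib.md5(b"constructed-good-image").hexdigest(),
}

MD5_RE = re.compile(r"\b([0-9a-f]{32})\b")


def extract_digest(verify_output: str) -> Optional[str]:
    """Pull a 32-hex-character MD5 out of a line of hash-verification output."""
    match = MD5_RE.search(verify_output)
    return match.group(1) if match else None


def image_matches_allowlist(image_name: str, verify_output: str) -> bool:
    """True only when the observed digest equals the known-good digest for that image.

    Unknown image names and output with no parseable digest are treated as failures
    so that a missing record can never be mistaken for a clean result.
    """
    expected = KNOWN_GOOD_MD5.get(image_name)
    observed = extract_digest(verify_output)
    return expected is not None and observed is not None and observed == expected


if __name__ == "__main__":
    name = "example-ios-image.bin"
    good = KNOWN_GOOD_MD5[name]
    bad = hashlib.md5(b"constructed-modified-image").hexdigest()
    # Constructed verification lines modelled on the "Verified (...) = <hash>" shape.
    print(audit_logging(HEALTHY_CONFIG))   # []
    print(audit_logging(TAMPERED_CONFIG))  # three findings
    print(image_matches_allowlist(name, f"Verified (flash:{name}) = {good}"))  # True
    print(image_matches_allowlist(name, f"Verified (flash:{name}) = {bad}"))   # False
```

The logging audit is deliberately conservative: an absent `logging host` line is reported even on an otherwise healthy config, because logs that only live in the device buffer disappear with the reboot that a firmware swap requires. MD5 is used here only because it is the digest most commonly shown alongside router images; prefer the strongest digest the platform and vendor publish.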
