A China-linked threat actor known as “BlackTech” has been identified as targeting the firmware of network routers, including popular models sold by Cisco. This alarming revelation was made in a joint cybersecurity advisory published on Wednesday by the Cybersecurity and Infrastructure Security Agency (CISA), in partnership with the Federal Bureau of Investigation (FBI), the National Security Agency (NSA), as well as the Japan National Police Agency and the Japan National Center of Incident Readiness and Strategy for Cybersecurity.
The advisory, titled “People’s Republic of China-Linked Cyber Actors Hide in Router Firmware,” provides crucial details about the threat activity associated with BlackTech. It specifically focuses on the group’s attacks on international subsidiaries of American and Japanese companies. According to CISA, BlackTech has proven its ability to modify router firmware without detection and exploit the domain-trust relationships of routers to pivot from international subsidiaries to headquarters in the United States and Japan.
One of the main targets of BlackTech’s operations has been routers manufactured by Cisco, the renowned networking giant. CISA’s advisory revealed that the threat actor has compromised various router brands and product versions, with a specific emphasis on Cisco routers. Once a router is compromised, BlackTech proceeds to modify its firmware by adding backdoors. Simultaneously, the group conceals configuration changes, hides commands, and disables logging. Additionally, BlackTech has been replacing firmware on certain Cisco Internetworking Operating System (Cisco IOS)-based routers with its own malicious firmware.
However, it is important to note that these firmware modifications and replacements occur only after BlackTech actors have already gained initial access and elevated privileges. Typically, they achieve this by using stolen administrative credentials. By leveraging the modified firmware, the threat actor establishes persistent backdoor access and obfuscates future malicious activities.
While the advisory focuses on Cisco routers, CISA clarifies that the techniques employed by BlackTech are not limited to a single vendor. The advisory warns that similar techniques could be used to enable backdoors in other network equipment as well.
In response to the joint advisory, Cisco released its own advisory to provide further understanding of the threat and highlight specific details from the report. Cisco stated that there is “no indication” that any vulnerabilities in Cisco products were exploited by BlackTech. The company emphasized that modern Cisco devices ship with secure boot capabilities, which prevent modified software images from being loaded and executed. Furthermore, Cisco stated that it is not aware of any theft of its code-signing certificates being used in attacks against its infrastructure devices.
CISA recommends that defenders closely monitor their network devices for unusual router traffic, unauthorized downloads of bootloaders or firmware images, and unexpected reboots. Cisco advises customers to follow the best practices outlined in a 2020 advisory dedicated to defending against attacks on legacy devices.
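The monitoring CISA recommends above, together with the behaviours described earlier (boot image changes, logging being switched off, reboots), can be turned into simple detection logic over router syslog. The following is an added example, not code from the advisory or from Cisco: it parses a handful of constructed Cisco IOS-style syslog lines and flags the events a defender would want to review. The log format, the `logged command:` audit-line shape and the regex rules are assumptions for illustration; real deployments export command audit data through different channels (AAA command accounting, configuration logging), so the patterns must be adapted to the actual log source.

```python
import re
from typing import Dict, List, Optional

# Assumed collector format: "<Mon DD HH:MM:SS> <host> [<seq>: ]%FACILITY-SEV-MNEMONIC: <text>"
SYSLOG_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}) "
    r"(?P<host>\S+) "
    r"(?:\d+: )?"
    r"%(?P<mnemonic>[A-Z0-9_]+-\d-[A-Z0-9_]+): "
    r"(?P<msg>.*)$"
)
# Assumed shape of a command audit message carried inside a syslog line
CMD_RE = re.compile(r"logged command:(?P<cmd>.+)$")

# Detection rules (constructed for this example; tune to your environment)
REBOOT_MNEMONICS = {"SYS-5-RELOAD", "SYS-5-RESTART"}          # device reloads/restarts
BOOT_CHANGE_RE = re.compile(r"^boot\s+system\b", re.I)          # boot image variable changed
IMAGE_DOWNLOAD_RE = re.compile(r"^copy\s+(tftp|ftp|http|https|scp):", re.I)  # image pulled onto the device
LOGGING_OFF_RE = re.compile(r"^no\s+(logging|archive)\b", re.I)  # logging or config archive disabled

# Constructed sample lines (not real captures); addresses are documentation ranges
SAMPLE_LOGS = [
    "Sep 27 10:01:12 edge-rtr-1 000101: %SYS-5-CONFIG_I: Configured from console by admin on vty0 (203.0.113.5)",
    "Sep 27 10:02:45 edge-rtr-1 000102: %PARSER-5-CFGLOG_LOGGEDCMD: User:admin  logged command:boot system flash:example-image.bin",
    "Sep 27 10:03:10 edge-rtr-1 000103: %PARSER-5-CFGLOG_LOGGEDCMD: User:admin  logged command:copy tftp://198.51.100.7/example-image.bin flash:",
    "Sep 27 10:03:30 edge-rtr-1 000104: %PARSER-5-CFGLOG_LOGGEDCMD: User:admin  logged command:no logging host 192.0.2.20",
    "Sep 27 10:05:00 edge-rtr-1 000105: %SYS-5-RELOAD: Reload requested by admin on vty0 (203.0.113.5). Reload Reason: Reload Command.",
    "Sep 27 10:06:00 edge-rtr-1 000106: %LINK-3-UPDOWN: Interface GigabitEthernet0/0, changed state to up",
    "this line is not syslog at all",
]


def parse_line(line: str) -> Optional[Dict[str, str]]:
    """Split one syslog line into timestamp, host, mnemonic and message; None if it does not match."""
    m = SYSLOG_RE.match(line.strip())
    return m.groupdict() if m else None


def classify(event: Dict[str, str]) -> Optional[str]:
    """Return a finding tag for events worth reviewing, or None for routine messages."""
    if event["mnemonic"] in REBOOT_MNEMONICS:
        return "reboot"
    cmd_match = CMD_RE.search(event["msg"])
    if not cmd_match:
        return None
    cmd = cmd_match.group("cmd").strip()
    if BOOT_CHANGE_RE.match(cmd):
        return "boot-image-change"
    if IMAGE_DOWNLOAD_RE.match(cmd):
        return "image-download"
    if LOGGING_OFF_RE.match(cmd):
        return "logging-disabled"
    return None


def scan(lines: List[str]) -> List[Dict[str, str]]:
    """Run every line through the parser and rules; unparseable lines are skipped."""
    findings = []
    for line in lines:
        event = parse_line(line)
        if event is None:
            continue
        tag = classify(event)
        if tag is not None:
            findings.append({"ts": event["ts"], "host": event["host"], "tag": tag, "evidence": event["msg"]})
    return findings


if __name__ == "__main__":
    for f in scan(SAMPLE_LOGS):
        print(f"{f['ts']} {f['host']} [{f['tag']}] {f['evidence']}")
```

Each finding on its own is not proof of compromise; a scheduled maintenance window produces the same reload and image-copy events. The value comes from correlating them against change tickets and from treating a `logging-disabled` event followed by a reload as a high-priority review, since that sequence matches the hide-and-persist behaviour the advisory describes. Because an attacker who controls the firmware can suppress the device's own logging, this check is only meaningful when logs are forwarded off-box to a collector the router cannot alter.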
When asked about why Cisco was specifically mentioned in CISA’s advisory, a spokesperson for Cisco explained that the company is often named in such advisories due to its significant global presence in networking infrastructure. The spokesperson emphasized the need for companies to update, patch, and securely configure their network devices to maintain security and network resilience.
As of now, CISA has not provided further comment on the matter. However, this revelation serves as a stark reminder of the ongoing cybersecurity threats faced by both individuals and organizations globally. With router firmware being targeted, it is crucial for users to prioritize security measures and remain vigilant in protecting their networks from potential malicious activities.