BlackTech APT, a well-known hacking group, has been engaging in malicious activities since 2010. Its targets span many sectors, including government institutions, industrial facilities, technology infrastructure, media outlets, electronics, telecommunications, and defense organizations. To cover its tracks, the group employs custom malware, dual-use tools (legitimate utilities that can serve both administrative and malicious purposes), and living-off-the-land techniques that abuse existing system functionality, such as disabling logging on compromised routers.
The Japan National Police Agency (NPA) and the U.S. Cybersecurity and Infrastructure Security Agency (CISA) have shed light on BlackTech's ability to modify router firmware without being detected. They also found that the group abuses the routers' trusted domain relationships to pivot from the networks of international subsidiaries into headquarters networks in Japan and the U.S.
To keep evading detection, the group regularly updates its tools to stay one step ahead of defenders. It goes as far as stealing code-signing certificates so that its malware appears authentic and legitimate.
Furthermore, BlackTech uses custom malware payloads and remote access tools (RATs) to infiltrate victims' computers. Its malware is built to run on several operating systems, including Windows, Linux, and FreeBSD. To escape detection, the group relies on "living off the land" techniques, blending in with normal network activity and built-in operating system tooling, which helps it evade endpoint detection and response (EDR) products.
Their current campaign primarily targets foreign branches of American and Japanese companies. Once they gain access to these companies’ internal networks, they can pivot to headquarters networks. The report released by CISA states that “BlackTech actors take advantage of trusted network relationships between a known victim and other entities to gain more access to target networks.”
The group targets a variety of router models and firmware versions from prominent vendors such as Cisco. On Cisco routers, the attackers hide inside Embedded Event Manager (EEM) rules, a Cisco IOS feature used to automate tasks that are triggered by specific events.
To address the BlackTech threat, CISA and the NPA have recommended several measures. They strongly advise network defenders to closely monitor for unusual traffic patterns, unexpected reboots, and unauthorized downloads of bootloaders, firmware images, and software images.
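Because the advisory singles out EEM rules as a hiding place and disabled router logging as a tell, a practical first check is to audit the EEM applets in a router's running configuration. The following Python script is an added example written for this article, not code from CISA, the NPA, or Cisco. It parses a constructed (not real) Cisco IOS configuration excerpt, inventories every `event manager applet` block, and flags applets that trigger on operator CLI commands, that swallow the intercepted command (`set _exit_status 0` in a synchronous CLI applet), or that turn logging off. The heuristics and the sample configuration are assumptions for illustration; real-world tuning would depend on your own approved EEM policies.

```python
import re
from typing import Dict, List

# Constructed sample of a Cisco IOS running-config excerpt (not from a real device).
# The applet "link-watch" is a benign example; "cli-filter" shows the kind of
# applet a defender would want surfaced for review.
SAMPLE_CONFIG = """\
hostname edge-rtr-01
!
logging host 10.0.0.50
!
event manager applet link-watch
 event syslog pattern "%LINK-3-UPDOWN"
 action 1.0 syslog msg "link state change observed"
!
event manager applet cli-filter
 event cli pattern "show running-config" sync yes
 action 1.0 cli command "enable"
 action 2.0 cli command "no logging host 10.0.0.50"
 action 3.0 set _exit_status 0
!
end
"""

APPLET_HEADER = re.compile(r"^event manager applet (\S+)")


def parse_eem_applets(config_text: str) -> List[Dict[str, object]]:
    """Collect each 'event manager applet' block with its indented body lines."""
    applets: List[Dict[str, object]] = []
    current = None
    for line in config_text.splitlines():
        header = APPLET_HEADER.match(line)
        if header:
            current = {"name": header.group(1), "lines": []}
            applets.append(current)
        elif current is not None and line.startswith(" "):
            # IOS indents the event/action statements under the applet header.
            current["lines"].append(line.strip())
        else:
            # Any non-indented line ("!", "end", other config) closes the block.
            current = None
    return applets


def audit_applet(applet: Dict[str, object]) -> List[str]:
    """Return human-readable findings for one applet (assumed heuristics)."""
    findings: List[str] = []
    for line in applet["lines"]:
        if line.startswith("event cli"):
            findings.append("intercepts operator CLI commands (event cli)")
        if "_exit_status 0" in line:
            # In a synchronous CLI applet, exit status 0 suppresses the
            # operator's original command, so what they typed never runs.
            findings.append("suppresses the intercepted command (_exit_status 0)")
        if re.search(r'cli command "no logging', line):
            findings.append("disables logging")
        if re.search(r'cli command "(boot system|copy )', line):
            findings.append("changes boot image or copies files")
    return findings


def audit_config(config_text: str) -> Dict[str, List[str]]:
    """Map applet name -> findings for every EEM applet in the config."""
    return {a["name"]: audit_applet(a) for a in parse_eem_applets(config_text)}


if __name__ == "__main__":
    for name, findings in audit_config(SAMPLE_CONFIG).items():
        status = "REVIEW" if findings else "ok"
        print(f"{status:6} {name}: {'; '.join(findings) or 'no findings'}")
```

Run the script against a saved `show running-config` dump to get a reviewable list; an applet with no findings is not proof of innocence, only an absence of these particular indicators, so compare the full inventory against the set of applets your network team actually deployed.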
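The monitoring advice above (unexpected reboots, unauthorized image downloads) can be turned into a simple triage rule set over router syslog. The script below is an added example for this article, not a tool from CISA, the NPA, or Cisco. It runs over a handful of constructed Cisco IOS-style syslog lines and raises an alert when a reload happens outside an assumed change window, when a `copy` command pulls a file from a source that is not an approved image server, or when a configuration change comes from a host outside an assumed admin list. The message formats, allow-lists, and change window are assumptions chosen for the example.

```python
import re
from collections import Counter
from typing import Dict, List, Optional, Tuple

# Assumed policy values for this example (replace with your own).
CHANGE_WINDOW = (8, 18)                 # reloads expected only 08:00-17:59 local
ALLOWED_IMAGE_SOURCES = {"10.0.0.50"}   # approved internal image/file server
ADMIN_HOSTS = {"10.0.0.5"}              # hosts allowed to change configuration

# Constructed sample syslog lines (Cisco IOS style); no real hosts or events.
SAMPLE_LOGS = [
    "Jan 12 03:14:07 edge-rtr-01 1423: %SYS-5-CONFIG_I: Configured from console by admin on vty0 (10.0.0.5)",
    "Jan 12 03:15:22 edge-rtr-01 1424: %PARSER-5-CFGLOG_LOGGEDCMD: User:admin  logged command:copy tftp://203.0.113.9/ios.bin flash:",
    "Jan 12 03:16:01 edge-rtr-01 1425: %SYS-5-RELOAD: Reload requested by admin on vty0 (10.0.0.5). Reload Reason: Reload Command.",
    "Jan 12 04:02:40 edge-rtr-01 1426: %SYS-5-CONFIG_I: Configured from console by ops on vty1 (198.51.100.7)",
    "Jan 12 09:00:00 edge-rtr-01 1500: %LINK-3-UPDOWN: Interface GigabitEthernet0/1, changed state to up",
    "Jan 12 10:30:00 edge-rtr-01 1501: %SYS-5-RELOAD: Reload requested by admin on vty0 (10.0.0.5). Reload Reason: Reload Command.",
]

LINE_RE = re.compile(
    r"^(?P<mon>\w{3})\s+(?P<day>\d+)\s+(?P<hh>\d{2}):(?P<mm>\d{2}):\d{2}\s+"
    r"(?P<host>\S+)\s+\d+:\s+(?P<msg>%\S+?):\s*(?P<text>.*)$"
)
IP_RE = re.compile(r"(\d{1,3}(?:\.\d{1,3}){3})")

Alert = Tuple[str, str, str]  # (router hostname, reason, raw log line)


def first_ip(text: str) -> Optional[str]:
    """Extract the first IPv4 address in a message body, if any."""
    m = IP_RE.search(text)
    return m.group(1) if m else None


def triage(lines: List[str]) -> List[Alert]:
    """Apply the three rules and return the alerts they produce."""
    alerts: List[Alert] = []
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue  # unparseable line: skipped here, worth counting in production
        hour, host, msg, text = int(m["hh"]), m["host"], m["msg"], m["text"]
        src = first_ip(text)

        if msg.startswith(("%SYS-5-RELOAD", "%SYS-5-RESTART")):
            # Rule 1: any reload/restart outside the change window.
            if not (CHANGE_WINDOW[0] <= hour < CHANGE_WINDOW[1]):
                alerts.append((host, "reload outside change window", line))
        elif msg == "%PARSER-5-CFGLOG_LOGGEDCMD" and re.search(r"command:copy\b", text):
            # Rule 2: file/image copy from anywhere but the approved server.
            if src not in ALLOWED_IMAGE_SOURCES:
                alerts.append((host, "file copy from unapproved source", line))
        elif msg == "%SYS-5-CONFIG_I" and src not in ADMIN_HOSTS:
            # Rule 3: configuration change from a non-admin host.
            alerts.append((host, "config change from non-admin host", line))
    return alerts


def summarize(alerts: List[Alert]) -> Dict[str, int]:
    """Count alerts by reason for a quick overview."""
    return dict(Counter(reason for _, reason, _ in alerts))


if __name__ == "__main__":
    found = triage(SAMPLE_LOGS)
    for host, reason, raw in found:
        print(f"[{host}] {reason}\n    {raw}")
    print(summarize(found))
```

The rules are deliberately narrow so that each alert maps to one of the advisory's indicators; the value comes from feeding the script a complete, centrally collected log stream, since a router whose logging has been switched off (as the article notes the group does) will simply stop producing lines, so a gap in expected log volume per device is itself worth alerting on.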
Protecting oneself from vulnerabilities is crucial, and organizations can leverage Patch Manager Plus to patch over 850 third-party applications efficiently. By taking advantage of the free trial of Patch Manager Plus, organizations can ensure 100% security and safeguard their systems from potential cyber threats.
In conclusion, BlackTech APT continues to pose a significant threat to a wide range of sectors globally. Its use of custom malware, RATs, and clever tactics makes it exceptionally adept at evading detection. The collaboration between the Japan National Police Agency and the U.S. Cybersecurity and Infrastructure Security Agency highlights the need for constant vigilance and stringent cybersecurity measures to mitigate the risks posed by groups like BlackTech.

