A recent report has shed light on new developments surrounding the BlackTech APT group, a notorious Chinese state-sponsored advanced persistent threat (APT) entity. For over a decade, the group has been conducting cyber espionage operations targeting Japanese, Taiwanese, and Hong Kong-based organizations, providing sensitive information to the Chinese government.
The BlackTech APT group has left a trail of intrusions across government, industry, technology, media, electronics, telecommunications, and defense organizations. Its tradecraft combines custom malware, dual-use tools, and deliberate anti-forensic steps, such as disabling logging on compromised routers, to hide its activity.
Recently, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) and Japan's National Police Agency (NPA) published a joint advisory on BlackTech. According to the report, the group can modify router firmware without detection and abuse domain-trust relationships within networks, which lets it pivot from the networks of international subsidiaries into the headquarters networks of their parent companies in Japan and the U.S.
Another notable feature of the BlackTech APT group is its constant evolution of tooling to evade detection, including signing its malware with stolen code-signing certificates so that it passes as legitimate software. By using a range of custom malware payloads and remote access tools (RATs) for multiple operating systems, the group blends in with normal network and operating-system activity, making its presence difficult to detect.
BlackTech has shown a clear preference for targeting network edge devices, across several router brands and versions, with a notable emphasis on Cisco routers. On Cisco IOS routers, the group has hidden its activity in Embedded Event Manager (EEM) policies, the router's built-in facility for running scripted actions whenever a specified event (a timer, a syslog message, a CLI command) occurs; an attacker-added EEM applet can, for example, suppress logging or re-establish access each time the device boots.
To counter this threat, CISA and NPA have outlined a series of mitigation steps. Network defenders are advised to watch for anomalous traffic patterns, unauthorized downloads of bootloaders and firmware images, and unexpected reboots, and to back those checks with routine verification of running firmware against vendor-published image hashes. These indicators may serve as early warnings of BlackTech's presence on a network.
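The two router-side checks above, an EEM policy review and a reload audit, are easy to script against exported device data. The following is an added example, not code from the advisory or from the article: it parses a `show running-config` excerpt for EEM applets whose actions disable logging or pull files onto the device, and scans syslog reload messages for requests that did not originate from an approved administration host. The configuration excerpt, log lines, applet names, and IP addresses are constructed for illustration, and the suspicious-action patterns are generic starting points rather than indicators published for this group.

```python
"""Offline audit of two Cisco IOS indicators: suspicious EEM applets and
reloads requested from unapproved hosts. All sample data is constructed."""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set

# Constructed `show running-config` excerpt; applet names are hypothetical.
SAMPLE_CONFIG = """\
hostname edge-rtr-01
!
logging host 10.0.0.5
logging buffered 64000
!
event manager applet check_uplink
 event timer watchdog time 60
 action 1.0 cli command "enable"
 action 2.0 cli command "show interfaces GigabitEthernet0/0 | include protocol"
!
event manager applet upd
 event syslog pattern "SYS-5-RESTART"
 action 1.0 cli command "enable"
 action 2.0 cli command "configure terminal"
 action 3.0 cli command "no logging host 10.0.0.5"
 action 4.0 cli command "no logging buffered"
 action 5.0 cli command "end"
!
end
"""

# Constructed syslog lines in the standard IOS %SYS-5-RELOAD / %SYS-5-RESTART format.
SAMPLE_SYSLOG = [
    "Jan 12 02:14:07 edge-rtr-01 %SYS-5-RELOAD: Reload requested by ops on vty0 (10.0.0.42). Reload Reason: Reload Command.",
    "Jan 12 02:17:55 edge-rtr-01 %SYS-5-RESTART: System restarted --",
    "Jan 13 23:41:10 edge-rtr-01 %SYS-5-RELOAD: Reload requested by admin on vty1 (203.0.113.9). Reload Reason: Reload Command.",
    "Jan 13 23:44:02 edge-rtr-01 %SYS-5-RESTART: System restarted --",
]

# Generic action patterns that warrant review; not indicators from the advisory.
SUSPICIOUS_ACTIONS = [
    (re.compile(r'"no logging\b'), "disables logging"),
    (re.compile(r'"no aaa\b'), "disables AAA"),
    (re.compile(r"\btclsh\b"), "runs a Tcl shell"),
    (re.compile(r'"copy\s+(tftp|ftp|http|https|scp):'), "copies a file onto the device"),
]


@dataclass
class EemApplet:
    name: str
    trigger: str = ""
    actions: List[str] = field(default_factory=list)


def parse_eem_applets(config: str) -> List[EemApplet]:
    """Collect each EEM applet with its event trigger and action lines."""
    applets: List[EemApplet] = []
    current: Optional[EemApplet] = None
    for raw in config.splitlines():
        m = re.match(r"^event manager applet (\S+)", raw)
        if m:
            current = EemApplet(m.group(1))
            applets.append(current)
            continue
        if current is None or not raw.startswith(" "):
            current = None  # '!' or any top-level command ends the applet block
            continue
        line = raw.strip()
        if line.startswith("event "):
            current.trigger = line[len("event "):]
        elif line.startswith("action "):
            current.actions.append(line)
    return applets


def audit_eem(config: str) -> Dict[str, List[str]]:
    """Return {applet_name: [reasons]} for applets with a suspicious action."""
    findings: Dict[str, List[str]] = {}
    for applet in parse_eem_applets(config):
        reasons = [f"{why}: {action}"
                   for action in applet.actions
                   for pattern, why in SUSPICIOUS_ACTIONS
                   if pattern.search(action)]
        if reasons:
            findings[applet.name] = reasons
    return findings


RELOAD_RE = re.compile(
    r"%SYS-5-RELOAD: Reload requested by (?P<user>\S+) on (?P<line>\S+) \((?P<src>[\d.]+)\)"
)


def audit_reloads(lines: List[str], approved_hosts: Set[str]) -> List[str]:
    """Return reload messages whose requesting host is not an approved admin station."""
    return [line for line in lines
            if (m := RELOAD_RE.search(line)) and m.group("src") not in approved_hosts]


if __name__ == "__main__":
    for name, reasons in audit_eem(SAMPLE_CONFIG).items():
        print(f"[EEM] applet {name!r} needs review:")
        for reason in reasons:
            print("    -", reason)
    for line in audit_reloads(SAMPLE_SYSLOG, {"10.0.0.42"}):
        print("[RELOAD] unapproved source:", line)
```

Run against real exports, the config parser expects the output of `show running-config` and the reload audit expects raw syslog lines; the approved-host set should be the jump hosts from which administrators are actually permitted to reload devices, so that any reload from elsewhere, or from an EEM applet with no interactive source, stands out.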
BlackTech's activity has drawn attention before. In 2020, Taiwan's security authority reported attacks targeting approximately 6,000 government officials' email accounts, and identified both BlackTech and another group, Taidoor, as likely backed by the Chinese Communist Party. The new advisory shows that the group's operations have continued uninterrupted since then.
Against the backdrop of rising tensions between the U.S. and China, particularly over Taiwan, U.S. security officials have repeatedly warned about China's cyber capabilities. FBI Director Christopher Wray recently stated that China's hacking program is larger than those of every other major nation combined.
It is important to note that the information provided in this report is based on internal and external research obtained through various means. Users are responsible for their reliance on this information, and The Cyber Express assumes no liability for its accuracy or consequences.

