Cisco Router Firmware Hacks Attributed To China-Linked Group

Government agencies in the U.S. and Japan say that a group known as BlackTech has been observed compromising Cisco routers and installing backdoors for maintaining access.


Hackers linked to the People’s Republic of China are responsible for a campaign to compromise Cisco routers with the installation of “stealthy” backdoors for maintaining access, U.S. and Japanese government agencies said in a joint advisory Wednesday.

The threat actor, known as BlackTech, has “compromised several Cisco routers using variations of a customized firmware backdoor,” the agencies said in the advisory. The hackers have been known to “hide in router firmware,” the advisory warned.

In its own advisory on the topic, Cisco noted that there is “no indication” that vulnerabilities in its products have been exploited in the attacks. The company also indicated that some of the methods used by the threat actors are only possible on older Cisco routers.


“Modern Cisco devices include secure boot capabilities, which do not allow the loading and executing of modified software images,” the company said.

In a statement provided to CRN, Cisco said the advisory “underscores the urgent need for companies to update, patch and securely configure their network devices – critical steps towards maintaining security hygiene and achieving overall network resilience.”

BlackTech has mainly targeted organizations in the U.S. and Japan, according to the advisory. The group has been observed targeting government, technology, industrial, media and telecom sector organizations. Those include organizations that work with the militaries of the U.S. and Japan.

BlackTech has “demonstrated capabilities in modifying router firmware without detection and exploiting routers’ domain-trust relationships for pivoting from international subsidiaries to headquarters in Japan and the U.S.,” the five agencies — the NSA, FBI, CISA, Japan’s National Police Agency and Japan’s National Center of Incident Readiness and Strategy for Cybersecurity — said in the advisory.

The techniques used by the hackers are “not solely limited to Cisco routers, and similar techniques could be used to enable backdoors in other network equipment,” the agencies said.

BlackTech is believed to use tactics aimed at concealing its operations, such as disabling a router’s logging, and to deploy custom malware, according to the advisory.

“In some cases, BlackTech actors replace the firmware for certain Cisco IOS-based routers with malicious firmware,” the agencies said.

The advisory recommends mitigation strategies such as disabling outbound connections initiated from the routers themselves, monitoring network connections to and from network devices, limiting access to administrative services, upgrading devices to current software and monitoring for changes to firmware.
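Two of those mitigations, monitoring for firmware changes and catching the logging tampering described above, can be automated against output that routers already produce. The script below is an added example and is not code from the advisory, CRN or Cisco. It parses the result line of the IOS `verify /md5` command and compares it with a known-good image manifest, and it scans command-accounting records for configuration commands that remove or stop logging. The manifest digests, the hostnames, the simplified accounting-record format (`host=… user=… src=… cmd=…`) and the list of flagged command prefixes are all assumptions constructed for the example; real TACACS+ accounting output will need its own record regex.

```python
import re

# ---- Check 1: firmware image hash vs. a known-good baseline ----------------
# Hypothetical manifest: image path on the router's flash -> MD5 recorded when
# the image was installed from a trusted copy. The digests are made up.
BASELINE = {
    "flash:c2900-universalk9-mz.SPA.157-3.M8.bin": "1e7a4d9c2b8f6a5e3c1d0b9a8f7e6d5c",
}

# Result line IOS prints for `verify /md5 <file>`:
#   verify /md5 (flash:<image>) = <32 hex chars>
VERIFY_RE = re.compile(r"verify /md5 \(([^)]+)\) = ([0-9a-fA-F]{32})")


def check_firmware(verify_output, baseline=BASELINE):
    """Return (status, image, digest) for each verify result in the output.

    status is "ok", "hash-mismatch" (a known image whose digest changed, the
    signal for a replaced image) or "unknown-image" (file not in the manifest).
    """
    results = []
    for match in VERIFY_RE.finditer(verify_output):
        image, digest = match.group(1), match.group(2).lower()
        expected = baseline.get(image)
        if expected is None:
            status = "unknown-image"
        elif digest != expected:
            status = "hash-mismatch"
        else:
            status = "ok"
        results.append((status, image, digest))
    return results


# ---- Check 2: configuration commands that weaken logging ---------------------
# Constructed, simplified command-accounting format (one record per line):
#   <timestamp> host=<router> user=<user> src=<ip> cmd=<command as typed>
# Real TACACS+ accounting logs differ; adapt RECORD_RE to your server's layout.
RECORD_RE = re.compile(
    r"host=(?P<host>\S+)\s+user=(?P<user>\S+)\s+src=\S+\s+cmd=(?P<cmd>.+)$"
)

# Commands that remove a logging sink, stop logging, or stop accounting itself.
# Assumed list; extend it with whatever your baseline configuration relies on.
LOGGING_TAMPER_PREFIXES = (
    "no logging",        # no logging on / host / buffered / trap ...
    "no aaa accounting",
    "clear logging",
)


def find_logging_tampering(accounting_lines):
    """Return [(line_no, host, user, normalised_cmd)] for suspicious commands."""
    hits = []
    for n, line in enumerate(accounting_lines, 1):
        match = RECORD_RE.search(line)
        if not match:
            continue
        # Collapse repeated whitespace so "no  logging on" is not missed.
        cmd = " ".join(match.group("cmd").split()).lower()
        if any(cmd.startswith(prefix) for prefix in LOGGING_TAMPER_PREFIXES):
            hits.append((n, match.group("host"), match.group("user"), cmd))
    return hits


# ---- Constructed sample data (not captured from any real device) -------------
SAMPLE_VERIFY_OUTPUT = """\
rtr-tokyo-1# verify /md5 flash:c2900-universalk9-mz.SPA.157-3.M8.bin
..........Done!
verify /md5 (flash:c2900-universalk9-mz.SPA.157-3.M8.bin) = 1e7a4d9c2b8f6a5e3c1d0b9a8f7e6d5c
rtr-osaka-2# verify /md5 flash:c2900-universalk9-mz.SPA.157-3.M8.bin
..........Done!
verify /md5 (flash:c2900-universalk9-mz.SPA.157-3.M8.bin) = 9f8e7d6c5b4a39281706f5e4d3c2b1a0
"""

SAMPLE_ACCOUNTING = [
    "2023-09-27T01:12:03Z host=rtr-tokyo-1 user=netops src=10.20.0.5 cmd=show running-config",
    "2023-09-27T01:12:41Z host=rtr-tokyo-1 user=netops src=10.20.0.5 cmd=configure terminal",
    "2023-09-27T01:12:55Z host=rtr-tokyo-1 user=netops src=10.20.0.5 cmd=no logging host 10.20.1.10",
    "2023-09-27T01:13:02Z host=rtr-tokyo-1 user=netops src=10.20.0.5 cmd=no  logging on",
    "2023-09-27T01:13:30Z host=rtr-tokyo-1 user=netops src=10.20.0.5 cmd=logging trap informational",
    "2023-09-27T02:00:00Z host=rtr-osaka-2 user=admin src=10.30.0.9 cmd=show version",
]

if __name__ == "__main__":
    for status, image, digest in check_firmware(SAMPLE_VERIFY_OUTPUT):
        print(f"firmware {status:14} {image} {digest}")
    for line_no, host, user, cmd in find_logging_tampering(SAMPLE_ACCOUNTING):
        print(f"logging-tamper line {line_no}: {host} {user} ran '{cmd}'")
```

On the constructed data the second router reports a digest that differs from the manifest and two accounting records are flagged. One caveat a practitioner should keep in mind: `verify /md5` is computed by the software running on the router, so a device whose image has already been replaced can misreport its own hash. Where possible, copy the image off the box and hash it on a trusted host, treat the on-device check as a cheap first pass, and prefer platforms with the secure boot capability Cisco describes above, which refuses to load a modified image in the first place.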

Multinational corporations, in particular, are urged to “review all subsidiary connections, verify access and consider implementing Zero Trust models to limit the extent of a potential BlackTech compromise,” the agencies said.

The advisory is the latest to warn of intensifying threats from China-linked hackers.

In another recent example, researchers at Mandiant said in August that U.S. government agencies were “disproportionately” targeted in the China-linked cyberattack campaign that exploited a flaw in Barracuda’s Email Security Gateway appliances.