Cisco routers abused by China-linked hackers against US, Japan companies

Dive Brief:

• U.S. and Japanese authorities warned a state-backed cyber threat group, identified as BlackTech, is abusing firmware in Cisco and other routers to hack into companies in both countries. 
• Officials said the group, linked to the People’s Republic of China, is using custom malware and living-off-the-land techniques to infiltrate international subsidiaries of these companies and gain trusted access to computer systems inside the main headquarters at unsuspecting firms. 
• The Cybersecurity and Infrastructure Security Agency, FBI and National Security Agency issued the warning Wednesday in a joint advisory with the Japan National Police Agency and the Japan National Center of Incident Readiness and Strategy for Cybersecurity.

Dive Insight:

BlackTech has been actively attacking companies that support the defense industry in both countries since 2010.

The hackers have historically targeted firmware located at international subsidiaries of U.S. and Japanese companies, using custom malware to abuse Cisco routers in order to evade detection. 

Mandiant officials said they have observed the threat group targeting media and technology companies from Japan and most recently organizations located in Taiwan. 

“This activity is another example of China’s increasingly complex cyber operations,” John Hultquist, chief analyst at Mandiant Intelligence, a Google Cloud unit, said via email. “Rather than loud, direct attacks at targets, China is employing creative methods, like abusing the trusted connections between organizations to infiltrate their desired targets.”

BlackTech is considered one of the most capable threat groups associated with China, but the abuse of routers is a bit of a novel technique for them, according to Dick O’Brien, principal intelligence analyst at Symantec, part of Broadcom. 

“What we’ve seen in the past is a combo of custom malware, previously used malware and living off the land tactics,” O’Brien told Cybersecurity Dive. “But this router technique is kind of a new thing in their arsenal.”

Broadcom has tracked the group’s activities for many years, including espionage campaigns in Japan, Taiwan and other countries in 2019 and 2020.

BlackTech has used remote access tools and custom malware, including BendyBear, Flagpro, SpiderPig and other families to access the operating systems of targeted companies, according to a CISA advisory released in 2022.

The group has targeted certain Cisco IOS-based routers and used malicious firmware to replace the existing firmware, according to the CISA advisory.

Hackers are mainly using stolen or weak administrative credentials to gain access, Cisco said Wednesday in an advisory related to the attacks. Cisco claims there is no indication the hackers are abusing existing vulnerabilities, however said modern Cisco devices have secure boot capabilities that prevent the ability to load and execute modified software images. 

CISA previously referenced China-linked threat actors exploiting an old remote code execution vulnerability in Cisco’s devices, listed as CVE-2018-0171.

The attacks underscore the “urgent need for companies to update, patch and securely configure their network devices — critical steps towards maintaining security hygiene and achieving overall network resilience,” a Cisco spokesperson said via email.

BlackTech is also using stolen code certificates to sign malicious payloads, which can make it more difficult for security software to detect. A Cisco spokesperson said there is no evidence linking those stolen certifcates to attacks against the company’s devices.

Cisco recently led a coalition of companies to combat the growing use of networking devices, including routers and switches, to launch malicious attacks.