American and Japanese authorities are warning that Chinese actors known as BlackTech have been taking over routers, singling out Cisco units, via weak admin credentials and modified firmware.
Cisco has responded by saying there is no evidence any security vulnerabilities were involved in the attacks.
The warning was co-authored by America’s National Security Agency (NSA), the Federal Bureau of Investigation (FBI), and the Cybersecurity and Infrastructure Security Agency (CISA), along with Japan’s National Police Agency (NPA) and the National Center of Incident Readiness and Strategy for Cybersecurity (NISC).
The advisory published by CISA said BlackTech, who also go by the names Palmerworm, Temp.Overboard, Circuit Panda and Radio Panda, target “government, industrial, technology, media, electronics, and telecommunication sectors, including entities that support the militaries of the US and Japan”, and have been active since 2010.
Their modus operandi is to get access to a network via an organisation’s international subsidiaries and use that access to pivot to head office networks.
Having started by compromising edge devices, the advisory said, the BlackTech actors then target branch routers.
The branch router access is then used for “proxying traffic, blending in with corporate network traffic, and pivoting to other victims on the same corporate network.”
While saying the group “has targeted and exploited various brands and versions of router devices”, the advisory singles out Cisco products for its analysis, with BlackTech using their admin access to replace the Cisco firmware with malicious firmware.
BlackTech's modified firmware provides an SSH backdoor to give the attackers persistent access to the device without being logged, letting them snoop on traffic without being caught.
Where necessary, the attackers also exploit their access to the devices to install a modified bootloader, presumably to bypass Cisco’s bootloader security features.
Cisco’s response
Cisco seems less than pleased with the advisory, judging by its published response.
Noting that weak admin credentials are the “most prevalent” access vector, the company added: “There is no indication that any Cisco vulnerabilities were exploited.
“Attackers used compromised credentials to perform administrative-level configuration and software changes,” the company said, adding that modern products’ secure boot capabilities “do not allow the loading and executing of modified software images.”
The company advises users to follow the practices described in its blog post.
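As an added illustration of the “weak admin credentials” access vector both the advisory and Cisco point to (this is example code, not from the advisory, Cisco or the article), the audit below scans a constructed Cisco IOS-style configuration and flags credential storage that is plaintext or reversibly encoded, plus Telnet left enabled on management lines. Hostnames and hashes in the sample are made up.

```python
import re

# Constructed IOS-style running-config fragment used only as sample input.
SAMPLE_CONFIG = """\
hostname branch-rtr-01
enable password cisco123
username admin privilege 15 password 7 0822455D0A16
username ops privilege 15 secret 9 $9$EXAMPLEHASHNOTREAL
line vty 0 4
 transport input telnet ssh
 login local
"""

# Each rule: (compiled pattern, finding text). Patterns are anchored to the
# start of a config line so that "secret" entries are not mistaken for weak ones.
RULES = [
    (re.compile(r"^enable password "),
     "enable password is type 0/7 (plaintext or reversible); use 'enable secret' with type 8/9"),
    (re.compile(r"^username \S+.* password "),
     "local user stores a type 0/7 password; re-create the user with 'secret'"),
    (re.compile(r"^\s*transport input .*\btelnet\b"),
     "Telnet accepted on a line; restrict 'transport input' to ssh"),
]


def audit_config(config_text: str) -> list[str]:
    """Return a list of findings, one per weak line, as 'line N: <message>'."""
    findings = []
    for lineno, line in enumerate(config_text.splitlines(), start=1):
        for pattern, message in RULES:
            if pattern.search(line):
                findings.append(f"line {lineno}: {message}")
                break  # one finding per config line is enough
    return findings


def has_weak_credentials(config_text: str) -> bool:
    """True if any credential-related finding was raised (ignores Telnet-only hits)."""
    return any("password" in f for f in audit_config(config_text))


if __name__ == "__main__":
    for finding in audit_config(SAMPLE_CONFIG):
        print(finding)
```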