US, Japan warn China-linked 'BlackTech' targeting routers

A China-linked threat actor dubbed "BlackTech" is targeting the firmware of network routers, including those sold by Cisco, according to a joint cybersecurity advisory published Wednesday by CISA.

CISA's advisory, titled "People's Republic of China-Linked Cyber Actors Hide in Router Firmware," was jointly published in cooperation with the FBI, the National Security Agency, the Japan National Police Agency and the Japan National Center of Incident Readiness and Strategy for Cybersecurity. The advisory concerns threat activity attributed to China-linked actor BlackTech, and specifically activity targeting international subsidiaries of U.S. and Japanese companies in attacks.

"BlackTech has demonstrated capabilities in modifying router firmware without detection and exploiting routers' domain-trust relationships for pivoting from international subsidiaries to headquarters in Japan and the U.S. -- the primary targets," CISA said. In addition to broad tactics, techniques and procedures (TTP) in which BlackTech engages, the advisory covered a pattern of attacks targeting routers -- particularly those sold by networking giant Cisco.

The U.S. cyber agency said the threat actor has compromised several router brands and product versions, though the advisory focused on attacks targeting Cisco routers specifically. Once compromised, BlackTech modified the router's firmware by adding backdoors while also concealing configuration changes, hiding commands and disabling logging. As part of this campaign, the threat actor replaced firmware for certain Cisco Internetworking Operating System (Cisco IOS)-based routers with custom malicious firmware.

The firmware modifications and replacement, however, only occur after BlackTech actors already gained initial access and elevated privileges, typically through stolen administrative credentials. The firmware is used to "establish persistent backdoor access and obfuscate future malicious activity," the joint advisory said. Additional technical details are available in the advisory.

"This TTP is not solely limited to Cisco routers, and similar techniques could be used to enable backdoors in other network equipment," CISA said.

Cisco published its own advisory alongside CISA's Wednesday in which it aimed to clarify the threat and emphasize specific details from the report.

The networking vendor noted that there was "no indication" Cisco vulnerabilities were exploited, that modern Cisco devices include secure boot capabilities "which do not allow the loading and executing of modified software images," and that a reference in CISA's advisory to BlackTech using stolen code-signing certificates are not from Cisco. Additionally, "Cisco does not have any knowledge of code-signing certificates being stolen to perform any attack against Cisco infrastructure devices."

Regarding remediation, CISA recommended defenders monitor their network devices for unusual router traffic as well as for unauthorized bootloader, firmware image and reboot downloads. Cisco recommended customers follow best practices according to a 2020 advisory dedicated to defending against attacks on legacy devices.

Asked about why Cisco was singled out in CISA's advisory, a spokesperson said that "Cisco is often named in advisories where multiple vendors are impacted because of our footprint across the global network."

The spokesperson also shared the following statement:

"Cisco is aware of the Sept. 27 joint cybersecurity advisory (CSA) detailing activities by BlackTech cyber actors to target router firmware from multiple vendors, including Cisco. There is no indication that any Cisco vulnerabilities were exploited as outlined in Cisco's informational security advisory. Today's alert underscores the urgent need for companies to update, patch and securely configure their network devices -- critical steps towards maintaining security hygiene and achieving overall network resilience."

CISA declined TechTarget Editorial's request for comment.

Alexander Culafi is a writer, journalist and podcaster based in Boston.