China-linked threat actor BlackTech infiltrated the corporate networks of multinational U.S. and Japanese businesses through elaborate attacks that included modifying router firmware at victim organizations’ overseas branch offices.By penetrating edge devices in subsidiary offices, the advanced persistent threat (APT) group was able to pivot from target businesses’ smaller, often less secure, routers into their headquarter networks.Details of BlackTech’s activities were outlined in a joint Sept. 27 advisory from the U.S. National Security Agency (NSA), the FBI, the Cybersecurity and Infrastructure Security Agency (CISA), the Japan National Police Agency (NPA), and the Japan National Center of Incident Readiness and Strategy for Cybersecurity (NISC).In the advisory, the agencies said BlackTech used the attacks to deploy backdoor malware. They urged multinational organizations to review all network connections with their subsidiary offices and listed a range of security measures they should take to mitigate the APT gang’s potential risk.“BlackTech actors have compromised several Cisco routers using variations of a customized firmware backdoor. The backdoor functionality is enabled and disabled through specially crafted TCP or UDP packets,” the agencies said.“In some cases, BlackTech actors replace the firmware for certain Cisco IOS-based routers with malicious firmware. Although BlackTech actors already had elevated privileges on the router to replace the firmware via command-line execution, the malicious firmware is used to establish persistent backdoor access and obfuscate future malicious activity.”According to the advisory, the techniques used by the group, which has been active since 2010, were not limited to Cisco routers, and could be applied to other network equipment.“The group's tactic of hacking into network edge devices and implanting malicious firmware illustrates a high level of technical proficiency and a focus on maintaining long-term, stealthy access within targeted networks,” said Callie Guenther, cyber threat research senior manager at Critical Start.“By modifying router firmware, particularly on Cisco routers, the group ensures persistence and the ability to maneuver undetected across corporate networks.”
Threat Intelligence, Endpoint/Device Security, Network Security
BlackTech gang hacks Cisco firmware in attacks on multinational corporations

A China-linked threat actor infiltrated the corporate networks through elaborate attacks to deploy backdoor malware. (Photo by Ramon Costa/SOPA Images/LightRocket via Getty Images)
An In-Depth Guide to Network Security
Get essential knowledge and practical strategies to fortify your network security.
Related Events
Get daily email updates
SC Media's daily must-read of the most current and pressing daily news
You can skip this ad in 5 seconds



