China Delivers Cyber Blow to US and Japan with APT Attacks on Cisco Firmware

Chinese State-Linked Threat Actor Exploits Cisco Routers to Breach Multinational Organizations

An Overview of the Breach

A long-active Chinese state-linked threat actor known as “BlackTech” has been conducting sophisticated cyber attacks on multinational organizations in both the United States and Japan, according to a joint cybersecurity advisory from the National Security Agency (NSA), FBI, Cybersecurity and Infrastructure Security Agency (CISA), Japanese national police, and cybersecurity authorities. BlackTech, also known as Palmerworm, Temp.Overboard, Circuit Panda, and Radio Panda, has been replacing the firmware of Cisco routers with its own malicious version. This gives the group persistence within the affected networks and lets it move from smaller international subsidiaries to the headquarters of the affected organizations.

The targets of the attacks have spanned various sectors including government, industrial, technology, media, electronics, and telecommunication. The advisory also mentions that these organizations include entities that support the militaries of the U.S. and Japan. It is worth noting that the advisory does not specifically mention any CVE affecting Cisco routers and indicates that similar techniques could be applied to backdoor other network equipment.

The Exploitation Tactics of BlackTech

BlackTech has been involved in compromising and stealing intellectual property from Cisco routers since Cisco assisted China in building its national Internet censorship apparatus, the “Great Firewall,” in the early 2000s. The group possesses 12 different custom malware families that target Windows, Linux, and FreeBSD operating systems. These malware families are constantly updated to evade antivirus detection and are given an air of legitimacy through code-signing certificates.

Once BlackTech gains access to target networks, it employs living-off-the-land (LotL)-style tools to evade detection, using techniques such as NetCat shells, the Secure Shell Protocol (SSH), and the Remote Desktop Protocol (RDP). BlackTech’s ultimate goal is to escalate its privileges within the target network until it obtains administrator privileges over vulnerable network routers. This sets the group apart from other threat actors.

Specific Exploitation Methods on Routers

BlackTech specifically targets routers at smaller remote branches of larger organizations, where security measures may be less stringent. Once connected to an organization’s primary IT network, the group blends in with regular network traffic and can pivot to other victims within the organization. To keep control over the routers and hide its malicious activities, BlackTech performs a downgrade attack.

In this attack, BlackTech installs an older version of the router’s firmware, taking advantage of Cisco’s feature that allows authorized individuals to downgrade the operating system image and firmware. They then modify the old firmware in memory (hot patching) without requiring a reboot. This allows them to install a bootloader and their own malicious firmware, which includes a built-in SSH backdoor.

Alex Matrosov, CEO and head of research at Binarly, highlighted that the advisory does not mention a specific vulnerability. However, he pointed to CVE-2023-20082, a medium-rated 6.8 CVSS-scored bug in Cisco Catalyst switches, as an example of a comparable vulnerability that could be exploited by BlackTech.

Mitigation Strategies and Long-Term Solutions

The joint advisory provides several steps for companies to mitigate the threat posed by BlackTech’s tactics. These include monitoring inbound and outbound connections with network devices, reviewing logs and firmware changes, and maintaining strong password hygiene.
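As an added example (not code from the advisory or this article), one way to operationalise the “review firmware changes” step: diff a deployment-time baseline of each device’s image version and hash against the latest inventory and flag the two patterns described earlier, an image that went backwards in version and an image whose hash changed although the version did not. Device names, version strings and hashes are constructed placeholders.

```python
"""Added example (not the advisory's code): flag firmware downgrades and
image-hash mismatches by diffing a known-good baseline against the latest
inventory. Device names, versions and hashes are constructed placeholders."""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class ImageRecord:
    device: str
    version: str  # release string such as "15.2(4)M7"
    sha256: str   # hash of the running image, as recorded by the collector


def version_key(version):
    """Make release strings comparable: numeric runs compare as integers,
    alphabetic runs as text, so "15.2(4)M7" > "15.2(4)M6" > "15.1(4)M10"."""
    parts = re.findall(r"\d+|[A-Za-z]+", version)
    return tuple((0, int(p)) if p.isdigit() else (1, p) for p in parts)


def audit(baseline, observed):
    """Return one finding per device whose image state needs review."""
    findings = []
    for rec in observed:
        base = baseline.get(rec.device)
        if base is None:
            findings.append(f"{rec.device}: not in baseline, unknown device")
        elif version_key(rec.version) < version_key(base.version):
            # Older image than deployed: the downgrade pattern described above.
            findings.append(f"{rec.device}: DOWNGRADE {base.version} -> {rec.version}")
        elif rec.version == base.version and rec.sha256 != base.sha256:
            # Same version, different bytes: image modified in place.
            findings.append(f"{rec.device}: image hash changed, version unchanged")
        elif rec.version != base.version:
            findings.append(f"{rec.device}: upgraded {base.version} -> {rec.version}, confirm change record")
    return findings


# Constructed sample data: a baseline captured at deployment and a later scan.
BASELINE = {r.device: r for r in [
    ImageRecord("branch-rtr-01", "15.2(4)M7", "aa11"),
    ImageRecord("branch-rtr-02", "15.2(4)M7", "aa11"),
    ImageRecord("hq-rtr-01", "15.2(4)M7", "aa11")]}
OBSERVED = [
    ImageRecord("branch-rtr-01", "15.1(4)M10", "bb22"),  # went backwards
    ImageRecord("branch-rtr-02", "15.2(4)M7", "cc33"),   # same version, new hash
    ImageRecord("hq-rtr-01", "15.2(4)M7", "aa11"),       # unchanged
    ImageRecord("lab-rtr-09", "15.2(4)M7", "aa11")]      # not in baseline

if __name__ == "__main__":
    for line in audit(BASELINE, OBSERVED):
        print(line)
```

The hash is only as trustworthy as the collector that reports it; a baseline taken from the device itself after compromise would already be poisoned, so capture it at deployment and keep it off the device.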

However, Tom Pace, former Department of Energy head of cyber and current CEO of NetRise, argues that these steps are merely “Band-Aids” for a more systemic issue in edge security. He emphasizes the lack of visibility solutions for edge devices, such as routers, compared to laptops, desktops, and servers.

Pace suggests that device manufacturers must upgrade their security measures, and customers must invest in this area that has traditionally been overlooked. He warns that without significant improvements in edge device security, similar incidents will continue to occur. He estimates that this problem has persisted for at least a decade and predicts it will continue unless addressed comprehensively.

Conclusion

The recent revelations about BlackTech’s exploitation of Cisco routers to breach multinational organizations underline the continuous threat posed by state-linked threat actors. This incident highlights the need for advanced security measures not only on routers but on all edge devices. The joint advisory provides valuable short-term mitigations, but a more comprehensive approach to enhancing edge security is necessary to prevent similar incidents in the future.

Without significant advancements in security measures from device manufacturers and increased investment from customers, organizations will continue to face persistent threats. The implications extend beyond the immediate breach as these state-linked actors become more sophisticated and stealthy in their cyber operations. A collective effort from both the public and private sectors is essential to address these ongoing challenges and protect the digital infrastructure that underpins our daily lives.
