Incident Alerts

BlackTech Hackers Found Hiding in Cisco Router Firmware

Written by Kayla Kinney | Sep 29, 2023 2:00:00 PM

A joint advisory issued by the NSA, FBI, CISA, Japan's National Police Agency (NPA), and Japan's NISC reports that the Chinese state-linked hacking group BlackTech has been replacing the firmware on Cisco routers with modified firmware to maintain concealed persistence and carry out cyber-attacks. BlackTech has been active since 2010 and primarily targets the government, industrial, technology, media, electronics, and telecommunication sectors.

The advisory warns that once the attackers have administrator access to a network edge device, they modify its firmware, which lets them hide their activity and maintain persistence within the network. BlackTech specifically targets branch routers, the smaller appliances used in remote branch offices to connect to a corporate headquarters. Because a branch router sits inside a trusted relationship with the headquarters network, a compromised one lets the attackers blend in with legitimate corporate traffic and pivot from the branch into the headquarters network and other victims reachable from it.

Cisco routers have been compromised using custom firmware backdoors created by the group. The modified firmware includes a built-in SSH backdoor, switched on and off with specially crafted packets, that gives the actors persistent access without their connections being logged. To get the unsigned firmware onto the device at all, the attackers first install older legitimate firmware and then patch it in memory so that a modified bootloader and modified firmware can be loaded, bypassing the router's signature checks and evading detection.

The advisory recommends that organizations monitor network devices for both inbound and outbound connections, review device logs for unauthorized reboots, operating-system version changes, configuration changes, and firmware update attempts (comparing them against planned maintenance to confirm they are authorized), upgrade to devices with secure boot capabilities, and regularly check for firmware updates. It also notes that a router that goes quiet can itself be an indicator, since the actors have been observed disabling logging before making their changes. Cisco has clarified that no Cisco vulnerabilities were exploited in these attacks; the actors relied on stolen or weak administrative credentials, and on the absence of secure boot in older devices to load their modified firmware.
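The log review the advisory calls for can be scripted. The following is an added example, not code from the advisory, Cisco, or the author of this post: it scans a batch of Cisco IOS syslog lines for the events listed above (admin logins from unexpected sources, configuration changes, reloads, a boot on an unexpected IOS version, and a router that stops logging for hours). The allowlist of management hosts, the expected-version inventory, the hostnames, and the sample log lines are all constructed for illustration.

```python
"""Added example: flag the router events the BlackTech advisory tells defenders to
review, over a constructed batch of Cisco IOS syslog lines."""
import re
from datetime import datetime, timedelta

# Assumed allowlist: the only hosts permitted to administer the branch routers.
ALLOWED_ADMIN_SOURCES = {"10.0.0.5"}
# Assumed inventory: the IOS version each router is expected to boot.
EXPECTED_VERSION = {"branch-rtr1": "15.9(3)M6", "branch-rtr2": "15.9(3)M6"}
# A router that sends nothing for this long deserves a look: logging may have been turned off.
SILENCE_THRESHOLD = timedelta(hours=6)

# Constructed line shape: "<Mon DD HH:MM:SS> <hostname> %FACILITY-SEV-MNEMONIC: text"
LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) "
    r"%(?P<mnemonic>[A-Z_]+-\d-[A-Z_]+): (?P<text>.*)$"
)
SOURCE_RE = re.compile(r"\[Source: (?P<ip>[\d.]+)\]")       # SEC_LOGIN messages
VTY_SRC_RE = re.compile(r"on vty\d+ \((?P<ip>[\d.]+)\)")    # CONFIG_I / RELOAD messages
VERSION_RE = re.compile(r"Version (?P<ver>[\w.()]+)")        # SYS-5-RESTART banner

# Constructed sample: a normal morning change, then an evening intrusion on branch-rtr1.
SAMPLE_SYSLOG = [
    "Sep 28 09:00:04 branch-rtr1 %SEC_LOGIN-5-LOGIN_SUCCESS: Login Success [user: netops] [Source: 10.0.0.5] [localport: 22]",
    "Sep 28 09:01:10 branch-rtr1 %SYS-5-CONFIG_I: Configured from console by netops on vty0 (10.0.0.5)",
    "Sep 28 22:17:41 branch-rtr1 %SEC_LOGIN-4-LOGIN_FAILED: Login failed [user: admin] [Source: 198.51.100.23] [localport: 22] [Reason: Login Authentication Failed]",
    "Sep 28 22:17:58 branch-rtr1 %SEC_LOGIN-5-LOGIN_SUCCESS: Login Success [user: admin] [Source: 198.51.100.23] [localport: 22]",
    "Sep 28 22:19:05 branch-rtr1 %SYS-5-CONFIG_I: Configured from console by admin on vty1 (198.51.100.23)",
    "Sep 28 22:21:30 branch-rtr1 %SYS-5-RELOAD: Reload requested by admin on vty1 (198.51.100.23). Reload Reason: Reload Command.",
    "Sep 28 22:24:12 branch-rtr1 %SYS-5-RESTART: System restarted -- Cisco IOS Software, C2900 Software (C2900-UNIVERSALK9-M), Version 15.1(4)M12a, RELEASE SOFTWARE (fc1)",
]


def scan(lines):
    """Return a list of (host, severity, finding) tuples, one per suspicious event, in log order."""
    findings = []
    last_seen = {}  # hostname -> timestamp of its most recent message
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue  # not a router syslog line we understand
        ts = datetime.strptime(m["ts"], "%b %d %H:%M:%S")
        host, mnemonic, text = m["host"], m["mnemonic"], m["text"]

        # Silence: a long gap since this router last spoke is consistent with logging being disabled.
        if host in last_seen and ts - last_seen[host] > SILENCE_THRESHOLD:
            findings.append((host, "medium",
                             f"no syslog for {ts - last_seen[host]}; check whether logging was disabled"))
        last_seen[host] = ts

        sm = SOURCE_RE.search(text) or VTY_SRC_RE.search(text)
        src = sm["ip"] if sm else "unknown"
        trusted = src in ALLOWED_ADMIN_SOURCES

        if mnemonic == "SEC_LOGIN-5-LOGIN_SUCCESS" and not trusted:
            findings.append((host, "high", f"admin login from unexpected source {src}"))
        elif mnemonic == "SEC_LOGIN-4-LOGIN_FAILED":
            findings.append((host, "low", f"failed login from {src}"))
        elif mnemonic == "SYS-5-CONFIG_I":
            # Every config change is recorded; one from outside the allowlist is escalated.
            findings.append((host, "info" if trusted else "high", f"configuration changed from {src}"))
        elif mnemonic == "SYS-5-RELOAD":
            findings.append((host, "high", f"reload requested from {src}"))
        elif mnemonic == "SYS-5-RESTART":
            vm = VERSION_RE.search(text)
            ver = vm["ver"] if vm else "unknown"
            expected = EXPECTED_VERSION.get(host)
            if expected and ver != expected:
                # Booting a version other than the inventoried one (here an older image)
                # is the "operating system version change" the advisory says to watch for.
                findings.append((host, "critical", f"booted {ver}, expected {expected}"))
            else:
                findings.append((host, "medium", f"restarted on {ver}"))
    return findings


if __name__ == "__main__":
    for host, severity, finding in scan(SAMPLE_SYSLOG):
        print(f"{severity:8} {host:12} {finding}")
```

The script is deliberately allowlist-driven: a configuration change or login from a known management host is recorded at low severity so that the same report still gives a reviewer the "expected changes" to reconcile against a patching plan, while the same events from any other source are escalated. A real deployment would feed it from the syslog collector the routers export to, and would pair it with a periodic hash check of the running image against known-good values, which syslog alone cannot provide.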


Continuously Monitor Network Devices

To safeguard against attacks comparable to the BlackTech intrusions, organizations can take proactive measures by using next-generation file integrity monitoring software such as CimTrak. The CimTrak Integrity Suite protects against unauthorized changes to your network infrastructure by providing comprehensive visibility and analysis of all changes across your entire network. In addition, organizations can view side-by-side comparisons that highlight the changes made and, when necessary, restore a previous configuration. Download the Technical Summary for more information on how CimTrak can continuously monitor your network infrastructure.