Government, industrial, technology, media, electronics, and telecommunication sectors, including entities that support the militaries of the US and Japan.
A joint advisory from the United States National Security Agency (NSA), the U.S. Federal Bureau of Investigation (FBI), the U.S. Cybersecurity and Infrastructure Security Agency (CISA), the Japan National Police Agency (NPA) and the Japan National Centre of Incident Readiness and Strategy for Cybersecurity (NISC) details the malicious cyber operations of the People's Republic of China (PRC) state-sponsored threat actor group tracked as BlackTech (also known as TAG-51).
BlackTech is a sophisticated cyber espionage group that has targeted organisations across many industries; its most recent campaign focuses on entities that support the militaries of the US and Japan. The group uses a range of attack vectors, including, but not limited to, custom malware and living-off-the-land techniques.
A successful compromise by BlackTech will almost certainly result in the exfiltration of a significant quantity of sensitive data, as the group's operations align with the geopolitical objectives of the PRC.
Containment, Mitigations & Remediations
It is strongly recommended that the following mitigations, as outlined by CISA, are employed to defend against BlackTech's malicious cyber operations:
- Disable outbound connections from the device by applying the “transport output none” configuration command to the virtual teletype (VTY) lines, so that a session on the router cannot be used to open telnet or SSH connections to other hosts
- Monitor both inbound and outbound connections from network devices to both external and internal systems. If possible, block unauthorised outbound connections from network devices by applying access lists or rule sets to other nearby network devices
- Place administrative systems in separate virtual local area networks (VLANs) and block all unauthorised traffic from network devices destined for non-administrative VLANs
- Limit access to administration services and only permit IP addresses used by network administrators by applying access lists to the VTY lines or specific services
- Monitor logs for successful and unsuccessful login attempts by enabling the “login on-failure log” and “login on-success log” configuration commands, or by reviewing centralised Authentication, Authorization, and Accounting (AAA) events
- Upgrade devices to ones that have secure boot capabilities with better integrity and authenticity checks for bootloaders and firmware
- When there is a concern that a single password has been compromised, change all passwords and keys
- Review logs generated by network devices and monitor for unauthorised reboots, operating system version changes, changes to the configuration, or attempts to update the firmware
- Periodically perform both file and memory verification described in the Network Device Integrity (NDI) Methodology documents to detect unauthorised changes to the software stored and running on network devices
- Monitor for changes to firmware
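The VTY and logging items above map onto a handful of Cisco IOS configuration lines, and the simplest way to apply them consistently is to audit every device's running configuration against them. The script below is an added example (not a CISA or Cisco tool): it parses two constructed “show running-config” excerpts, one weak and one hardened, and reports which of the checks each fails. The hostnames, the MGMT-HOSTS access list and the 10.10.0.0/24 management range are assumptions chosen for the example.

```python
"""Audit a Cisco IOS running-config against the VTY/AAA hardening items
listed above: transport output none, access-class on the VTY lines,
login success/failure logging and AAA.  Added example; the config text is
constructed, not captured from a real device, and the check list is this
script's own reading of the mitigations."""
import re

# Constructed "show running-config" excerpts: a weak baseline and a hardened one.
WEAK_CONFIG = """\
hostname edge-rtr-1
!
line vty 0 4
 login local
 transport input telnet ssh
!
end
"""

HARDENED_CONFIG = """\
hostname edge-rtr-1
!
aaa new-model
aaa authentication login default group tacacs+ local
aaa accounting exec default start-stop group tacacs+
!
login on-failure log
login on-success log
!
ip access-list standard MGMT-HOSTS
 permit 10.10.0.0 0.0.0.255
 deny   any log
!
line vty 0 4
 access-class MGMT-HOSTS in
 login authentication default
 transport input ssh
 transport output none
!
end
"""


def vty_blocks(config):
    """Return [(header, [indented body lines])] for each 'line vty ...' section."""
    blocks, current = [], None
    for raw in config.splitlines():
        if raw.startswith("line vty"):
            current = (raw.strip(), [])
            blocks.append(current)
        elif current is not None:
            if raw.startswith(" "):
                current[1].append(raw.strip())
            else:
                current = None  # left the indented section
    return blocks


def audit_config(config):
    """Return {check name: True (pass) / False (fail)} for one config."""
    global_lines = {l.strip() for l in config.splitlines() if not l.startswith(" ")}
    vtys = vty_blocks(config)

    def every_vty(pred):
        # Every VTY section must contain at least one line satisfying pred.
        return bool(vtys) and all(any(pred(l) for l in body) for _, body in vtys)

    return {
        # No outbound sessions may be opened from a VTY session on the router.
        "vty_transport_output_none": every_vty(lambda l: l == "transport output none"),
        # Only listed administrator addresses may reach the VTY lines.
        "vty_access_class_in": every_vty(lambda l: re.fullmatch(r"access-class \S+ in", l) is not None),
        # Plain-text telnet must not be an accepted inbound transport.
        "vty_no_telnet_input": every_vty(lambda l: l.startswith("transport input") and "telnet" not in l),
        # Both failed and successful logins must be logged.
        "login_on_failure_log": "login on-failure log" in global_lines,
        "login_on_success_log": "login on-success log" in global_lines,
        # Centralised AAA so authentication events are recorded off-box.
        "aaa_new_model": "aaa new-model" in global_lines,
    }


def failed_checks(config):
    """Sorted names of the checks the config fails (empty list = compliant)."""
    return sorted(k for k, ok in audit_config(config).items() if not ok)


if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(name, "fails:", failed_checks(cfg) or "none")
```

Run it against a saved “show running-config” per device rather than a single golden copy; VTY ranges such as “line vty 5 15” are separate sections and each must carry the access-class and transport settings, which is why the checks require every VTY block to pass.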
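Once “login on-failure log” and “login on-success log” are enabled and logs are forwarded to a collector, the monitoring items above (logins, reboots, configuration changes, operating system version changes) can be checked mechanically. The following is an added example, not part of the advisory: it runs simple detection rules over constructed Cisco IOS-style syslog messages. The management range 10.10.0.0/24, the approved release string and the sample addresses are assumptions made for the example.

```python
"""Detection rules for the router-log monitoring items above: VTY logins
from outside the administrative range, configuration changes and reloads
from non-administrative addresses, and a restart that reports an IOS
version other than the approved one.  Added example on constructed
Cisco IOS-style syslog lines; the admin subnet and baseline version are
assumptions, not values from the advisory."""
import ipaddress
import re

ADMIN_NET = ipaddress.ip_network("10.10.0.0/24")   # assumed management VLAN
BASELINE_VERSION = "15.2(4)M7"                     # assumed approved IOS release

# Constructed sample messages, shaped like Cisco IOS syslog output.
SAMPLE_LOGS = [
    "%SEC_LOGIN-5-LOGIN_SUCCESS: Login Success [user: netops] [Source: 10.10.0.7] "
    "[localport: 22] at 09:01:10 UTC Mon Oct 2 2023",
    "%SEC_LOGIN-4-LOGIN_FAILED: Login failed [user: admin] [Source: 203.0.113.45] "
    "[localport: 22] [Reason: Login Authentication Failed] at 09:14:21 UTC Mon Oct 2 2023",
    "%SEC_LOGIN-5-LOGIN_SUCCESS: Login Success [user: admin] [Source: 203.0.113.45] "
    "[localport: 22] at 09:14:33 UTC Mon Oct 2 2023",
    "%SYS-5-CONFIG_I: Configured from console by admin on vty1 (203.0.113.45)",
    "%SYS-5-RELOAD: Reload requested by admin on vty1 (203.0.113.45). Reload Reason: Reload Command.",
    "%SYS-5-RESTART: System restarted -- Cisco IOS Software, Version 15.2(4)M7-patched, RELEASE SOFTWARE",
]

LOGIN_RE = re.compile(r"%SEC_LOGIN-\d-LOGIN_(SUCCESS|FAILED): .*?\[user: (\S+)\] \[Source: (\S+)\]")
CONFIG_RE = re.compile(r"%SYS-5-CONFIG_I: Configured from \S+ by (\S+) on (\S+) \(([\d.]+)\)")
RELOAD_RE = re.compile(r"%SYS-5-RELOAD: Reload requested by (\S+) on (\S+) \(([\d.]+)\)")
RESTART_RE = re.compile(r"%SYS-5-RESTART: System restarted -- .*?Version (\S+?),")


def outside_admin_net(ip):
    """True when the source address is not in the administrative range."""
    return ipaddress.ip_address(ip) not in ADMIN_NET


def detect(lines, baseline_version=BASELINE_VERSION):
    """Return a list of (rule, detail) alerts for the given syslog lines."""
    alerts = []
    for line in lines:
        if m := LOGIN_RE.search(line):
            outcome, user, src = m.groups()
            if outside_admin_net(src):
                # Any VTY login attempt, failed or successful, from outside the admin range.
                alerts.append((f"login_{outcome.lower()}_from_non_admin_ip", f"{user}@{src}"))
        elif m := CONFIG_RE.search(line):
            user, vty, src = m.groups()
            if outside_admin_net(src):
                alerts.append(("config_change_from_non_admin_ip", f"{user}@{src} via {vty}"))
        elif m := RELOAD_RE.search(line):
            user, vty, src = m.groups()
            # Every reload is worth a ticket; an unplanned one may mean a new image was staged.
            alerts.append(("reload_requested", f"{user}@{src} via {vty}"))
        elif m := RESTART_RE.search(line):
            version = m.group(1)
            if version != baseline_version:
                # The image that came up after the restart is not the approved release.
                alerts.append(("os_version_changed", f"{version} != {baseline_version}"))
    return alerts


if __name__ == "__main__":
    for rule, detail in detect(SAMPLE_LOGS):
        print(rule, "->", detail)
```

Two caveats when using this. First, the sample does not exercise the “Monitor for changes to firmware” item: a modified image cannot be trusted to report itself, so firmware verification belongs in the out-of-band NDI file and memory checks rather than in syslog. Second, the technique list below includes T1562.003 (Impair Command History Logging), so the absence of log lines from a device is itself a signal; alert on log silence from a router that was previously chatty, and keep the collector off the monitored device.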
Indicators of Compromise
BlackTech associated file hashes (SHA-256):
BlackTech has a long history of conducting sophisticated cyber espionage operations on behalf of the PRC, including the current campaign, which targets Cisco routers in organisations located in regions whose geopolitical objectives oppose those of the PRC. Given the nature of these operations, it is almost certainly the case that the current campaign is motivated by the political interests and objectives of the PRC.
BlackTech is a PRC state-sponsored Advanced Persistent Threat (APT) group that has been active since at least 2010 and is notorious for cyber espionage campaigns, primarily against organisations in Asia. BlackTech's primary objective is to gain administrator privileges over network routers and to escalate its access within the target network. It achieves this by modifying router firmware and deploying customised backdoors to maintain persistence. Several malware strains have been attributed to BlackTech, including TSCookie, BTSDoor, PLEAD, WaterBear, Flagpro, and SpiderStack.
MITRE ATT&CK Techniques
T1588.003 – Obtain Capabilities: Code Signing Certificates
T1199 – Trusted Relationship
T1205 – Traffic Signaling
T1542.004 – Pre-OS Boot: ROMMONkit
T1112 – Modify Registry
T1562 – Impair Defenses
T1562.003 – Impair Defenses: Impair Command History Logging
T1601.001 – Modify System Image: Patch System Image
T1021.001 – Remote Services: Remote Desktop Protocol
T1021.004 – Remote Services: SSH
T1071.002 – Application Layer Protocol: File Transfer Protocols
T1090 – Proxy