Chinese nation-state sponsored threat actor targets Cisco routers

Target Industry

Government, industrial, technology, media, electronics, and telecommunication sectors, including entities that support the militaries of the US and Japan.

Overview

A joint advisory, from the United States National Security Agency (NSA), the U.S. Federal Bureau of Investigation (FBI), the U.S Cybersecurity and Infrastructure Security Agency (CISA), the Japan National Police Agency (NPA) and the Japan National Centre of Incident Readiness and Strategy for Cybersecurity (NISC), has outlined the details of malicious cyber operations pertaining to the Chinese nation-state sponsored threat actor group, tracked as BlackTech’ (also known as TAG-51).

BlackTech is a highly sophisticated cyber espionage group that has targeted organisations across the industry spectrum, with the most recent campaign focusing on entities that support the militaries of the US and Japan. The threat actor group applies a range of attack vectors, including but not limited to, custom malware and living of the land techniques.

Impact

Successful compromise by BlackTech will almost certainly result in the exfiltration of a significant quantity of sensitive data as the group operates to align with the geopolitical objectives of the People’s Republic of China (PRC).

Affected Products

Cisco routers.

Containment, Mitigations & Remediations

It is strongly recommended that the following mitigation strategies, as outlined by CISA, are employed to defend against the malicious cyber operations originating from BlackTech:

• Disable outbound connections by applying the “transport output none” configuration command to the virtual teletype (VTY) lines
• Monitor both inbound and outbound connections from network devices to both external and internal systems. If possible, block unauthorised outbound connections from network devices by applying access lists or rule sets to other nearby network devices
• Place administrative systems in separate virtual local area networks (VLANs) and block all unauthorised traffic from network devices destined for non-administrative VLANs
• Limit access to administration services and only permit IP addresses used by network administrators by applying access lists to the VTY lines or specific services
• Monitor logs for successful and unsuccessful login attempts with the “login on-failure log” and “login on-success log” configuration commands, or by reviewing centralised Authentication, Authorization, and Accounting (AAA) events.
• Upgrade devices to ones that have secure boot capabilities with better integrity and authenticity checks for bootloaders and firmware
• When there is a concern that a single password has been compromised, change all passwords and keys
• Review logs generated by network devices and monitor for unauthorised reboots, operating system version changes, changes to the configuration, or attempts to update the firmware
• Periodically perform both file and memory verification described in the Network Device Integrity (NDI) Methodology documents to detect unauthorised changes to the software stored and running on network devices
• Monitor for changes to firmware.

Indicators of Compromise

BlackTech associated file hashes (SHA-256):

• 01581f0b1818db4f2cdd9542fd8d663896dc043efb6a80a92aadfac59ddb7684
• bd02ca03355e0ee423ba0e31384d21b4afbd8973dc888480bd4376310fe6af71
• 3891fb7b3d1e5fc2d028ed3d0debe868189971b20eb8edb295e2b8d2d0c1a02a
• 15b8dddbfa37317ccdfbc340764cd0f43b1fb8915b1817b5666c4816ccb98e7c
• 865adffe43f4f8104d8a5dcdad48299fb665be8d864155b96e4d12ab969d9fc9
• d11c6048f2902c7e34350898b650f70e9118f03ae4eab6bd460db2e2841340e8
• deebd292e90529e13e7245b2f6cc7be347315d917b48dea71cf4ae0341fe8970

Threat Landscape

BlackTech is associated with a notorious history of applying highly sophisticated cyber espionage operations conducted by the PRC, including the current campaign targeting Cisco routers within the environments of organisations in regions with opposing geopolitical objectives. Due to the nature of these cyber operations involving BlackTech, it is almost certainly the case that the current campaign has been motivated by the political interests and objectives of the PRC.

Threat Group

BlackTech is a Chinese nation-state sponsored Advanced Persistent Threat (APT) group that has been active since at least 2010 and are notorious for conducting cyber espionage campaigns, primarily targeting organisations in Asia. BlackTech’s primary objective is to gain administrator privileges over vulnerable network routers and escalate their access within the target network. They achieve this by exploiting vulnerabilities in router firmware and using customised backdoors to maintain persistence. Several malware strains have been attributed to BlackTech, including TSCookie, BTSDoor, PLEAD, WaterBear, Flagpro, and SpiderStack.

Mitre Methodologies

Resource Deployment:

T1588.003 – Obtain Capabilities: Code Signing Certificates

Initial Access:

T1199 – Trusted Relationship

Persistence:

T1205 – Traffic Signaling

T1542.004 – Pre-OS Boot: ROMMONkit

Defence Evasion:

T1112 – Modify Registry

T1562 – Impair Defenses

T1562.003 – Impair Defenses: Impair Command History Logging

T1601.001 – Modify System Image: Patch System Image

Lateral Movement:

T1021.001 – Remote Services: Remote Desktop Protocol

T1021.004 – Remote Services: SSH

Command-and-Control:

T1071.002 – Application Layer Protocol: File Transfer Protocols

T1090 – Proxy

Further Information

CISA Advisory