NSA releases guide to spot China-linked router hackers


A new cybersecurity advisory details the activity of BlackTech, a cyber threat actor linked to the People’s Republic of China.

BlackTech, also known as Palmerworm, Temp.Overboard, Circuit Panda, and Radio Panda, attacks domain trusts by modifying router firmware without detection. It does so by using custom malware, dual-use tools, and living off the land (LotL) tactics, such as disabling logging on routers, to conceal their operations, the advisory says.

The group, active since 2010, primarily targets organizations in Japan and the US, including military-linked entities. Other targets include government, industrial, technology, media, electronics, and telecommunications sectors.

ADVERTISEMENT

According to the advisory, BlackTech targets international subsidiaries of the US and Japanese companies and then exploits trusted network relationships to connect to other branches and corporate headquarters.

“Specifically, upon gaining an initial foothold into a target network and gaining administrator access to network edge devices, BlackTech cyber actors often modify the firmware to hide their activity across the edge devices to further maintain persistence in the network,” the advisory reads.

A joint work of the US and Japan’s law enforcement and cybersecurity agencies, the advisory lists a range of custom malware families BlackTech use to target Windows, Linus, and FreeBSD operating systems. These include:

  • BendyBear
  • Bifrose
  • BTSDoor
  • FakeDead (a.k.a. TSCookie)
  • FlagPro
  • FrontShell (FakeDead's downloader model)
  • IconDown
  • PLEAD
  • SpiderPig
  • SpriderSpring
  • SpiderStack
  • WaterBear

According to the advisory, BlackTech continuously updates these tools to evade detection by security software and use stolen code-signing certificates to sign the malicious payloads, which make them look more legitimate.

While the advisory specifically mentions compromised Cisco devices, it says that the group has also targeted various other router brands.

To mitigate risks, multinational corporations should review all subsidiary connections, verify access, and consider implementing Zero Trust models, the guide says. It says network defenders should take the following steps:

  • Disable outbound connections by applying the “transport output none” configuration command to the virtual teletype (VTY) lines, which will prevent some copy commands from connecting to external systems.
  • Connect network devices to nearby devices for exchanging routing or network topology information only or with administrative systems – which should be placed in separate virtual local area networks (VLANs) – for time synchronization, logging, authentication, and monitoring.
  • Limit access to administration services and only permit IP addresses used by network administrators by applying access lists to the VTY lines or specific services; monitor logs for successful and unsuccessful login attempts.
  • Upgrade devices to ones that have secure boot capabilities with better integrity and authenticity checks for bootloaders and firmware; highly prioritize replacing all end-of-life and unsupported equipment as soon as possible.
  • Change all passwords and keys when there is a concern that even a single password has been compromised.
  • Compare logs generated by network devices and monitor for unauthorized reboots, operating system version changes, changes to the configuration, or attempts to update the firmware; compare against expected configuration changes and patching plans.
  • Perform both file and memory verification described in the Network Device Integrity (NDI) Methodology documents periodically to detect unauthorized changes to the software stored and running on network devices.
  • Monitor for changes to firmware; periodically take snapshots of boot records and firmware and compare against known good images.
ADVERTISEMENT

The advisory was released by the National Security Agency (NSA) in cooperation with the Federal Bureau of Investigation (FBI) and the Cybersecurity and Infrastructure Security Agency (CISA), as well as Japan's National Police Agency and National Center of Incident Readiness and Strategy for Cybersecurity (NISC).