Cyberwarfare / Nation-State Attacks , Fraud Management & Cybercrime , Network Firewalls, Network Access Control
Chinese Hackers Target Routers in IP Theft Campaign
BlackTech Exploits Trusted Relationship Between Outpost and Parent FirmA Chinese hacking group linked to state authorities in Beijing has upgraded its espionage capabilities to target companies with headquarters in the United States and East Asia, warned an alert from Japanese and American cyber agencies.
See Also: Corelight's Brian Dye on NDR's Role in Defeating Ransomware
The latest campaign from BlackTech has targeted networks of regional subsidiaries across government, industrial, technology and defense industrial base sectors. BlackTech, active since 2010, is also tracked as Circuit Panda, Palmerworm and Temp.Overboard. The group has stolen intellectual property from Taiwanese technology firms and occasionally has targeted companies in Japan and Hong Kong.
In its latest campaign, the group is looking for network devices, including routers, located at branch offices to compromise as a gateway into the larger corporate network, said Eric Goldstein, executive assistant director for cybersecurity.
BlackTech has a customized firmware backdoor tailored for Cisco routers that allows its hackers to maintain backdoor access without their connections showing up in logs. To install the custom malware, hacker use their already elevated privileges on the router to install an older, legitimate firmware version. They modify it in memory to install an unsigned bootloader and their malicious firmware.
The group deploys a range of custom malware payloads and remote access tools to target victim operating systems. Among the tools are BendyBear, FakeDead - also known as TSCookie, and Flagpro. BlackTech also uses Windows utilities for its own ends - a technique known as "living off the land."