US: China’s BlackTech Group Hacks Cisco Firmware in Cyberattacks
2023-9-28 23:12:34 Author: securityboulevard.com

A China-linked threat group has been manipulating routers from Cisco and possibly other vendors to establish and maintain a presence in the networks of U.S. and East Asian multinational companies and quietly move from international subsidiaries into corporate headquarters.

The state-sponsored BlackTech group – also known as Palmerworm, Temp.Overboard, Circuit Panda, and Radio Panda – targets edge and branch routers, silently modifies the routers’ firmware – at times replacing the firmware with their own malicious version – and then exploits the trusted branch routers to bounce around the corporate network and expand its access, according to an alert issued this week by U.S. and Japanese government security agencies.


The group is targeting organizations in a range of sectors, including government, industrial, technology, media, electronics, telecommunication, and the defense industry, according to the alert from the U.S. Cybersecurity and Infrastructure Security Agency (CISA), National Security Agency (NSA), FBI, Japan National Police Agency, and Japan National Center of Incident Readiness and Strategy for Cybersecurity.

“Specifically, upon gaining an initial foothold into a target network and gaining administrator access to network edge devices, BlackTech cyber actors often modify the firmware to hide their activity across the edge devices to further maintain persistence in the network,” the agencies wrote. “To extend their foothold across an organization, BlackTech actors target branch routers – typically smaller appliances used at remote branch offices to connect to a corporate headquarters – and then abuse the trusted relationship of the branch routers within the corporate network being targeted.”

BlackTech gets past the routers’ built-in security features by installing older, but legitimate, firmware that is then modified in memory to enable the installation of a modified and unsigned bootloader and firmware.

The compromised public-facing branch routers essentially become part of the infrastructure, enabling the group to blend in with corporate network traffic and pivot to other victims on the same corporate network, they wrote.

Custom Malware and RATs

BlackTech, which has been around since 2010, uses a combination of custom malware, remote access trojans (RATs), dual-use tools, and living-off-the-land (LOTL) techniques to hide within the normal activities of the targeted operating systems and networks to evade detection by endpoint-detection-and-response (EDR) and other security tools.

The agencies said the hackers have a dozen custom malware families and RATs with names like BendyBear, FlagPro, IconDown, and SpiderPig that they use to target systems running Windows, Linux, and FreeBSD.

In a response to the advisory, Cisco said that the bad actors initially access the routers primarily through stolen or weak administrative credentials, noting that configuration changes like disabling logging and downloading firmware require such credentials. The vendor added that “there is no indication that any Cisco vulnerabilities were exploited. Attackers used compromised credentials to perform administrative-level configuration and software changes.”

In addition, stolen code-signing certificates noted in the agencies’ advisory are not from Cisco, the company said.

A Highly Skilled Threat Group

Callie Guenther, senior manager of cyberthreat research at Critical Start, said in a note sent to Security Boulevard that the tactics indicate BlackTech’s proficient technical skills.

“The fact that BlackTech is targeting branch routers demonstrates a calculated approach to exploit the trusted relationships these routers hold within corporate networks,” Guenther said. “The use of customized firmware backdoors, which can be enabled and disabled through specially crafted packets, further underscores the advanced nature of this campaign.”

Routers and other Internet of Things (IoT) devices tend to come with lax security, as seen by the number of home routers that still run with default factory-set credentials, said John Gallagher, vice president of Viakoo Labs.

“Whether remote offices, home offices, warehouses, or factory floors, many organizations have powerful network-connected devices that are outside the direct management of IT,” Gallagher said. “This leads to situations like described here, where IoT devices within a foreign operation were used to gain initial access.”

Move to Devices with Secure Boot

The agencies and Cisco are recommending that organizations upgrade their network devices to those with secure boot capabilities, and monitor inbound and outbound connections from network devices to external and internal systems.

For more robust detection, network defenders should monitor network devices for unauthorized downloads of bootloaders, and review logs generated by network devices and monitor for unauthorized reboots, operating system version changes, changes to the configuration, or attempts to update the firmware.
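The log review described above can be reduced to a small triage script. The following is an added example, not code from the advisory, Cisco or Security Boulevard: it parses Cisco IOS-style syslog lines, maps the mnemonics to the advisory's watch categories (reloads and restarts, configuration changes, logging being stopped, commands that stage a boot image), flags any such event that did not come from an approved administrative jump host, and compares the software version reported at each restart against the last one seen so a downgrade or swap stands out. The mnemonic-to-category mapping, the approved-host set and the log lines themselves are constructed for this example; a real deployment would feed it from the syslog collector and use its own change-management data.

```python
import re
from datetime import datetime

# Shape of a Cisco IOS syslog line as received by a collector: timestamp,
# hostname, optional sequence number, then %FACILITY-SEVERITY-MNEMONIC: text.
LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d\d:\d\d:\d\d) (?P<host>\S+) (?:\d+: )?"
    r"%(?P<mnemonic>[A-Z0-9_]+-\d-[A-Z0-9_]+): (?P<text>.*)$"
)
SRC_RE = re.compile(r"\((?P<ip>\d{1,3}(?:\.\d{1,3}){3})\)")   # operator address, e.g. "(198.51.100.7)"
VERSION_RE = re.compile(r"Version (?P<ver>\S+)")                # software version in a SYS-5-RESTART line
# Operator commands that stage a new boot image or silence logging, as recorded
# by "archive log config" (PARSER-5-CFGLOG_LOGGEDCMD). Pattern set is an assumption.
FIRMWARE_CMD_RE = re.compile(
    r"logged command:(?P<cmd>(?:copy .*flash|boot system|no logging).*)", re.I)

# Mnemonics mapped to the advisory's watch categories (mapping chosen for this example).
WATCHED = {
    "SYS-5-RELOAD": "reboot",
    "SYS-5-RESTART": "restart",
    "SYS-5-CONFIG_I": "config_change",
    "SYS-6-LOGGINGHOST_STARTSTOP": "logging_change",
    "PARSER-5-CFGLOG_LOGGEDCMD": "command",
}

# Constructed sample log: a legitimate maintenance reload on Sep 20 from the
# approved jump host, then a suspicious sequence on Sep 27 from an outside address.
SAMPLE_LOG = """\
Sep 20 01:05:11 br-rtr-01 1180: %SYS-5-CONFIG_I: Configured from console by netops on vty0 (10.20.0.9)
Sep 20 01:06:30 br-rtr-01 1181: %SYS-5-RELOAD: Reload requested by netops on vty0 (10.20.0.9). Reload Reason: Reload Command.
Sep 20 01:09:02 br-rtr-01 1182: %SYS-5-RESTART: System restarted -- Cisco IOS Software, Version 15.9(3)M6
Sep 27 02:14:05 br-rtr-01 1234: %SYS-5-CONFIG_I: Configured from console by admin on vty0 (198.51.100.7)
Sep 27 02:15:10 br-rtr-01 1235: %SYS-6-LOGGINGHOST_STARTSTOP: Logging to host 10.20.0.5 port 514 stopped - CLI initiated
Sep 27 02:16:01 br-rtr-01 1236: %PARSER-5-CFGLOG_LOGGEDCMD: User:admin logged command:copy tftp://198.51.100.7/old-image.bin flash:
Sep 27 02:16:40 br-rtr-01 1237: %SYS-5-RELOAD: Reload requested by admin on vty0 (198.51.100.7). Reload Reason: Reload Command.
Sep 27 02:19:02 br-rtr-01 1238: %SYS-5-RESTART: System restarted -- Cisco IOS Software, Version 15.1(4)M12
Sep 27 02:20:00 br-rtr-01 1239: %LINK-3-UPDOWN: Interface GigabitEthernet0/0, changed state to up
"""

APPROVED_ADMIN_IPS = {"10.20.0.9"}   # constructed: the only host allowed to administer routers


def parse_line(line, year=2023):
    """Split one syslog line into fields; syslog carries no year, so one is assumed."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
    src = SRC_RE.search(m["text"])
    return {"ts": ts, "host": m["host"], "mnemonic": m["mnemonic"],
            "text": m["text"], "src": src["ip"] if src else None}


def triage(lines, approved_admin_ips):
    """Return (alerts, last_version_by_host); each alert is (timestamp, host, reason)."""
    alerts, versions = [], {}
    for line in lines:
        ev = parse_line(line)
        if ev is None or ev["mnemonic"] not in WATCHED:
            continue
        cat, host, text = WATCHED[ev["mnemonic"]], ev["host"], ev["text"]
        if cat == "restart":
            # A restart carries no operator address; use it to track the running version.
            vm = VERSION_RE.search(text)
            if vm:
                prev = versions.get(host)
                versions[host] = vm["ver"]
                if prev and prev != vm["ver"]:
                    alerts.append((ev["ts"], host, f"os_version_change {prev} -> {vm['ver']}"))
        elif cat == "command":
            # Any command that stages an image or disables logging is reviewed regardless of source.
            cm = FIRMWARE_CMD_RE.search(text)
            if cm:
                alerts.append((ev["ts"], host, f"firmware_command: {cm['cmd']}"))
        elif ev["src"] not in approved_admin_ips:
            # Reloads, config changes and logging changes are fine only from approved hosts.
            alerts.append((ev["ts"], host, f"{cat} from {ev['src'] or 'unknown source'}"))
    return alerts, versions


if __name__ == "__main__":
    found, _ = triage(SAMPLE_LOG.splitlines(), APPROVED_ADMIN_IPS)
    for ts, host, reason in found:
        print(f"{ts:%b %d %H:%M:%S} {host}: {reason}")
```

Run against the constructed sample, the Sep 20 maintenance reload produces no alert, while the Sep 27 sequence yields five: a configuration change and a reload from an unapproved address, the logging host being stopped, a `copy ... flash:` command, and a version change from 15.9(3)M6 to 15.1(4)M12 across the restart. The version check is the piece worth keeping even if the rest is replaced by a SIEM rule: the advisory's technique relies on booting an older legitimate image, and a device that comes back on a different version than it left on is exactly the signal to chase.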

The alert about BlackTech highlights the U.S. government’s belief that China poses a significant threat to the country’s national security and economy. The U.S. Office of the Director of National Intelligence in its 2023 annual threat report called China “the broadest, most active, and persistent cyber espionage threat to the U.S. Government and private-sector networks.”

Meanwhile, China earlier this month accused the United States intelligence community of running malware and cyber-espionage campaigns against it and other countries – including Russia, Iran, and North Korea – for more than a decade.



Source: https://securityboulevard.com/2023/09/us-chinas-blacktech-group-hacks-cisco-firmware-in-cyberattacks/