Chinese Hackers Hiding in Cisco Router Firmware, Target U.S., Japanese Companies

The National Security Agency (NSA) and FBI are warning that Chinese hackers have compromised several Cisco routers to silently move around the corporate networks of U.S. and Japanese companies.

A Chinese state-sponsored advanced persistent threat (APT) called BlackTech has been observed modifying router firmware on Cisco routers to maintain stealthy persistence and pivot from international subsidiaries to corporate headquarters.

According to the advisory, the Chinese hackers have compromised several Cisco routers using variations of a customized firmware backdoor that is enabled and disabled through specially crafted TCP or UDP packets.

“BlackTech actors exploit trusted network relationships between an established victim and other entities to expand their access in target networks,” it said. “Specifically, upon gaining an initial foothold into a target network and gaining administrator access to network edge devices, BlackTech cyber actors often modify the firmware to hide their activity across the edge devices to further maintain persistence in the network. To extend their foothold across an organization, BlackTech actors target branch routers, typically smaller appliances used at remote branch offices, to connect to a corporate headquarters — and then abuse the trusted relationship of the branch routers within the corporate network being targeted. BlackTech actors then use the compromised public-facing branch routers as part of their infrastructure for proxying traffic, blending in with corporate network traffic and pivoting to other victims on the same corporate network.”

Cisco’s Response to Chinese Hackers Warning

Cisco tells us customers abnd partners need to ensure they are taking security hygiene measures which would mitigate these types of attacks. It also sent us the following statement:

“Cisco is aware of the Sept. 27 joint cybersecurity advisory (CSA) detailing activities by BlackTech cyber actors to target router firmware from multiple vendors, including Cisco. There is no indication that any Cisco vulnerabilities were exploited as outlined in Cisco’s informational security advisory. Today’s alert underscores the urgent need for companies to update, patch and securely configure their network devices — critical steps towards maintaining security hygiene and achieving overall network resilience. For customers, technical details and steps to detect and mitigate the malicious activity are outlined in the CSA.”

John Gallagher, vice president of Viakoo Labs at Viakoo, said routers and other forms of IoT devices have often been used as a means of gaining access due to them being managed outside of IT and having inherently poor security. Not surprisingly, routers have often appeared on the Cybersecurity and Infrastructure Security Agency (CISA) Known Exploited Vulnerability (KEV) catalog.

Viakoo’s John Gallagher

“Whether remote offices, home offices, warehouses or factory floors, many organizations have powerful network-connected devices that are outside the direct management of IT,” he said. “This leads to situations like described here, where IoT devices within a foreign operation [were] used to gain initial access. Almost all organizations have security policies. The question is whether they are enforced or have specific exemptions granted. Use of an agentless asset discovery solution, as well as application-based discovery can provide a starting point for securing your asset inventory, and identifying at an application level the most critical systems.”

More Widespread Security Issue

This points to a more widespread security issue with edge, IoT and OT devices, which is the lack of secure firmware distribution, Gallagher said.

“Many firmware packages are not digitally signed, and even worse often [are] downloaded through using a search engine that may provide links to compromised firmware,” he said. “Before deploying new firmware onto IoT devices, it should first go through testing in order to create a secure chain of trust in using that firmware.”

Callie Guenther, senior manager of cyber threat research at Critical Start, said BlackTech’s activities signify a sophisticated and deliberate campaign aimed at compromising the corporate networks of U.S. and Japanese companies. The Chinese hackers’ tactic of hacking into network edge devices and implanting malicious firmware illustrates a high level of technical proficiency and a focus on maintaining long-term, stealthy access within targeted networks. By modifying router firmware, particularly on Cisco routers, the group ensures persistence and the ability to maneuver undetected across corporate networks.

Critical Start’s Callie Guenther

“The fact that BlackTech is targeting branch routers demonstrates a calculated approach to exploit the trusted relationships these routers hold within corporate networks,” she said. “By compromising these smaller, potentially less-secured devices, the group can seamlessly blend in with legitimate corporate network traffic, making detection more challenging. This approach also facilitates lateral movement across the network, allowing the attackers to pivot and extend their reach to other systems, subsidiaries and potentially the headquarters of the targeted organizations.”

Persistent and Concealed Access

The use of customized firmware backdoors, which can be enabled and disabled through specially crafted packets, further underscores the advanced nature of this campaign, Guenther said. These backdoors provide the attackers with persistent and concealed access, enabling them to execute future malicious activities with reduced risk of detection.

“Given the nature of the targeted devices and the modus operandi, companies, especially those operating in critical sectors, need to exercise heightened vigilance,” she said. “Enhancing monitoring practices, regularly updating and patching systems and conducting thorough security assessments of network configurations are crucial steps in mitigating the risks posed by such sophisticated threats.”