The U.S. and Japanese governments have issued a warning over an alleged Chinese-linked hacking group that is actively targeting and exploiting routers, particularly those from Cisco Systems Inc.

The joint advisory was issued today by the U.S. National Security Agency, the Federal Bureau of Investigation, the Cybersecurity and Infrastructure Security Agency, the Japan National Police Agency and the Japan National Center of Incident Readiness and Strategy for Cybersecurity. It warns of a threat actor known as BlackTech.

The advisory claims that BlackTech, also known as Palmerworm, Temp.Overboard, Circuit Panda and Radio Panda, has demonstrated capabilities in modifying router firmware without detection. It has exploited routers’ domain-trust relationships for pivoting from international subsidiaries to headquarters in Japan and the U.S. The threat group has targeted government, industrial, technology, media, electronics and telecommunication sectors, including entities that support the militaries of the U.S. and Japan.

BlackTech actors use custom malware, dual-use tools and living-off-the-land tactics, such as disabling logging on routers, to conceal their operations. The advisory provides details on BlackTech’s tactics, techniques and procedures and highlights the need for corporations to review all subsidiary connections and verify access.

Enterprises are also advised to consider implementing zero trust models to limit the extent of a potential BlackTech compromise and to implement mitigations against known attack paths to detect nefarious activity and to protect devices from the backdoors the BlackTech actors are leaving behind.

Cisco also published its own security advisory on the threat of BlackTech today, noting that the most prevalent initial access vector in these attacks involves stolen or weak administrative credentials. Cisco also said there’s no indication that any Cisco vulnerabilities were exploited.

“The fact that BlackTech is targeting branch routers demonstrates a calculated approach to exploit the trusted relationships these routers hold within corporate networks,” Callie Guenther, senior manager of cyber threat research at managed detection and response firm Critical Start Inc., told SiliconANGLE. “By compromising these smaller, potentially less-secure devices, the group can seamlessly blend in with legitimate corporate network traffic, making detection more challenging. This approach also facilitates lateral movement across the network, allowing the attackers to pivot and extend their reach to other systems, subsidiaries, and potentially the headquarters of the targeted organizations.”

Image: Ideogram