Chinese State-Sponsored BlackTech Hackers Caught Hiding in Cisco Router Firmware
A Chinese state-sponsored APT tracked as BlackTech has been caught compromising network edge devices and using firmware implants to stay hidden while quietly moving through the corporate networks of U.S. and Japanese multinationals. According to a joint advisory from the NSA, FBI, CISA, and Japan's NISC, BlackTech has been observed modifying the firmware of Cisco routers to maintain stealthy persistence and to pivot from international subsidiaries into headquarters networks in Japan and the United States.

"Specifically, upon gaining an initial foothold into a target network and gaining administrator access to network edge devices, BlackTech cyber actors often modify the firmware to hide their activity across the edge devices to further maintain persistence in the network," the agencies warned.

"Although BlackTech actors already had elevated privileges on the router to replace the firmware via command-line execution, the malicious firmware is used to establish persistent backdoor access and obfuscate future malicious activity," the agencies said.
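The defensive counterpart to the technique the advisory describes is an offline firmware-integrity audit: hash the image pulled off the router on a trusted host, compare it with a known-good manifest, and scan device logs for the reload and image-copy events a firmware swap leaves behind. The script below is an added example, not code from the advisory or the agencies. The manifest digest, the sample image bytes, the `show version` excerpt and the syslog lines are all constructed for illustration; only the general shape of the `System image file is "..."` line and the `%SYS-5-RELOAD` / `%SYS-5-RESTART` message names follow Cisco IOS conventions, and the command-accounting line is a hypothetical format.

```python
"""Offline firmware-integrity audit for a network edge device.

Added example (not from the advisory). All sample data below is constructed.
Hashing happens on the analyst's host, not on the device, because a modified
firmware image can also lie about its own hash when asked on-box.
"""
import hashlib
import re
from typing import List, Optional, Tuple


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


# Constructed bytes standing in for the vendor firmware file (not a real image).
GOOD_IMAGE = b"constructed-sample-router-image\x00" * 64

# Known-good manifest: image filename -> expected SHA-256. Hypothetical here;
# in practice the digests come from the vendor's published hashes.
KNOWN_GOOD = {"router-image.bin": sha256_hex(GOOD_IMAGE)}


def check_image(filename: str, data: bytes, known_good=KNOWN_GOOD) -> dict:
    """Compare an image copied off the device with the known-good manifest."""
    expected = known_good.get(filename)
    if expected is None:
        return {"ok": False, "reason": "filename not in manifest"}
    actual = sha256_hex(data)
    if actual != expected:
        return {"ok": False, "reason": "hash mismatch",
                "expected": expected, "actual": actual}
    return {"ok": True, "reason": "match"}


# Constructed `show version` excerpt; the "System image file is" line is the
# one that tells you which image the device actually booted.
SAMPLE_SHOW_VERSION = """\
ROM: Bootstrap program is IOS-XE ROM
System image file is "flash:router-image.bin"
"""
SHOW_VERSION_RE = re.compile(r'System image file is "([^"]+)"')


def booted_image(show_version: str) -> Optional[str]:
    m = SHOW_VERSION_RE.search(show_version)
    return m.group(1) if m else None


# Constructed syslog / command-accounting excerpt (not real device logs).
SAMPLE_LOG = """\
Sep 27 02:11:40 edge-rtr1 101: %SYS-5-CONFIG_I: Configured from console by admin on vty0 (10.0.0.5)
Sep 27 02:12:30 edge-rtr1 cmd-acct: user=admin cmd="copy tftp://198.51.100.7/router-image.bin flash:router-image.bin"
Sep 27 02:13:02 edge-rtr1 102: %SYS-5-RELOAD: Reload requested by admin on vty0 (10.0.0.5). Reload Reason: Reload command.
Sep 27 02:15:47 edge-rtr1 103: %SYS-5-RESTART: System restarted --
Sep 27 02:16:01 edge-rtr1 104: %LINK-3-UPDOWN: Interface GigabitEthernet0/0, changed state to up
"""

# Events worth reviewing: an image landing in flash, followed by a reload.
EVENT_PATTERNS: List[Tuple[str, re.Pattern]] = [
    ("image copy", re.compile(r"copy\s+\S+\s+(?:flash|bootflash):", re.I)),
    ("reload", re.compile(r"%SYS-5-RELOAD")),
    ("restart", re.compile(r"%SYS-5-RESTART")),
]


def suspicious_events(log_text: str) -> List[Tuple[str, str]]:
    hits = []
    for line in log_text.splitlines():
        for label, pat in EVENT_PATTERNS:
            if pat.search(line):
                hits.append((label, line))
                break
    return hits


def audit(show_version: str, images: dict, log_text: str) -> dict:
    """images: filename -> bytes as copied off the device filesystem."""
    findings = []
    booted = booted_image(show_version)
    name = booted.split(":", 1)[1] if booted and ":" in booted else booted
    if name not in KNOWN_GOOD:
        findings.append(f"booted image {booted!r} is not in the manifest")
    for fname, data in images.items():
        result = check_image(fname, data)
        if not result["ok"]:
            findings.append(f"{fname}: {result['reason']}")
    for label, line in suspicious_events(log_text):
        findings.append(f"{label}: {line}")
    return {"booted": booted, "findings": findings}


if __name__ == "__main__":
    # Simulate an image whose tail was overwritten with an implant.
    tampered = GOOD_IMAGE[:-8] + b"implant!"
    report = audit(SAMPLE_SHOW_VERSION, {"router-image.bin": tampered}, SAMPLE_LOG)
    for finding in report["findings"]:
        print(finding)
```

The design choice that matters is where the hash is computed: copy the image off the device and hash it on a host you trust, because firmware that has been replaced to hide activity cannot be trusted to report its own integrity. The log patterns are a starting point, not a signature; an unexpected image copy followed by a reload outside a change window is the sequence to pull the image for.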