CONFERENCE On Demand: Cyber AI & Automation Summit - Watch Now
Connect with us

Hi, what are you looking for?


Malware & Threats

Chinese Gov Hackers Caught Hiding in Cisco Router Firmware

The NSA and FBI warn that a Chinese state-sponsored APT called BlackTech is hacking into network edge devices and using firmware implants to silently hop around the corporate networks of U.S. and Japanese companies.

Cisco zero-day CVE-2023-20109 exploited

A Chinese state-sponsored APT called BlackTech has been caught hacking into network edge devices and using firmware implants to stay hidden and silently hop around the corporate networks of U.S. and Japanese multinational companies.

According to a high-powered joint advisory from the NSA, FBI, CISA and Japan’s NISC, BlackTech has been observed modifying router firmware on Cisco routers to maintain stealthy persistence and pivot from international subsidiaries to headquarters in Japan and the United States.

“Specifically, upon gaining an initial foothold into a target network and gaining administrator access to network edge devices, BlackTech cyber actors often modify the firmware to hide their activity across the edge devices to further maintain persistence in the network,” the agencies warned. 

To extend their foothold across an organization, the BlackTech attackers target branch routers — typically smaller appliances used at remote branch offices to connect to a corporate headquarters — and abuse the trusted relationship of the branch routers within the corporate network being targeted. 

The attackers then use the compromised public-facing branch routers as part of their infrastructure for proxying traffic, blending in with corporate network traffic, and pivoting to other victims on the same corporate network.

BlackTech, active since at least 2010, is a prolific Chinese APT that targets government, industrial, technology, media, electronics, and telecommunication sectors, including entities that support the militaries of the U.S. and Japan. 

The actor has traditionally used custom malware, dual-use tools, and living off the land tactics, such as disabling logging on routers, to conceal their operations.  

According to the advisory, BlackTech hackers have compromised several Cisco routers using variations of a customized firmware backdoor that is enabled and disabled through specially crafted TCP or UDP packets. 

Advertisement. Scroll to continue reading.

In some cases, the group has been caught replacing the firmware for certain Cisco IOS-based routers with malicious firmware. 

“Although BlackTech actors already had elevated privileges on the router to replace the firmware via command-line execution, the malicious firmware is used to establish persistent backdoor access and obfuscate future malicious activity,” the agencies said.

In the observed attacks, the modified firmware used a built-in SSH backdoor that allowed BlackTech actors to maintain access to the compromised router without any connections being logged.

The attackers also bypassed the router’s built-in security features in a complex scheme involving the installation of older legitimate firmware files that are then modified in memory to bypass firmware signature checks and evade detection.

In the joint advisory, the agencies are recommending that defenders monitor both inbound and outbound connections from network devices to both external and internal systems, and check logs for successful and unsuccessful login attempts with the “login on-failure log” and “login on-success log” configuration commands.

Businesses are also being nudged to upgrade devices to ones that have secure boot capabilities and review logs generated by network devices and monitor for unauthorized reboots, operating system version changes, changes to the configuration, or attempts to update the firmware. 

UPDATE (Response from Cisco):

Cisco has released a bulletin noting that the most prevalent initial access vector in these attacks involves stolen or weak administrative credentials.  “There is no indication that any Cisco vulnerabilities were exploited. Attackers used compromised credentials to perform administrative-level configuration and software changes.”

The company said installing compromised software by first downgrading to older firmware only affects legacy devices and is not allowed in modern Cisco routers that support secure boot. 

“The stolen code-signing certificates mentioned in the report are not from Cisco. Cisco does not have any knowledge of code-signing certificates being stolen to perform any attack against Cisco infrastructure devices,” the company argued.

Hardware security experts say they aren’t surprised to see advanced attackers lurking in the shadows of firmware to enable persistence and pivot for stealthy attacks.

“The tactics used by the threat actor aren’t new,” said Alex Matrosov, CEO and head of research at Binarly, a Los Angeles company building technology to secure the firmware ecosystem. “Unfortunately, this is not a surprise, we have observed an increase in firmware attacks with BlackLotus, CosmicStrand, and MoonBounce as recent examples, but the impact of this BlackTech campaign is a clear progression of the documented attacks related to compromised firmware,” Matrosov added.

Matrosov jabbed at device vendors like Cisco that minimize the severity of patched bugs and suggest high attack barriers like needing remote code execution) or stolen credentials. “This leads to lower CVSS scores, diverting patching urgency and attention. Consequently, many systems remain at risk due to this downplaying [of vulnerability severity],” he added.

A statement from Eclypsium said the BlackTech discovery is another example that the supply chain of network infrastructure is in a state of crisis. “It’s clear that old ways of securing networks and endpoints are no longer effective. Network infrastructure has become the lowest hanging fruit for most threat actors. Both ransomware groups like LockBit 3.0 and nation-state actors use network appliances as an initial access vector or to establish persistence,” the company said.

Related: U.S. Gov Warning: Firmware Security a ‘Single Point of Failure’

Related: Prolific Chinese APT Using ‘MoonBounce’ Firmware Implant

Related: Microsoft: Firmware Attacks Outpacing Security Investments

Related: CISA Calls Urgent Attention to UEFI Attack Surfaces

Written By

Ryan Naraine is Editor-at-Large at SecurityWeek and host of the popular Security Conversations podcast series. He is a security community engagement expert who has built programs at major global brands, including Intel Corp., Bishop Fox and GReAT. Ryan is a founding-director of the Security Tinkerers non-profit, an advisor to early-stage entrepreneurs, and a regular speaker at security conferences around the world.

Click to comment

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Join us as we delve into the transformative potential of AI, predictive ChatGPT-like tools and automation to detect and defend against cyberattacks.


As cybersecurity breaches and incidents escalate, the cyber insurance ecosystem is undergoing rapid and transformational change.


Expert Insights

Related Content


The changing nature of what we still generally call ransomware will continue through 2023, driven by three primary conditions.


A recently disclosed vBulletin vulnerability, which had a zero-day status for roughly two days last week, was exploited in a hacker attack targeting the...


Websites of German airports, administration bodies and banks were hit by DDoS attacks attributed to Russian hacker group Killnet


No one combatting cybercrime knows everything, but everyone in the battle has some intelligence to contribute to the larger knowledge base.


Ask any three people to define cyberwar and you will get three different answers. But as global geopolitics worsen and aggressive cyberattacks increase, this...

Application Security

Fortinet on Monday issued an emergency patch to cover a severe vulnerability in its FortiOS SSL-VPN product, warning that hackers have already exploited the...

Application Security

Virtualization technology giant VMware on Tuesday shipped urgent updates to fix a trio of security problems in multiple software products, including a virtual machine...

Malware & Threats

Unpatched and unprotected VMware ESXi servers worldwide have been targeted in a ransomware attack exploiting a vulnerability patched in 2021.