Joint Cybersecurity Advisory – People’s Republic of China-Linked Cyber Actors Hide in Router Firmware

Author: Alec Davison

Created: Thursday, September 28, 2023 - 19:24

Categories: Cybersecurity

WaterISAC regularly provides awareness of recent CISA reporting. While the direct relevance of each report's details to your utility or organization may vary, activity alerts like this are practical for general awareness and greater understanding of active threats and adversary capabilities.

Yesterday, the NSA, the FBI, and CISA, along with other international partners, released a joint Cybersecurity Advisory (CSA), “People’s Republic of China-Linked Cyber Actors Hide in Router Firmware.” The CSA details activity by threat actors, known as BlackTech, linked to the People’s Republic of China (PRC). The advisory provides BlackTech tactics, techniques, and procedures (TTPs) and recommended mitigations to help network defenders defend against this threat activity.

BlackTech has demonstrated capabilities in modifying router firmware without detection and exploiting routers’ domain-trust relationships to pivot from international subsidiaries to headquarters in Japan and the U.S., which are the primary targets. To do this, BlackTech actors use custom malware, dual-use tools, and living-off-the-land tactics, such as disabling logging on routers, to conceal their operations. BlackTech also employs custom malware payloads and remote access tools (RATs) to target victims’ operating systems. The authoring agencies recommend implementing the mitigations listed in the advisory to help detect this activity and protect devices from the backdoors the BlackTech actors are leaving behind. For additional guidance, visit CISA’s China Cyber Threat Overview and Advisories page.

To report suspicious or anomalous activity related to information found in the advisory, contact your local FBI field office or the FBI’s 24/7 Cyber Watch (CyWatch) at (855) 292-3937 or by e-mail at Cy*****@*bi.gov. If you have any further questions, or to request incident response resources or technical assistance related to these threats, contact CISA at CI*************@******hs.gov. Access the full advisory at CISA.
