China-Backed Hacks of Cisco Routers Worry Feds — BlackTech Revenge?

a PRC flag flies in a stiff breezeFBI, NSA, CISA join Japan’s NISC to warn of espionage group linked to Chinese Communist Party.

The People’s Republic of China is attacking Cisco routers, installing persistent malware with sneaky backdoors. They break into Cisco’s IOS and drop a hidden EEM policy to manipulate a CLI result.

Clear as mud? Read on. In today’s SB Blogwatch, we fire up the BBQ.

Your humble blogwatcher curated these bloggy bits for your entertainment. Not to mention: Raspberry Pi 5 boot speed.

TTP: IOS EEM CLI BBQ LOL

What’s the craic? Kantaro Komiya reports—“Authorities warn of China-linked hacking group”:

U.S.-China tensions
The joint advisory … urged firms to review the internet routers at their subsidiaries to minimise the risk of potential attack. … BlackTech has been engaging in cyberattacks on governments and tech-sector companies in the United States and East Asia since around 2010.

Amid heightening U.S.-China tensions over issues including Taiwan, U.S. security officials are raising the tone of their warnings against China’s cyberattack capabilities. … In May, cybersecurity authorities of Australia, Canada, New Zealand and the United Kingdom joined the U.S. agencies in issuing an advisory.

What’s their M.O.? Hacking routers, says Jonathan Greig—“US, Japan say ‘BlackTech’ Chinese gov’t hackers exploiting routers during attacks”:

Branch routers
A sophisticated hacking group tied to the government of China is exploiting routers in attacks on a variety of organizations … since 2010, according to the FBI, National Security Agency (NSA), the Cybersecurity and Infrastructure Security Agency (CISA) and Japan National Center of Incident Readiness and Strategy for Cybersecurity (NISC). … The group has been seen modifying router firmware to conceal its activity.

BlackTech … — also known by names like Palmerworm, Circuit Panda, and Radio Panda — has been seen targeting government organizations as well as companies in the industrial, technology, media, electronics, and telecommunication sectors. … The group specifically targets “branch routers” — smaller appliances used at more remote branch offices to connect to a corporate headquarters. … The agencies said they have observed multiple Cisco versions targeted.

Déjà vu? Bill Toulas, too—“Chinese hackers backdooring Cisco routers”:

Prime targets
The targeting of network devices has seen an uptick over the past year, with Chinese-aligned threat actors also targeting Fortinet, TP-Link, and SonicWall network devices. … The US, UK, and Cisco warned in April of attacks on Cisco iOS devices by the Russian APT28 … state-sponsored hacking group.

As edge network devices do not commonly support EDR (Endpoint Detection and Response) security solutions, they are prime targets for threat actors. … Network admins must install all available security patches on edge devices as soon as they become available and not publicly expose management consoles.

Why are they so confident about it being Chinese-sponsored? Nowicki outlines a few reasons:

Infosec and blue team tactics do produce confident information about these things. Be it code elements that are similar, honey pots giving up the originating country, or many other aspects. These elements are not always divulged: … You don’t tell the criminals you know what Facebook group they use to plan their crimes.

Pinging CC servers from various points around the world can give you regional information that is useful. [And] even hackers make mistakes; … the US government is pretty savvy about picking up on that.

Sauce for the gander? Clausewitz4.0 thinks so:

Likely (sort of) a payback for another op. BTW, wasn’t it NSA who was caught messing with Cisco hardware while in-mail to clients, worldwide?

Yes, says thiagoharry:

This is also something that NSA does. … Nowadays it appears that there is no escape. It appears that there is always some backdoor in network hardware planted by one of the major countries.

What can be done? Brain-Fu quips thuswise:

All our base are belong to them. It is easy for government-backed actors to install backdoors in any foreign-made hardware, and cover it all up with … gag orders.

Of course, made-in-America tech would be no better. It would just be the American government doing the spying. They have the means, motive, and opportunity, so it would be irrational for them not to.

Of course, most people don’t care. Most people freely upload all kinds of sensitive information to their favorite social networks. Why would they care about China or AMD spying on their cat photos?

Get patching, IT pukes! jtwrenn is not optimistic:

When it comes to large companies, getting them to upgrade network hardware is oddly hard. I feel like bosses just won’t spend on it and techs hate doing it so they don’t push hard.

Meanwhile, let’s get real, urges drinkypoo:

Cisco is a defense contractor. The idea that they’re not working hand in hand with the NSA to perform unconstitutional spying is an absurd fantasy. Even if they didn’t want to, they could be forced to—in the interest of national security.

And Finally:

tl;dr: Six seconds

Previously in And Finally


You have been reading SB Blogwatch by Richi Jennings. Richi curates the best bloggy bits, finest forums, and weirdest websites … so you don’t have to. Hate mail may be directed to @RiCHi, @richij or [email protected]. Ask your doctor before reading. Your mileage may vary. Past performance is no guarantee of future results. Do not stare into laser with remaining eye. E&OE. 30.

Image sauce: Alejandro Luengo (via Unsplash; leveled and cropped)

Richi Jennings

Richi Jennings is a foolish independent industry analyst, editor, and content strategist. A former developer and marketer, he’s also written or edited for Computerworld, Microsoft, Cisco, Micro Focus, HashiCorp, Ferris Research, Osterman Research, Orthogonal Thinking, Native Trust, Elgan Media, Petri, Cyren, Agari, Webroot, HP, HPE, NetApp on Forbes and CIO.com. Bizarrely, his ridiculous work has even won awards from the American Society of Business Publication Editors, ABM/Jesse H. Neal, and B2B Magazine.

richi has 672 posts and counting.See all posts by richi