Executive Summary

On 27 September 2023, U.S. and Japanese government agencies (NSA, FBI, CISA, Japan's NISC and NPA) released a joint cybersecurity advisory warning organizations of threat activity involving the compromise of router firmware. The advisory attributes the activity to a nation-state-sponsored threat actor tracked as BlackTech, linked to the People's Republic of China, which has demonstrated the ability to modify router firmware and to "leverage domain-trust relationships" in order to pivot from the networks of international subsidiaries into the headquarters networks of companies based in Japan and the United States.

BlackTech is assessed as a highly sophisticated threat actor that uses custom malware and adopts living off the land tactics to conceal its actions. Although firmware tampering is less common than other forms of cyberattack, BlackTech's activity poses a significant threat to network edge security: the target is the router itself, a network-layer device in Open Systems Interconnection (OSI) terms, and the implant sits in its firmware and bootloader, beneath anything that host-based or application-layer monitoring can observe. BlackTech's custom malware has been used against multiple operating systems, and its ability to compromise router firmware has been used against multiple Cisco network devices.

Attack Pattern

According to the government advisory, the attackers access the command line interface (CLI) of Cisco routers over the Secure Shell (SSH) protocol, typically after obtaining administrator credentials and taking advantage of permissive management-access policies. Once inside, the BlackTech actors abuse the trust relationships between a subsidiary's routers and the parent organization's network to extend their administrative access toward headquarters. Analysis reveals that the attackers favor branch routers, the smaller devices used to connect remote offices to an organization's headquarters. Traffic from a compromised branch router blends in with legitimate corporate traffic, and every network that trusts that router becomes a further target.

BlackTech employs a combination of legitimate old firmware, altered firmware, and modified bootloaders, which are transferred to the router over File Transfer Protocol (FTP) or SSH. The older legitimate image is installed first, the running firmware is then altered, and the modified bootloader ensures that the altered image is loaded on every subsequent boot. Because the tampering lives in the router's firmware rather than on a host, endpoint detection tools never see it. This presents a significant challenge for network defenders, since routers run unattended and updating their firmware is a time-consuming and often manual process.

Living off the Land and Custom Malware

The use of SSH and FTP, both ordinary network administration protocols, as an integral part of the attack pattern is indicative of living off the land techniques, which are highly effective at evading detection and maintaining persistent access. BlackTech is the latest advanced persistent threat (APT) to adopt these techniques, following the state-sponsored Volt Typhoon and the criminal ransomware group BianLian. To facilitate this activity, BlackTech employs a suite of malware families, including custom malware binaries capable of disabling router functionality and applying "hot patches" to compromised routers, which modify the running firmware in memory without requiring a device reboot. The advisory also notes that the modified firmware carries a built-in SSH backdoor that the actors switch on and off with specially crafted packets, so it does not appear as a configured service until it is in use. The Cybersecurity and Infrastructure Security Agency (CISA) noted in the advisory that "Blacktech actors have compromised several Cisco routers" using this modified-firmware backdoor.

Cisco Routers and Space Applications

Because a router runs no host-based agent and the actors can switch off its logging, CISA recommends that network defenders look outward: examine network traffic and the logs of neighboring devices and collectors for bootloader and firmware image downloads, unexplained reboots, and configuration changes, verify running images against vendor-published hashes, and restrict outbound connections from the router's management lines. The growing need for network task automation makes such attacks a substantial concern for the space industry. Cisco is one of the most widely used vendors of network equipment, and as such is treated as a trusted supplier in IT acquisition across the DoD. Routers are a key component of satellite architecture baselines, used in network operations centers, data management facilities, and at the user level, where customers route satellite internet traffic to other network devices. Cisco embedded series routers cater to the defense and aerospace sectors by offering a "highly programmable" baseline suitable for advanced satellite networks.
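As an added example (not code from the advisory or from Space ISAC), the following Python script applies that detection guidance, together with the attack pattern described above, to a router syslog feed collected off the device. It parses Cisco IOS-style messages, flags management logins and reloads from outside an assumed management subnet, flags firmware images pulled over FTP or similar protocols, correlates "logging stopped" with a subsequent image pull or reload on the same router, and compares a reported image hash against an allow-list. The sample log lines, hostnames, addresses, management subnet and known-good hash are all constructed for the demonstration, and the `AAA: ... cmd=copy` record is an assumed command-accounting format, since how copy commands reach a collector depends on the AAA setup.

```python
"""Flag the BlackTech-style router tampering sequence in a Cisco IOS syslog feed.

Added example, not code from the advisory or from Space ISAC. It looks for the
chain the advisory describes (management login, logging switched off, a firmware
image pulled over FTP/TFTP, then a reload) and checks a reported image hash
against a known-good list. All sample data below is constructed for the demo.
"""
import ipaddress
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Assumed management subnet; logins or image pulls from anywhere else are suspect.
MGMT_NETS = [ipaddress.ip_network("10.10.0.0/24")]

# Approved image names and MD5s (constructed; populate from vendor-published hashes).
KNOWN_GOOD_MD5 = {
    "c2900-universalk9-mz.SPA.157-3.M8.bin": "5d41402abc4b2a76b9719d911017c592",
}

# Constructed syslog lines patterned on Cisco IOS message formats. The
# "AAA: ... cmd=copy" record is an assumed command-accounting format.
SAMPLE_LOG = """\
<189>Sep 27 01:12:03 branch-rtr-01: %SSH-5-SSH2_SESSION: SSH2 Session request from 203.0.113.45 (tty = 0) using crypto cipher 'aes256-ctr', hmac 'hmac-sha2-256' Succeeded
<189>Sep 27 01:12:09 branch-rtr-01: %SYS-5-CONFIG_I: Configured from console by netadmin on vty0 (203.0.113.45)
<190>Sep 27 01:12:10 branch-rtr-01: %SYS-6-LOGGINGHOST_STARTSTOP: Logging to host 10.10.0.20 port 514 stopped - CLI initiated
<189>Sep 27 01:13:41 branch-rtr-01: AAA: user=netadmin cmd=copy ftp://203.0.113.45/c2900-universalk9-mz.SPA.151-4.M4.bin flash:
<189>Sep 27 01:15:02 branch-rtr-01: %SYS-5-RELOAD: Reload requested by netadmin on vty0 (203.0.113.45). Reload Reason: Reload Command.
<189>Sep 27 02:00:15 hq-core-01: %SSH-5-SSH2_SESSION: SSH2 Session request from 10.10.0.5 (tty = 0) using crypto cipher 'aes256-ctr', hmac 'hmac-sha2-256' Succeeded
<189>Sep 27 02:00:40 hq-core-01: %SYS-5-CONFIG_I: Configured from console by netadmin on vty0 (10.10.0.5)
"""

LINE_RE = re.compile(r"^(?:<\d+>)?(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) (?P<host>\S+): (?P<msg>.*)$")

# One regex per indicator; named groups become fields on the parsed event.
PATTERNS = {
    "ssh_login":   re.compile(r"SSH2 Session request from (?P<ip>[\d.]+) .*Succeeded"),
    "config":      re.compile(r"%SYS-5-CONFIG_I: Configured from \S+ by (?P<user>\S+) on \S+ \((?P<ip>[\d.]+)\)"),
    "logging_off": re.compile(r"%SYS-6-LOGGINGHOST_STARTSTOP: Logging to host \S+ port \d+ stopped"),
    "image_copy":  re.compile(r"cmd=copy (?P<scheme>ftp|tftp|scp|https?)://(?P<ip>[\d.]+)/(?P<file>\S+)"),
    "reload":      re.compile(r"%SYS-5-RELOAD: Reload requested by (?P<user>\S+) on \S+ \((?P<ip>[\d.]+)\)"),
}


def parse_line(line):
    """Return an event dict for a recognised message, else None."""
    m = LINE_RE.match(line)
    if not m:
        return None
    # Syslog timestamps carry no year; the collector's year is assumed here.
    ts = datetime.strptime(m["ts"], "%b %d %H:%M:%S").replace(year=2023)
    for kind, pat in PATTERNS.items():
        hit = pat.search(m["msg"])
        if hit:
            return {"ts": ts, "host": m["host"], "kind": kind, **hit.groupdict()}
    return None


def untrusted(ip):
    """True when an address is outside the assumed management subnet(s)."""
    return not any(ipaddress.ip_address(ip) in net for net in MGMT_NETS)


def verify_image(filename, reported_md5):
    """Compare the hash a router reports (e.g. from 'verify /md5') with the allow-list."""
    return KNOWN_GOOD_MD5.get(filename, "").lower() == reported_md5.lower()


def analyze(log_text, window=timedelta(minutes=30)):
    """Return (host, description) findings for the tampering indicators in log_text."""
    events = [e for e in map(parse_line, log_text.splitlines()) if e]
    findings, by_host = [], defaultdict(list)
    for e in events:
        by_host[e["host"]].append(e)
        if e["kind"] in ("ssh_login", "config", "reload") and untrusted(e["ip"]):
            findings.append((e["host"], f"{e['kind']} from non-management address {e['ip']}"))
        elif e["kind"] == "image_copy":
            status = "approved" if e["file"] in KNOWN_GOOD_MD5 else "NOT on the approved-image list"
            findings.append((e["host"], f"image {e['file']} ({status}) pulled over {e['scheme']} from {e['ip']}"))
    # Correlate: logging disabled shortly before an image pull or reload on the same device.
    for host, evs in by_host.items():
        for i, off in enumerate(evs):
            if off["kind"] != "logging_off":
                continue
            for later in evs[i + 1:]:
                if later["ts"] - off["ts"] > window:
                    break
                if later["kind"] in ("image_copy", "reload"):
                    findings.append((host, f"logging disabled at {off['ts']:%H:%M:%S} before {later['kind']}"))
                    break
    return findings


if __name__ == "__main__":
    for host, what in analyze(SAMPLE_LOG):
        print(f"{host}: {what}")
```

Run against the constructed feed, the script reports five findings, all for branch-rtr-01 (login, configuration and reload from a non-management address, an older image that is not on the approved list pulled over FTP from that same address, and logging stopped minutes before the pull), while the routine headquarters login produces none. The correlation step matters because the actors disable logging before the tampering: the gap in the feed, not the tampering itself, is often the only on-device trace that reaches the collector.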

The recent BlackTech campaign, built on the modification of router firmware, poses a significant threat to network security, particularly in the defense and aerospace sectors. The targeting of equipment from trusted vendors such as Cisco underscores the urgent need for vigilant network defense strategies and robust detection and mitigation measures.

Read more from Space ISAC.