Hackers Chinois Cisco Routers
Hackers of Chinese origin modify the firmware of Cisco routers to break into corporate networks. Discover how Freemindtronic offers you efficient and secure encryption solutions.
How Chinese hackers infiltrate corporate networks via Cisco routers
A Chinese-backed hacker group, known as BlackTech, has managed to compromise corporate networks around the world by exploiting vulnerabilities in Cisco routers. The hackers have modified the firmware of the routers to install backdoors that allow them to access sensitive data, redirect traffic to malicious servers and hide their tracks.
How does BlackTech operate?
According to a joint report by several cybersecurity and law enforcement agencies in the US and Japan, including the FBI, the NSA and the NISC, BlackTech has been active since at least 2010 and targets mainly sectors such as administration, industry, technology, media, telecommunications and defense. The group first attacks the international subsidiaries of the companies before moving up to the headquarters in the US and Japan.
To get into the networks, BlackTech uses custom malware, dual-use tools and masking tactics, such as disabling logging on the routers, to avoid being detected.
The key point of the attack is the modification of the firmware of the Cisco routers, the embedded software that controls the operation of the devices. BlackTech replaces the official firmware with a corrupted version that contains a backdoor. This backdoor allows the hackers to connect to the router at any time, change its configuration, execute commands and redirect traffic to their servers.
What are the risks and consequences of the attack of the Chinese hackers Cisco routers who use malicious firmware?
The attack by BlackTech poses a serious threat to the security of the targeted companies and organizations. Indeed, the hackers can access confidential information, such as trade secrets, personal data or strategic documents. They can also disrupt the operation of the networks, by causing outages, slowdowns or errors. Finally, they can use the compromised networks as relays to launch other attacks or to spread malware.
The report by the cybersecurity and law enforcement agencies recommends the companies to check the integrity of their Cisco routers, update their firmware, strengthen their security measures and monitor their network traffic. The report also suggests adopting a zero trust security model, which consists of trusting no element of the network and systematically verifying the identity and permissions of the users and devices.
What are the motivations and objectives of BlackTech?
BlackTech is considered as a cyberespionage group backed by China. Its motivations and objectives are therefore probably related to the political, economic and military interests of Beijing. The group seeks to collect information useful for China, to weaken its competitors and adversaries, and to strengthen its influence and power in the world.
BlackTech is not the only Chinese hacker group to target corporate networks. Other groups, such as APT10, APT41 or Winnti, have been identified by cybersecurity experts as actors of cyberespionage on behalf of China. These groups use various techniques, such as phishing, certificate theft or software vulnerabilities, to infiltrate the networks and steal data.
China denies any involvement in these cyberespionage activities and accuses the US of conducting cyberattacks against it. The tensions between the two countries are high on the diplomatic, trade and technological fronts. Cyberwar is one of the strategic challenges of the 21st century.
What are the vulnerabilities exploited by BlackTech?
The report by the cybersecurity and law enforcement agencies does not specify which are the exact vulnerabilities exploited by BlackTech to modify the firmware of the Cisco routers. However, there are several known flaws that affect the routers of the American brand and that could be used by the hackers.
For example, in 2019, Cisco published a security bulletin to warn its customers of a critical vulnerability in the Secure Boot protocol of some of its routers. This vulnerability, named Thrangrycat, allows an attacker with physical or logical access to the router to modify the firmware and install persistent malicious code.
In 2020, Cisco also revealed the existence of a vulnerability in the SNMP (Simple Network Management Protocol) network management protocol of some of its routers. This vulnerability, named CDPwn, allows an attacker located on the same local network as the router to send malformed packets and cause remote code execution.
Another recent example, chinese hackers Cisco routers exploit F5 BIG-IP vulnerability A state-backed hacking group from China, known as BlackTech (September 2023), modifies the firmware of Cisco routers (not directly affected by the vulnerability) to gain access to the networks of US and Japanese companies. The hackers exploit a critical vulnerability (CVE-2022-1388) in F5 BIG-IP devices that allows them to execute arbitrary commands and install a backdoor. Cisco has released a security alert for its customers who use F5 BIG-IP devices in their infrastructure and recommends them to follow the instructions of F5 to apply the patch or the mitigation measures (Cisco Security Advisory). F5 has released a patch for this vulnerability (K23605346) for all affected versions, except 12.1.x and 11.6.x versions, which are end of life. Users and administrators are urged to apply the patch as soon as possible to prevent malicious cyber operations.
These two examples show that Cisco routers are not immune to security flaws that can be exploited by malicious hackers. It is therefore essential for companies to stay informed of security updates and apply them quickly to protect their networks.
The global attack of the Chinese hackers Cisco routers: what is its scope and impact?
It is difficult to assess the scope and impact of this attack at the global level, as the victims are not always aware or willing to reveal that they have been compromised. Nevertheless, it is possible to rely on some clues to get an idea.
According to the report by the cybersecurity and law enforcement agencies, BlackTech has targeted companies and organizations located in several countries, including the US, Japan, Hong Kong, Taiwan, Australia, Germany, France, Italy, Spain, Switzerland, Sweden, Norway, Finland, Belgium, Austria, Czech Republic, Poland, Romania, Slovakia, Hungary, Bulgaria, Greece, Turkey, Israel, India, South Korea, Thailand, Malaysia, Indonesia, Vietnam, Philippines, Brazil, Mexico, Chile, Colombia, Argentina, South Africa, Egypt, Morocco, Algeria, Tunisia, Saudi Arabia, United Arab Emirates, Qatar, Kuwait, Iran, Iraq, Syria, Lebanon, Jordan, Palestine, Pakistan, Bangladesh, Nepal, Sri Lanka, Cambodia, Laos, Myanmar, Singapore, New Zealand, Canada and the UK.
This shows that BlackTech has a global reach and can potentially affect thousands of companies and organizations in various fields. The impact of this attack can be considerable, both economically and security-wise. The hackers can steal strategic information, disrupt essential services, compromise critical infrastructures, harm the reputation of the victims, cause financial damage, or facilitate other forms of cybercrime, such as ransomware, identity theft, fraud, espionage or sabotage.
According to a study by the consulting firm Accenture, the average cost of a cyberattack for a company is 13 million dollars, an increase of 72% since 2014. The study also estimates that cyberattacks have a negative impact on customer trust, employee retention, product and service quality, and operational performance of companies.
Moreover, according to a report by the Center for Strategic and International Studies (CSIS) and the company McAfee, the global cost of cybercrime for the world economy is 600 billion dollars per year, or 0.8% of the global gross domestic product (GDP). The report highlights that cybercrime affects not only companies, but also governments, citizens, non-governmental organizations, and international institutions.
How to protect yourself with Freemindtronic’s technologies?
Among the solutions available on the market to protect against attacks by BlackTech or other hacker groups are innovative products developed by the Andorran company Freemindtronic, which use its NFC HSM and HSM OpenPGP technologies to secure sensitive data and encryption keys. These products are:
- EviCore NFC HSM, which turns your smartphone, tablet or computer into a hardware security module (HSM) compatible with the OpenPGP standard. It allows you to store, manage and use your encryption keys and secrets with ease and confidentiality, without using a specific secure storage device.
- EviCore HSM OpenPGP, which turns your smartphone, tablet or computer into a hardware security module (HSM) compatible with the OpenPGP standard. It allows you to store, manage and use your encryption keys and secrets with ease and confidentiality, without using a specific secure storage device. EviCore HSM OpenPGP is an innovation by Freemindtronic that received the Fortress 2023 award for the best encryption solution.
- EviPass NFC HSM, which allows you to manage your passwords and identifiers in a secure and convenient way. It uses NFC technology to communicate with your smartphone, tablet or computer, and to authenticate you on websites and applications without having to enter or remember your passwords.
- EviOTP NFC HSM, which allows you to generate one-time passwords (OTP) to enhance the security of your online accounts. It uses NFC technology to communicate with your smartphone, tablet or computer, and to provide you with a 6-digit code whenever you need it.
- EviCypher NFC HSM, which allows you to encrypt and decrypt your sensitive data with a high level of security. It uses NFC technology to communicate with your smartphone, tablet or computer, and to allow you to encrypt and decrypt your files, messages, emails or notes with a simple gesture.
These technologies can have several benefits for businesses that face the attacks of BlackTech or other hacker groups, by offering enhanced protection of data and encryption keys, as well as strong and convenient authentication. They can also reduce the risks of loss, theft or corruption of data, by using resistant and reliable devices.
Update Cisco Router 2023 clic here