Older Cisco routers are an attractive target for Chinese state-backed hackers, according to a new joint cybersecurity advisory from CISA, the NSA, the FBI and Japan's NISC and National Police Agency. One of the country's advanced persistent threat groups is using edge routers at less well-defended international branches as a reliable way into corporate networks. They do not appear to be exploiting a particular software vulnerability; rather, they target older models on which an attacker holding administrator credentials can replace the firmware with a modified image containing a backdoor, giving long-term, stealthy access for exfiltration of information.
Chinese APT group targets legacy routers that lack security features
The report does not name particular Cisco router models, because the hackers are not targeting a specific, patchable flaw. Instead, they first obtain administrator credentials by the usual means, such as phishing or credential theft. They then home in on older, legacy router types that lack the secure-boot and image-signing protections of newer models, which are what prevent a modified firmware image from being loaded at boot.
The key first step is to downgrade the router to an older version of the firmware, something these older routers allow for an account with sufficient administrative privilege. The hackers then install their custom firmware, which contains an SSH backdoor that can be switched on and off with specially crafted packets and is otherwise designed to hide itself from routine inspection, making it highly resistant to scrutiny.
The Chinese hackers are ultimately after US and Japanese corporations, particularly those involved with military technology, but will target edge routers in other countries (primarily at international subsidiaries) as a means of getting in. Once they control a branch router that the headquarters network trusts, they pivot across that trust relationship into the corporate network.
As this is not technically a device or software vulnerability, there is no patch for the issue. CISA instead provides a variety of mitigation advice for potentially affected routers: restrict management access with access lists that permit only the IP addresses used by network admins, keep administrative systems on an isolated VLAN, disable unneeded outbound connections from the router, and monitor for unexpected reboots and for unauthorized downloads of bootloader or firmware images. Because the implant lives in the firmware, operators should also compare the running image version and file hash on each router against a known-good inventory baseline, since a sudden version rollback is the first visible sign of this attack. Ultimately, the simplest fix is to update hardware (wherever possible) to a newer model with secure boot and a hardware trust anchor, which refuses to load modified or downgraded firmware in the first place.
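The downgrade step described above and the baseline check recommended among the mitigations can be turned into a routine audit. The following script is an added example, not code from the advisory or from Cisco: it assumes you have already collected `show version` and `verify /md5` output from each router over a trusted management path and keep a per-device baseline of the expected IOS version, image path and image MD5 (the hash Cisco publishes for that image). The two routers' outputs embedded below are constructed samples, including the hash values.

```python
"""Audit a Cisco IOS router's running firmware against an inventory baseline.

Added example (not from the advisory or Cisco). Assumes `show version` and
`verify /md5 <image>` output has already been captured from the device; the
sample outputs and hashes below are constructed for illustration.
"""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Baseline:
    """Expected state of one router, recorded when it was last known good."""
    version: str  # e.g. "15.7(3)M8"
    image: str    # e.g. "flash0:c2900-universalk9-mz.SPA.157-3.M8.bin"
    md5: str      # MD5 published by Cisco for that image (constructed here)


# IOS version strings look like 15.1(4)M4 : major.minor(rebuild)TRAINsub
VERSION_RE = re.compile(r"^(\d+)\.(\d+)\((\d+)\)([A-Za-z]*)(\d*)")


def parse_ios_version(s):
    """'15.1(4)M4' -> (15, 1, 4, 'M', 4) so versions within a train compare as tuples.

    Comparing across trains (M vs T vs SE) is only approximate; keep baselines
    per train if your fleet mixes them.
    """
    m = VERSION_RE.match(s)
    if not m:
        raise ValueError(f"unrecognised IOS version string: {s!r}")
    major, minor, rebuild, train, sub = m.groups()
    return (int(major), int(minor), int(rebuild), train, int(sub) if sub else 0)


def parse_show_version(text):
    """Pull the running IOS version and boot image path out of `show version`."""
    version = re.search(r"Version ([^,\s]+),", text)
    image = re.search(r'System image file is "([^"]+)"', text)
    if not (version and image):
        raise ValueError("show version output missing version or image line")
    return {"version": version.group(1), "image": image.group(1)}


def parse_verify_md5(text):
    """Return (file, md5) from the result line of `verify /md5 <file>`."""
    m = re.search(r"verify /md5 \(([^)]+)\) = ([0-9a-fA-F]{32})", text)
    if not m:
        raise ValueError("no MD5 result line in verify output")
    return m.group(1), m.group(2).lower()


def audit(show_version_out, verify_out, baseline):
    """Return a list of (code, detail) findings; an empty list means no deviation."""
    findings = []
    sv = parse_show_version(show_version_out)
    running, expected = parse_ios_version(sv["version"]), parse_ios_version(baseline.version)
    if running < expected:
        # A rollback to an older image is the first step of the technique described above.
        findings.append(("firmware-downgrade", f"running {sv['version']}, baseline {baseline.version}"))
    elif running != expected:
        findings.append(("firmware-changed", f"running {sv['version']}, baseline {baseline.version}"))
    if sv["image"] != baseline.image:
        findings.append(("image-path-changed", f"booted {sv['image']}, baseline {baseline.image}"))
    verified_file, md5 = parse_verify_md5(verify_out)
    if verified_file != sv["image"]:
        findings.append(("verify-wrong-file", f"hashed {verified_file}, but booted {sv['image']}"))
    if md5 != baseline.md5.lower():
        findings.append(("image-md5-mismatch", f"got {md5}, baseline {baseline.md5}"))
    return findings


# Constructed baseline and sample device output (not real hashes).
BASELINE = Baseline("15.7(3)M8", "flash0:c2900-universalk9-mz.SPA.157-3.M8.bin",
                    "a1b2c3d4e5f60718293a4b5c6d7e8f90")

SUSPECT_SHOW_VERSION = """\
Cisco IOS Software, C2900 Software (C2900-UNIVERSALK9-M), Version 15.1(4)M4, RELEASE SOFTWARE (fc1)
ROM: System Bootstrap, Version 15.0(1r)M15, RELEASE SOFTWARE (fc1)

branch-rtr1 uptime is 2 hours, 14 minutes
System image file is "flash0:c2900-universalk9-mz.SPA.151-4.M4.bin"
"""
SUSPECT_VERIFY = """\
Verifying file integrity of flash0:c2900-universalk9-mz.SPA.151-4.M4.bin...Done!
verify /md5 (flash0:c2900-universalk9-mz.SPA.151-4.M4.bin) = 3f8e2a9c1d0b4e6f7a5c8d9e0f1a2b3c
"""
CLEAN_SHOW_VERSION = """\
Cisco IOS Software, C2900 Software (C2900-UNIVERSALK9-M), Version 15.7(3)M8, RELEASE SOFTWARE (fc2)
ROM: System Bootstrap, Version 15.0(1r)M15, RELEASE SOFTWARE (fc1)

hq-rtr1 uptime is 41 weeks, 2 days
System image file is "flash0:c2900-universalk9-mz.SPA.157-3.M8.bin"
"""
CLEAN_VERIFY = """\
Verifying file integrity of flash0:c2900-universalk9-mz.SPA.157-3.M8.bin...Done!
verify /md5 (flash0:c2900-universalk9-mz.SPA.157-3.M8.bin) = a1b2c3d4e5f60718293a4b5c6d7e8f90
"""

if __name__ == "__main__":
    for name, sv, vf in (("branch-rtr1", SUSPECT_SHOW_VERSION, SUSPECT_VERIFY),
                         ("hq-rtr1", CLEAN_SHOW_VERSION, CLEAN_VERIFY)):
        result = audit(sv, vf, BASELINE)
        print(name, "OK" if not result else result)
```

Two caveats on using this in practice. The hash comes from the router itself, so a firmware image that has already been backdoored could report whatever it likes; treat an on-box match as necessary but not sufficient, and periodically copy the image off the device over a trusted path and hash it offline. And the baseline must be recorded from a known-good state, not from whatever the device happens to be running when monitoring starts, or a router compromised before the audit begins will pass every check.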
Chinese hackers are a decade-old APT group specializing in stealing tech
The report refers to the Chinese hackers as “BlackTech,” a known APT group that has been active since at least 2010. As with many of China’s APT teams, the group focuses on particular regions (the US and East Asia) and has a particular purpose (stealing technology, mostly from private industry associated with militaries).
The custom firmware attacks are far from the group's only approach; the Chinese hackers also target Windows, Linux and FreeBSD systems with a range of custom malware that is difficult to detect. The group was notorious for compromising targets in Taiwan into the mid-2010s before seemingly switching focus to breaching US and Japanese companies in more recent years.
The report notes that while the group has focused on older Cisco routers of late, the same firmware-replacement technique could in principle be adapted to other vendors' routers and other network edge devices that lack boot-time image verification.