Researchers have found new developments surrounding the notorious BlackTech APT group. The APT group has been conducting cyber espionage operations targeting Japanese, Taiwanese, and Hong Kong-based organizations since 2010.
Being a Chinese state-sponsored advanced persistent threat (APT) entity, the BlackTech APT group has been providing sensitive information to the Chinese government using its cyber attacks on the US, and other nations.
Since their emergence over a decade ago, BlackTech APT hackers have left a trail of cyber-attacks across various sectors, including government, industry, technology, media, electronics, telecommunications, and defense.
The tactics of BlackTech APT group
Employing a sophisticated blend of custom-made malware, versatile tools, and strategic maneuvers, such as disabling data recording on routers, they adeptly obfuscate their activities.
Recently, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) and Japan’s National Police Agency (NPA) shared insights into the BlackTech APT group.
The report shared the group’s capability to discreetly manipulate router firmware and exploit domain-trust relationships within networks. This allowed them to pivot from international subsidiaries to central headquarters in Japan and the U.S.
Another feature of the BlackTech APT group is the ongoing evolution of tools to evade detection. They also steal code-signing certificates, providing their malware an appearance of legitimacy.
Utilizing an array of custom malware payloads and remote access tools (RATs) compatible with Windows, Linux, and FreeBSD operating systems, the group blends seamlessly with standard network activities and operating systems using living off-the-land techniques.
This successful integration evades detection by endpoint detection and response (EDR) products.
BlackTech APT group: More than just a threat actor!
The BlackTech APT group has emerged as a formidable cyber threat that extends beyond conventional boundaries.
BlackTech exhibits a distinct preference for various router brands and versions, with a notable emphasis on Cisco routers.
Within Cisco’s infrastructure, the group adeptly conceals its presence within Embedded Event Manager (EEM) policies. This integral component of Cisco IOS is responsible for automating tasks triggered by specific events.
To counter this evolving threat, CISA and NPA have outlined a series of mitigation steps. Network defenders are strongly advised to maintain vigilance for any signs of anomalous traffic patterns, unauthorized downloads of bootloaders, firmware images, and unusual reboots. These indicators may be early warnings of BlackTech’s presence within a network.
BlackTech’s cyber activities have not gone unnoticed. In 2020, Taiwan’s security authority reported cyberattacks targeting approximately 6,000 government officials’ email accounts. Both BlackTech and another hacking group, Taidoor, were identified as likely backed by the Chinese Communist Party. This revelation underscores the persistent nature of BlackTech’s operations.
Against the backdrop of escalating U.S.-China tensions, particularly regarding issues surrounding Taiwan, U.S. security officials have amplified their warnings about China’s formidable cyber capabilities. FBI Chief Chris Wray recently emphasized that China possesses a hacking program that surpasses the combined efforts of other major nations.
Media Disclaimer: This report is based on internal and external research obtained through various means. The information provided is for reference purposes only, and users bear full responsibility for their reliance on it. The Cyber Express assumes no liability for the accuracy or consequences of using this information.
