An official website of the United States government
Here's how you know
A .gov website belongs to an official government organization in the United States.
A lock (lock ) or https:// means you’ve safely connected to the .gov website. Share sensitive information only on official, secure websites.

Press Release | Sept. 27, 2023

U.S. and Japanese Agencies Issue Advisory about China Linked Actors Hiding in Router Firmware

FORT MEADE, Md. - The National Security Agency (NSA), U.S. Federal Bureau of Investigation (FBI), U.S. Cybersecurity and Infrastructure Security Agency (CISA), Japan National Police Agency (NPA), and Japan National Center of Incident Readiness and Strategy for Cybersecurity (NISC) are releasing the joint Cybersecurity Advisory (CSA) “People’s Republic of China-Linked Cyber Actors Hide in Router Firmware” about the activities of BlackTech cyber actors.
BlackTech, also known as Palmerworm, Temp. Overboard, Circuit Panda, and Radio Panda, has targeted government, industrial, technology, media, electronics, and telecommunication sectors. As a multinational threat linked to the People’s Republic of China (PRC), the actors have demonstrated capabilities in modifying router firmware without detection.
The CSA details tactics, techniques, and procedures (TTPs) used by BlackTech actors to compromise international subsidiaries, as well as recommended detection and mitigation techniques to defend against this threat. The CSA also highlights the need for multinational corporations to review all subsidiary connections, verify access, and consider implementing zero trust models to limit the extent of a potential compromise. 
“Cyber actors look for the easiest way into their targeted network, like a thief checking vehicles for unlocked doors,” said Rob Joyce, NSA Cybersecurity Director. “Raising awareness of this malicious activities helps with not only hardening our defenses, but also those of our international allies, critical infrastructure, and private sector organizations.  We need to keep these actors out of our networks.”  

As indicated in the CSA, the BlackTech actors target network routers typically used at remote branch offices to connect to corporate networks. The actors have compromised several Cisco routers using variations of TTPs to conceal configuration changes, hide commands, disable logging, and pivot between international subsidiaries’ and domestic headquarters’ networks.
Some of the TTPs mentioned in the CSA and used by this actor group include modifying router firmware to establish backdoors and persistence, pivoting using internal routers, and living off the land tactics to blend in with normal operating system and network activities to evade endpoint detection and response (EDR) products. BlackTech has also used a range of custom malware to target Windows, Linux, and FreeBSD operating systems.
"Subsidiaries of multinational corporations are attractive targets for threat actors," said Joyce. "The security of these subsidiaries' IT environments are sometimes overlooked, posing a significant risk for the critical systems of their international partners. We need to continue to be vigilant and work together across international industry and government to effectively implement best practices to secure vital IT environments."

The authoring agencies recommend implementing the mitigations in the CSA to detect malicious activities and protect devices from being compromised by BlackTech actors.
For additional information and examples of similar actors and activities, see “People’s Republic of China State-Sponsored Cyber Actors Exploit Network Providers and Devices” and “People’s Republic of China State-Sponsored Cyber Actors Living off the Land to Evade Detection.”

Read the full report here.
Visit our full library for more cybersecurity information and technical guidance.

NSA Media Relations