The Cybersecurity and Infrastructure Security Agency (CISA), National Security Agency (NSA), Federal Bureau of Investigation (FBI), Japan National Police Agency (NPA) and Japan National Center of Incident Readiness and Strategy for Cybersecurity (NISC) recently published a Joint Cybersecurity Advisory (CSA) about malicious activity by People’s Republic of China (PRC)-linked cyber actors known as BlackTech. These actors have demonstrated the capability to modify router firmware without detection and to exploit routers’ domain-trust relationships. The authoring agencies have observed PRC-linked cyber actors using this router compromise to pivot from global subsidiary companies into corporate headquarters networks in the U.S. and Japan.

The advisory details the activity of these cyber actors, describes BlackTech tactics, techniques and procedures (TTPs), and urges multinational corporations to review all subsidiary connections, verify access, and consider implementing zero trust models to limit the extent of a potential BlackTech compromise.

BlackTech actors have targeted the government, industrial, technology, media, electronics, telecommunications and defense industrial base sectors. They target Windows, Linux and FreeBSD operating systems using remote access tools (RATs) and several custom malware payloads, such as BendyBear, FakeDead and FlagPro. They also rely on living-off-the-land techniques, using the victim's own legitimate tools so that their activity blends in with normal operations and evades detection.