China APT Cracks Cisco Firmware in Attacks Against the US and Japan

Published: 23/11/2024   Category: security




Sophisticated hackers are rewriting router firmware in real time and hiding their footprints, leaving defenders with hardly a fighting chance.



A long-established Chinese state-linked threat actor has been quietly manipulating Cisco routers to breach multinational organizations in the US and Japan. BlackTech (aka Palmerworm, Temp.Overboard, Circuit Panda, and Radio Panda) has been replacing device firmware with its own malicious version in order to establish persistence and pivot from smaller international subsidiaries to the headquarters of affected organizations. Those organizations have thus far spanned the government, industrial, technology, media, electronics, and telecommunication sectors, and include entities that support the militaries of the U.S. and Japan, according to a new joint cybersecurity advisory from the National Security Agency (NSA), FBI, and Cybersecurity and Infrastructure Security Agency (CISA), as well as Japanese national police and cybersecurity authorities.
The advisory does not detail any specific CVE affecting Cisco routers. Instead, it notes that this TTP is not limited to Cisco routers; similar techniques could be used to enable backdoors in other network equipment.
Cisco has not yet responded to Dark Reading's request for comment.
According to Tom Pace, former Department of Energy head of cyber and now CEO of NetRise, it speaks to a more endemic problem in edge security. "If we get our hands on a firmware image from Cisco, Juniper, Huawei, Arista — it doesn't matter who it is," he says. "The same problems persist across all device manufacturers and all verticals."
Cisco routers have been subject to compromise and IP theft ever since the company first helped China build its national Internet censorship apparatus — the so-called Great Firewall — at the turn of the century. BlackTech, around since 2010, has taken the tradition a step further.
The group possesses 12 different custom malware families for penetrating and staking a foothold inside of Windows, Linux, and FreeBSD operating systems. They are lent an air of legitimacy by code-signing certificates and are constantly updated in order to evade antivirus detection.
Once firmly planted in target networks, BlackTech uses living-off-the-land (LotL)-style tools to evade endpoint detection, including NetCat shells, the Secure Shell Protocol (SSH), and the Remote Desktop Protocol (RDP).
BlackTech's ultimate goal is to escalate within the target network until it obtains administrator privileges over vulnerable network routers. This is where it distinguishes itself from other threat actors.
Specifically, BlackTech aims for routers at smaller, remote branches of larger organizations, where security may be a bit more lax, and uses their connection to the organization's primary IT network to blend in with wider network traffic and potentially pivot to other victims within the organization.
To cement control over the routers and conceal its many malicious activities, the group performs a downgrade attack.
First, it installs an old version of the router's firmware. "Cisco allows anyone with certain privileges on the device to downgrade the OS image and firmware," Alex Matrosov, CEO and head of research at Binarly, explained in a statement provided to Dark Reading.
"To gain persistence in this case, an attacker needs an authentication bypass vulnerability to modify the firmware image to deliver malicious code on the device," he added. The joint advisory did not allude to any specific vulnerability, though Matrosov pointed to CVE-2023-20082, a Medium-severity bug in Cisco Catalyst switches with a CVSS score of 6.8, as a comparable example.
BlackTech then hot-patches the old firmware in memory, modifying it without the need for a shutdown or reboot and enabling the installation of a bootloader and its own malicious firmware with a built-in SSH backdoor.
Pace offers an analogy for those not yet sufficiently impressed: "Imagine if you're on a computer, and a threat actor replaces your entire Windows operating system, and no one knows the difference. Well, that'd be wild, wouldn't it?"
The advisory offers certain steps companies can take to mitigate BlackTech's TTPs, such as monitoring inbound and outbound connections with network devices, reviewing logs and any changes to firmware, and diligent password hygiene. But to Pace, these are just Band-Aids for a deeper issue in edge security.
"If you look at laptops, desktops, servers: We have a litany of visibility solutions — technologies that can answer questions about what's going on on those devices in a very clear way. But we don't view these edge devices in the same way, because there aren't users on them. And so we don't provide the same level of monitoring across these devices," he explains.
Unless device manufacturers significantly upgrade their security, or customers significantly invest in this traditionally overlooked area, he thinks, this kind of story will repeat itself.
"This is a decade-long problem. Bare minimum. If not, probably 15, 20 years," he predicts.
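As an added illustration of the advisory's "review logs and firmware changes" guidance (example code written for this page, not from the advisory, Dark Reading, or Cisco), the script below does two of the checks a defender would automate against the downgrade-then-hot-patch sequence described above: it compares the image a device reports against a recorded baseline (file name, version, SHA-256), flagging downgrades and hash mismatches, and it scans syslog for boot-image changes, reloads, and configuration changes driven from outside a management subnet. The baseline hash, the image bytes, the management subnet, and the log lines are constructed for the example; the syslog mnemonics follow the IOS `%FACILITY-SEVERITY-MNEMONIC` style but should be treated as assumptions to adapt to your platform.

```python
import hashlib
import ipaddress
import re
from typing import Dict, List, Tuple

# --- Constructed baseline: hypothetical image name, version, and bytes ---
# In practice the expected hash comes from the vendor's published value for
# the exact image you deployed, recorded at deployment time.
GOOD_IMAGE_BYTES = b"constructed-known-good-image-bytes"
BASELINE = {
    "image": "router-image-17.9.4.bin",     # hypothetical file name
    "version": "17.9.4",
    "sha256": hashlib.sha256(GOOD_IMAGE_BYTES).hexdigest(),
}
MGMT_NET = ipaddress.ip_network("10.10.0.0/24")  # constructed management subnet


def parse_version(text: str) -> Tuple[int, ...]:
    """Turn '17.9.4' into (17, 9, 4) so versions compare numerically."""
    return tuple(int(p) for p in re.findall(r"\d+", text))


def check_image(name: str, version: str, image_bytes: bytes,
                baseline: Dict[str, str] = BASELINE) -> List[str]:
    """Compare what the device reports/boots against the recorded baseline."""
    findings = []
    if name != baseline["image"]:
        findings.append(f"image file differs from baseline: {name}")
    if parse_version(version) < parse_version(baseline["version"]):
        findings.append(f"firmware downgrade: {version} < {baseline['version']}")
    if hashlib.sha256(image_bytes).hexdigest() != baseline["sha256"]:
        findings.append("image hash does not match baseline (modified or replaced)")
    return findings


# Syslog indicators, first match wins. Mnemonics are assumptions (IOS style).
SYSLOG_RULES = [
    (re.compile(r"logged command:boot system", re.I), "boot image changed"),
    (re.compile(r"%SYS-5-RELOAD"), "reload requested"),
    (re.compile(r"%SYS-5-CONFIG_I"), "configuration changed"),
]
# Source address that IOS appends in parentheses to vty-originated actions.
IP_RE = re.compile(r"\((\d{1,3}(?:\.\d{1,3}){3})\)")


def scan_syslog(lines: List[str],
                mgmt_net: ipaddress.IPv4Network = MGMT_NET) -> List[str]:
    """Flag firmware/config/reload events and any driven from outside mgmt_net."""
    findings = []
    for line in lines:
        for pattern, label in SYSLOG_RULES:
            if pattern.search(line):
                findings.append(f"{label}: {line.strip()}")
                break
        m = IP_RE.search(line)
        if m and ipaddress.ip_address(m.group(1)) not in mgmt_net:
            findings.append(f"management action from outside {mgmt_net}: {m.group(1)}")
    return findings


# Constructed sample log lines (hostnames, addresses, and sequence are made up).
SAMPLE_SYSLOG = [
    "Sep 27 02:13:44 edge-rtr-br7 12: %SYS-5-CONFIG_I: Configured from console by admin on vty1 (10.10.0.5)",
    "Sep 27 02:14:01 edge-rtr-br7 13: %PARSER-5-CFGLOG_LOGGEDCMD: User:admin  logged command:boot system flash:router-image-15.2.bin",
    "Sep 27 02:15:09 edge-rtr-br7 14: %SYS-5-CONFIG_I: Configured from console by admin on vty2 (198.51.100.23)",
    "Sep 27 02:16:30 edge-rtr-br7 15: %SYS-5-RELOAD: Reload requested by admin on vty2 (198.51.100.23). Reload Reason: Reload Command.",
    "Sep 27 03:00:00 edge-rtr-br7 16: %LINK-3-UPDOWN: Interface GigabitEthernet0/1, changed state to up",
]

if __name__ == "__main__":
    # A device booting an older, altered image trips all three image checks.
    for f in check_image("router-image-15.2.bin", "15.2", b"tampered"):
        print("IMAGE:", f)
    for f in scan_syslog(SAMPLE_SYSLOG):
        print("LOG:  ", f)
```

The image check is only as good as the baseline: record the hash of the image you actually installed, at install time, and keep that record off the device, since an attacker who has rewritten the firmware can also rewrite anything stored on it. The syslog check assumes logs are shipped to a remote collector for the same reason.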
