May 2, 2025
Intelligence agencies worried: Chinese hackers infiltrated critical US infrastructure

  • October 2, 2023

Several intelligence and law-enforcement agencies, including the NSA and FBI together with their Japanese counterparts, have jointly released a detailed advisory describing the scope and severity of this threat. The advisory lists a number of custom malware families the group has built to attack Windows, Linux and FreeBSD systems, among them BendyBear, Bifrose, SpiderPig and WaterBear.

The group behind these attacks, known as BlackTech and also tracked under the aliases Palmerworm, Temp.Overboard, Circuit Panda and Radio Panda, has been active since 2010.

How do hackers work?

  • BlackTech’s modus operandi is to break into a company’s smaller subsidiaries and branch offices rather than attacking the headquarters directly.
  • These sites are chosen because their security controls are usually weaker than those of the parent organization.
  • Once inside a branch network, the attackers use its trusted connections to the parent organization to pivot into the headquarters’ network.

Its targets include the public sector, state-owned companies and companies operating in sectors such as information technology, telecommunications and electronics.

Investigators have not said how the hackers got in

The advisory does not disclose exactly how BlackTech gains initial access to victim devices; the possibilities range from stolen employee credentials to the exploitation of zero-day vulnerabilities.

  • Once on a target router, the attackers use a technique known as “hot patching” to modify the firmware in memory; this is the step that allows them to install a modified bootloader and firmware image.
  • The modified firmware lets them bypass the router’s security features: their activity is hidden from the system logs so that it leaves no trace, and access control lists (ACLs) that would otherwise block them are ignored.

BlackTech uses a number of tactics to avoid detection, including disabling logging on compromised devices and signing its modified firmware images with stolen code-signing certificates.
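The two tampering signs described above, a firmware image that no longer matches the vendor’s published hash and logging that has been switched off, can be checked from an analyst workstation. The script below is an added example and is not taken from the advisory, from Cisco or from the article; the image name, the image bytes, the hashes and the two running-config excerpts are all constructed for the example, and the logging checks are heuristics assumed here rather than an official hardening baseline.

```python
"""Audit a Cisco IOS router for firmware tampering and disabled logging (added example)."""
import hashlib
import re

# --- Firmware integrity ------------------------------------------------------
# Constructed stand-in for a vendor-published hash list. In practice, fill this from the
# vendor's download portal and never from hashes the device itself reports: a modified
# bootloader can lie about the image it is running.
GOOD_IMAGE = b"IOS-IMAGE-CONSTRUCTED-FOR-THIS-EXAMPLE\x00" * 64
IMAGE_NAME = "c2900-universalk9-mz.SPA.157-3.M9.bin"  # illustrative file name
KNOWN_GOOD_SHA512 = {IMAGE_NAME: hashlib.sha512(GOOD_IMAGE).hexdigest()}


def check_image(name: str, image: bytes, known_good=KNOWN_GOOD_SHA512) -> list[str]:
    """Hash an image file copied off the router (e.g. with scp) and compare it with the
    known-good list. Returns a list of findings; an empty list means the image checks out."""
    digest = hashlib.sha512(image).hexdigest()
    expected = known_good.get(name)
    if expected is None:
        return [f"{name}: image name not in the known-good list"]
    if digest != expected:
        return [f"{name}: SHA-512 mismatch (got {digest[:16]}..., expected {expected[:16]}...)"]
    return []


# --- Logging configuration ---------------------------------------------------
def audit_logging(running_config: str) -> list[str]:
    """Flag the logging changes an attacker makes to stay out of the syslog stream.
    Checks (assumed for this example): global logging off, no remote syslog host,
    no local log buffer, and no logging of configuration changes."""
    lines = [line.strip() for line in running_config.splitlines()]
    findings = []
    if "no logging on" in lines:
        findings.append("global logging disabled ('no logging on')")
    # Newer IOS writes 'logging host A.B.C.D', older releases 'logging A.B.C.D'.
    if not any(re.match(r"logging (host |\d+\.\d+\.\d+\.\d+)", line) for line in lines):
        findings.append("no remote syslog destination ('logging host')")
    if not any(line.startswith("logging buffered") for line in lines):
        findings.append("no local log buffer ('logging buffered')")
    if "log config" not in lines or "logging enable" not in lines:
        findings.append("configuration-change logging not enabled ('archive / log config / logging enable')")
    return findings


# Constructed running-config excerpts, not real device output.
CLEAN_CONFIG = """\
hostname hq-edge-1
!
logging buffered 64000 informational
logging host 10.20.0.5
logging trap informational
!
archive
 log config
  logging enable
  notify syslog contenttype plaintext
  hidekeys
!
"""

TAMPERED_CONFIG = """\
hostname branch-edge-7
!
no logging on
no logging buffered
!
"""


def audit_router(name: str, image: bytes, running_config: str) -> list[str]:
    """Combine both checks into one list of findings for a device."""
    return check_image(name, image) + audit_logging(running_config)


if __name__ == "__main__":
    print("hq-edge-1:", audit_router(IMAGE_NAME, GOOD_IMAGE, CLEAN_CONFIG) or "clean")
    print("branch-edge-7:", audit_router(IMAGE_NAME, GOOD_IMAGE + b"\x90", TAMPERED_CONFIG))
```

Hash the image file off the box: once the bootloader or firmware has been replaced, the router’s own `show version` or `verify` output cannot be trusted, which is exactly why the article describes the activity as leaving no trace on the device.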

The group also uses specially crafted UDP and TCP packets (“magic packets”) to switch an SSH backdoor on Cisco routers on and off on demand, so the backdoor is only listening while the attackers need it, which further hides their activity from system administrators.
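A backdoor that is switched on by a magic packet has a recognisable shape in flow data: a single-packet flow to the router, followed shortly afterwards by a new SSH session to the same router from the same source. The detector below is an added example, not code from the advisory or the article; the flow records are constructed in a NetFlow-like one-line-per-flow format, the router and management addresses are illustrative, and the assumption that the backdoor answers on TCP port 22 is configurable because a backdoor may well listen elsewhere.

```python
"""Detect magic-packet-then-SSH sequences in flow records (added example)."""
from dataclasses import dataclass
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network

# Constructed flow records, not captured traffic:
# timestamp src dst proto dport packets bytes
FLOWS = """\
2023-09-27T02:14:03Z 198.51.100.23 192.0.2.1 udp 51422 1 60
2023-09-27T02:14:09Z 198.51.100.23 192.0.2.1 tcp 22 38 7120
2023-09-27T02:20:00Z 10.20.0.5 192.0.2.1 tcp 22 40 8200
2023-09-27T03:05:11Z 203.0.113.9 192.0.2.1 tcp 8443 1 60
2023-09-27T03:05:14Z 203.0.113.9 192.0.2.1 tcp 22 55 9900
2023-09-27T04:00:00Z 198.51.100.23 192.0.2.1 udp 51422 1 60
"""

ROUTERS = {"192.0.2.1"}                        # illustrative router address
MGMT_NETS = [ip_network("10.20.0.0/24")]       # illustrative management network
SSH_PORTS = {22}                               # assumption: backdoor answers on tcp/22
WINDOW = timedelta(seconds=30)                 # trigger-to-login window, assumed


@dataclass
class Flow:
    ts: datetime
    src: str
    dst: str
    proto: str
    dport: int
    packets: int
    nbytes: int


def parse_flows(text: str) -> list[Flow]:
    """Parse the one-line-per-flow format above into Flow objects sorted by time."""
    flows = []
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        ts, src, dst, proto, dport, packets, nbytes = line.split()
        flows.append(Flow(datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), src, dst,
                          proto, int(dport), int(packets), int(nbytes)))
    return sorted(flows, key=lambda f: f.ts)


def detect(flows: list[Flow], routers=ROUTERS, mgmt_nets=MGMT_NETS,
           ssh_ports=SSH_PORTS, window=WINDOW) -> list[tuple]:
    """Return (kind, src, dst, timestamp) alerts.

    magic_packet_then_ssh:     a single-packet flow to a router from some source was followed,
                               within `window`, by an SSH session from the same source.
    ssh_from_unmanaged_source: an SSH session to a router from outside the management networks.
    """
    alerts = []
    last_trigger: dict[tuple[str, str], datetime] = {}   # (src, router) -> time of last 1-packet flow
    for f in flows:
        if f.dst not in routers:
            continue
        key = (f.src, f.dst)
        if f.proto == "tcp" and f.dport in ssh_ports:
            if not any(ip_address(f.src) in net for net in mgmt_nets):
                alerts.append(("ssh_from_unmanaged_source", f.src, f.dst, f.ts))
            trigger = last_trigger.get(key)
            if trigger is not None and timedelta(0) <= f.ts - trigger <= window:
                alerts.append(("magic_packet_then_ssh", f.src, f.dst, f.ts))
        elif f.packets == 1:
            # Any protocol and any port counts: the text says both UDP and TCP are used.
            last_trigger[key] = f.ts
    return alerts


def run() -> list[tuple]:
    return detect(parse_flows(FLOWS))


if __name__ == "__main__":
    for kind, src, dst, ts in run():
        print(f"{ts.isoformat()} {kind}: {src} -> {dst}")
```

On the constructed data the management host’s SSH session raises nothing, the lone magic packet at 04:00 with no follow-up raises nothing, and the two external sources each raise both alert types. Single-packet flows to a router are not rare on their own, so the pairing with a subsequent login is what makes the rule usable; the unmanaged-source rule catches the case where the backdoor has been left open and the attacker returns without a trigger.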

The situation is further complicated by the fact that Cisco has been criticized for dropping support for older hardware while known vulnerabilities remain in those routers. Specifically, Cisco has stated that it will not release patches for serious vulnerabilities such as CVE-2022-20923 and CVE-2023-20025 on routers that have already reached the end of their support life cycle. Such decisions leave users exposed and give attackers additional openings.

Source: 24 Tv
