Press Release

CISA, NSA, FBI and Japan Release Advisory Warning of BlackTech, PRC-Linked Cyber Activity

Advisory helps organizations protect against PRC-linked actors hiding in router firmware
Released

WASHINGTON - The Cybersecurity and Infrastructure Security Agency (CISA), National Security Agency (NSA), Federal Bureau of Investigation (FBI), Japan National Police Agency (NPA), and Japan National Center of Incident Readiness and Strategy for Cybersecurity (NISC) published a Joint Cybersecurity Advisory (CSA) today about malicious activity by People’s Republic of China (PRC)-linked cyber actors known as BlackTech, which have demonstrated capabilities to modify router firmware without detection and exploit routers’ domain-trust relationships. The authoring agencies have observed PRC-linked cyber actors leveraging this exploitation of routers to pivot from global subsidiary companies to corporate headquarter networks in the U.S. and Japan.  

BlackTech actors have targeted government, industrial, technology, media, electronics, telecommunication, and defense industrial base sectors. These actors are targeting Windows, Linux, and FreeBSD operating systems using remote access tools (RATs) and several different custom malware payloads, such as BendyBear, FakeDead, and FlagPro, along with using living off the land technique to evade detection and blend in with normal operations and activities and appear legitimate.  

“With our U.S. and international partners, CISA continues to call urgent attention to China’s sophisticated and aggressive global cyber operations to gain persistent access and, in the case of BlackTech actors, steal intellectual property and sensitive data,” said Eric Goldstein, Executive Assistant Director for Cybersecurity. “Today’s joint advisory with our partners in Japan highlights our extensive and persistent collaboration to provide actionable and timely guidance to businesses, government and critical infrastructure. BlackTech activity targets a wide range of public organizations and private industries across the U.S. and East Asia. We encourage all organizations to review the advisory, take action to mitigate risk, report any evidence of anomalous activity, and continue to visit cisa.gov/china for ongoing updates about the heightened risk posed by PRC cyber acotrs.” 

With partners in the NSA, FBI, and Government of Japan, CISA urges critical infrastructure and private sector organizations to apply the recommended mitigations in this advisory to strengthen their cyber defenses and reduce threat of compromise from BlackTech.  

For more information on PRC cyber threat, see the CSA People's Republic of China-Linked Cyber Actors Hide in Router Firmware and visit China Cyber Threat Overview and Advisories

###

About CISA 

As the nation’s cyber defense agency and national coordinator for critical infrastructure security, the Cybersecurity and Infrastructure Security Agency leads the national effort to understand, manage, and reduce risk to the digital and physical infrastructure Americans rely on every hour of every day.

Visit CISA.gov for more information and follow us on TwitterFacebookLinkedIn, Instagram