Last Wednesday, Microsoft issued a warning claiming Chinese state-sponsored hackers have compromised “critical” cyber infrastructure in a variety of industries, including government and communications organizations.
“The United States and international cybersecurity authorities are issuing this joint Cybersecurity Advisory (CSA) to highlight a recently discovered cluster of activity of interest associated with a People’s Republic of China (PRC) state-sponsored cyber actor, also known as Volt Typhoon,” said a statement released by authorities in the US, Australia, Canada, New Zealand and the UK – countries that make up the Five Eyes intelligence network.
The advisory, and an accompanying blog post by Microsoft, describe how Volt Typhoon proxies all of its network traffic to its targets through compromised SOHO network edge devices (including routers). Many of these devices, which include models manufactured by ASUS, Cisco, D-Link, NETGEAR, and Zyxel, allow the owner to expose HTTP or SSH management interfaces to the internet.
Network Devices on Target: Not for the first time
Attacks originating from China-based cyber-espionage groups are not new to Check Point Research or to the cybersecurity community. Chinese APT groups like Volt Typhoon have a history of sophisticated cyber-espionage campaigns. Their primary motivation is often strategic intelligence gathering, targeted disruption, or simply establishing a foothold in networks for future operations. The recent advisory pinpoints a variety of techniques employed by these threat actors, but of particular interest is their focus on “living off the land” and their exploitation of network devices such as routers.
In our latest report, we described how, over the past few months, Check Point Research (CPR) has closely monitored a series of targeted attacks aimed at European foreign affairs entities. These campaigns have been linked to a Chinese state-sponsored APT group we track as Camaro Dragon, which shares similarities with previously reported activities conducted by state-sponsored Chinese threat actors, namely Mustang Panda.
Our comprehensive analysis of these attacks has uncovered a malicious firmware implant tailored for TP-Link routers. The implant features several malicious components, including a custom backdoor named “Horse Shell” that enables the attackers to maintain persistent access, build anonymous infrastructure and enable lateral movement into compromised networks.
The US isn’t the sole espionage target
Back in March 2023 we shone a spotlight on Chinese-origin espionage attacks against Southeast Asian government entities, in particular nations with similar territorial claims or strategic infrastructure projects, such as Vietnam, Thailand, and Indonesia.
In July 2021, CERT-FR reported a large campaign conducted by the Chinese-affiliated threat actor APT31. They discovered that the actor used a mesh network of compromised routers orchestrated with malware they dubbed “Pakdoor”.
A 2021 CISA advisory listed common techniques used by Chinese state-sponsored APTs. Among them, it mentions the attackers’ targeting of vulnerable routers as part of their operational infrastructure, both to evade detection and to host Command and Control activity.
Why are these edge devices a focal point of their attack strategy?
In recent years we have seen Chinese threat actors’ increasing interest in compromising edge devices, aiming both to build more resilient and anonymous C&C infrastructure and to gain a foothold in specific targeted networks.
Network devices, like routers, often considered the perimeter of an organization’s digital estate, serve as the first point of contact for internet-based communication. They are responsible for routing and managing network traffic, both legitimate and potentially malicious. By compromising these devices, the attackers can blend their traffic with legitimate communications, making detection significantly more challenging. These devices, when reconfigured or compromised, also allow attackers to tunnel communications through the network, effectively anonymizing their traffic and evading traditional detection methods.
This strategy also complements Volt Typhoon’s “living off the land” approach. Rather than using malware, which can be detected by many modern security systems, these actors leverage built-in network administration tools like wmic, ntdsutil, netsh, and PowerShell. The malicious activities get lost in the sea of benign administrative tasks, making it difficult for defenders to identify the attackers amidst legitimate users.
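Because the tools themselves are legitimate, detection has to lean on context: who ran the tool, on which host, and from which parent process. The following triage script is an added example for this post, not Check Point code or a Volt Typhoon signature; the process-creation records, the admin-account and jump-host baselines, and the scoring weights are all constructed for illustration.

```python
"""Context-based triage of built-in admin tool launches (added example)."""
from dataclasses import dataclass
from typing import List, Tuple

# Built-in Windows administration tools named in the advisory and in this post.
LOTL_TOOLS = {"wmic.exe", "ntdsutil.exe", "netsh.exe", "powershell.exe"}
# Constructed baselines: accounts and hosts that legitimately run these tools.
ADMIN_USERS = {"CORP\\itadmin"}
ADMIN_HOSTS = {"JUMP01"}
# Parents that should not be spawning admin tooling (web server, office apps).
SUSPICIOUS_PARENTS = {"w3wp.exe", "winword.exe", "excel.exe", "outlook.exe"}

# Constructed process-creation records: host|user|parent_image|image
SAMPLE_EVENTS = [
    "JUMP01|CORP\\itadmin|cmd.exe|wmic.exe",        # admin on jump host
    "WS07|CORP\\itadmin|cmd.exe|netsh.exe",         # admin, but on a workstation
    "WS07|CORP\\alice|explorer.exe|powershell.exe", # regular user on workstation
    "DC01|CORP\\svc_web|w3wp.exe|ntdsutil.exe",     # web server spawning ntdsutil on a DC
    "WS07|CORP\\alice|explorer.exe|notepad.exe",    # not an admin tool at all
]

@dataclass
class Event:
    host: str
    user: str
    parent: str
    image: str

def parse_event(line: str) -> Event:
    host, user, parent, image = line.split("|", 3)
    return Event(host, user, parent.lower(), image.lower())

def score_event(ev: Event) -> Tuple[int, List[str]]:
    """Return a risk score and the reasons behind it; 0 means not an admin tool."""
    if ev.image not in LOTL_TOOLS:
        return 0, []
    score, reasons = 1, [f"built-in admin tool {ev.image}"]
    if ev.user not in ADMIN_USERS:
        score, reasons = score + 2, reasons + [f"run by non-admin account {ev.user}"]
    if ev.host not in ADMIN_HOSTS:
        score, reasons = score + 1, reasons + [f"run on non-admin host {ev.host}"]
    if ev.parent in SUSPICIOUS_PARENTS:
        score, reasons = score + 3, reasons + [f"spawned by {ev.parent}"]
    return score, reasons

def triage(lines: List[str], threshold: int = 3) -> List[Tuple[str, str, int, List[str]]]:
    """Keep only launches whose context score reaches the threshold."""
    hits = []
    for line in lines:
        ev = parse_event(line)
        score, reasons = score_event(ev)
        if score >= threshold:
            hits.append((ev.host, ev.image, score, reasons))
    return hits
```

With the constructed baselines, the admin's own wmic and netsh launches fall below the threshold, while the workstation PowerShell launch and the ntdsutil launch spawned by a web server process on a domain controller are surfaced for review.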
Such techniques also allow the APT group to maintain persistence within the network. The compromise of Small Office/Home Office (SOHO) network devices can be used as intermediate infrastructure to hide their true origin and retain control over a network even if other elements of their operation are discovered and removed. A hidden foothold is a powerful tool for an APT, allowing a second wave of attacks or data exfiltration even after an organization believes the threat has been eliminated.
Firmware-agnostic nature of attacks
Our discovery of the firmware-agnostic nature of the implanted components indicates that a wide range of devices and vendors may be at risk. We hope that our research will contribute to improving the security posture of organizations and individuals alike. In the meantime, remember to keep your network devices updated and secured, and watch for any suspicious activity on your network.
Protecting Your Network
The discovery of recent espionage attacks highlights the importance of taking protective measures against similar attacks. Here are some recommendations for detection and protection:
- Software Updates
  Regularly updating the firmware and software of routers and other devices is crucial for closing vulnerabilities that attackers may exploit.
- Up-to-Date Patches
  Keeping computers up to date and applying security patches, especially those labeled as critical, can help to limit an organization’s vulnerability to ransomware attacks, as such patches are usually overlooked or delayed too long to offer the required protection.
- Default Credentials
  Change the default login credentials of any device connected to the internet to strong passwords and use multi-factor authentication whenever possible. Attackers often scan the internet for devices that still use default or weak credentials.
- Threat Prevention is crucial
  Check Point’s network security solutions provide advanced threat prevention and real-time network protection against sophisticated attacks like those used by the Camaro Dragon APT group. This includes protection against exploits, malware, and other advanced threats. Check Point’s Quantum IoT Protect automatically identifies and maps IoT devices and assesses their risk, prevents unauthorized access to and from IoT/OT devices with zero-trust profiling and segmentation, and blocks attacks against IoT devices.
Manufacturers can do better to secure their devices against malware and cyberattacks. New regulations in the US and in Europe require vendors and manufacturers to ensure that devices do not pose risks to users and to include security features inside the device.
Check Point IoT Embedded with Nano Agent® provides on-device runtime protection enabling connected devices with built-in firmware security. The Nano Agent® is a customized package which provides the top security capabilities and prevents malicious activity on routers, network devices and other IoT devices. Check Point IoT Nano Agent® has advanced capabilities of memory protection, anomaly detection, and control flow integrity. It operates inside the device and serves as a frontline to secure IoT devices.