Last Wednesday, Microsoft issued a warning that state-backed Chinese hackers had breached "critical" cyber infrastructure across a range of industries, including government and communications organizations.
"The United States and international cybersecurity authorities are issuing this joint Cybersecurity Advisory (CSA) to highlight a recently discovered cluster of activity associated with a People's Republic of China (PRC) state-sponsored cyber actor, also known as Volt Typhoon," reads a statement issued by the authorities of the US, Australia, Canada, New Zealand and the United Kingdom, the countries that make up the Five Eyes intelligence alliance.
The advisory, and an accompanying post on Microsoft's blog, describe how Volt Typhoon proxies all of its network traffic to its targets through compromised SOHO network edge devices, routers included. Many of these devices, including models made by ASUS, Cisco, D-Link, NETGEAR and Zyxel, allow the owner to expose HTTP or SSH management interfaces to the internet.
Targeting network devices: not for the first time
Attacks originating from China-based cyberespionage groups are nothing new to Check Point Research or to the wider cybersecurity community. Chinese APT groups such as Volt Typhoon have a history of sophisticated cyberespionage campaigns. Their primary motivation is usually to gather strategic intelligence, to disrupt targets, or simply to establish a position inside networks for future operations. The recent advisory identifies a variety of techniques used by these threat actors, but of particular interest is their focus on "living off the land" and on exploiting network devices such as routers.
In its most recent report, Check Point Research (CPR) revealed that over recent months it had tracked a series of targeted attacks on European foreign affairs bodies. These campaigns have been linked to a Chinese state-sponsored APT group tracked as Camaro Dragon, whose activity overlaps with previously reported operations conducted by state-sponsored Chinese threat actors, namely Mustang Panda.
A comprehensive analysis of these attacks revealed a malicious firmware implant tailored for TP-Link routers. The implant contains several malicious components, including a custom backdoor named "Horse Shell" that allows attackers to maintain persistent access, build anonymous infrastructure, and move laterally into compromised networks.
The US is not the only target of espionage
In March 2023, we unraveled a web of Chinese-origin espionage attacks against government entities in Southeast Asia, particularly nations with competing territorial claims or strategic infrastructure projects, such as Vietnam, Thailand, and Indonesia.
In July 2021, CERT-FR reported a major campaign conducted by the Chinese threat actor APT31. It found that the attacker was using a mesh network of compromised routers, orchestrated with malware that CERT-FR named "Pakdoor".
An earlier CISA advisory from 2021 listed common techniques used by Chinese state-sponsored APTs. Among them, it notes that attackers target vulnerable routers as part of their operational infrastructure, both to avoid detection and to host command-and-control activity.
Why are edge devices central to the attack strategy?
Recent years have seen growing interest from Chinese threat actors in compromising network edge devices, with the dual goal of building more resilient and more anonymous C&C infrastructure and of gaining footholds inside specific targeted networks.
Often considered the perimeter of an organization's digital estate, network devices such as routers are the first point of contact for internet communication. They route and manage network traffic, legitimate and malicious alike. By compromising these devices, attackers can blend their traffic with legitimate communications, making detection significantly harder. Once compromised, the devices also let attackers relay their communications through the victim's own network, effectively anonymizing their traffic and sidestepping traditional detection methods.
This strategy complements Volt Typhoon's "living off the land" approach. Instead of deploying custom malware, which modern security products are tuned to detect, these actors use built-in administration tools such as wmic, ntdsutil, netsh, and PowerShell. Malicious activity gets lost in the sea of benign management tasks, which makes it difficult for defenders to tell attackers apart from legitimate administrators.
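The detection side of this is easier to see in code. What follows is an added example written by the editor, not code from the original post or from Check Point. It scans process-creation records (the fields of a Windows Security event 4688 flattened to one line each) for abuse patterns of the tools named above. The log lines, the field layout and the rule set are the editor's assumptions, constructed to make the paragraph's point: the same binaries show up in routine administration, so detection has to key on the arguments, not on the tool name.

```python
"""
Hunting for "living off the land" activity in process-creation logs.

Added example by the editor; not part of the original post or of Check Point's
tooling. Sample records and rules are constructed for illustration. The rules
describe well-documented abuses of the named tools, not a specific indicator
list from the advisory.
"""
import base64
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample payload: an encoded PowerShell command is base64 over UTF-16LE.
ENCODED = base64.b64encode("IEX (New-Object Net.WebClient)".encode("utf-16-le")).decode()

# Constructed sample log. Fields: timestamp|host|user|parent image|command line
SAMPLE_LOG = "\n".join([
    r'2023-05-24T09:12:01Z|DC01|CORP\svc_backup|C:\Windows\System32\cmd.exe|ntdsutil.exe "ac i ntds" "ifm" "create full C:\Windows\Temp\pro" q q',
    r'2023-05-24T09:15:44Z|WS17|CORP\jdoe|C:\Windows\explorer.exe|netsh advfirewall show allprofiles',
    r'2023-05-24T09:20:10Z|SRV03|CORP\admin|C:\Windows\System32\cmd.exe|netsh interface portproxy add v4tov4 listenport=9999 listenaddress=0.0.0.0 connectport=8443 connectaddress=10.0.5.21',
    r'2023-05-24T09:22:37Z|WS17|CORP\jdoe|C:\Windows\explorer.exe|wmic os get caption,version',
    r'2023-05-24T09:31:05Z|SRV03|CORP\admin|C:\Windows\System32\cmd.exe|wmic /node:10.0.5.30 /user:corp\admin process call create "cmd.exe /c whoami > C:\Windows\Temp\o.txt"',
    r'2023-05-24T09:40:58Z|WS22|CORP\ops|C:\Windows\explorer.exe|powershell.exe -NoProfile Get-Service -Name Spooler',
    r'2023-05-24T09:45:13Z|WS22|CORP\ops|C:\Windows\System32\wscript.exe|powershell.exe -nop -w hidden -enc ' + ENCODED,
])

# Rules key on arguments, because the binaries themselves are used by admins every day.
RULES = [
    ("credential-dump: ntdsutil IFM export of NTDS.dit",
     re.compile(r"\bntdsutil(\.exe)?\b.*\b(ifm|create\s+full)\b", re.I)),
    ("pivot: netsh portproxy listener added",
     re.compile(r"\bnetsh(\.exe)?\b.*\binterface\s+portproxy\s+add\b", re.I)),
    ("remote-exec: wmic process call create",
     re.compile(r"\bwmic(\.exe)?\b.*\bprocess\s+call\s+create\b", re.I)),
    # -e / -ec / -enc / -EncodedCommand followed by a base64 blob
    ("obfuscation: encoded PowerShell command",
     re.compile(r"\bpowershell(\.exe)?\b.*\s-e(?:c|nc|ncodedcommand)?\s+(?P<b64>[A-Za-z0-9+/=]{16,})", re.I)),
]


@dataclass
class Finding:
    timestamp: str
    host: str
    user: str
    technique: str
    detail: str


def decode_encoded_command(b64: str) -> Optional[str]:
    """Decode a PowerShell -EncodedCommand payload (base64 of UTF-16LE text)."""
    try:
        return base64.b64decode(b64, validate=True).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):  # binascii.Error is a ValueError
        return None


def hunt(log_text: str) -> List[Finding]:
    """Return one Finding per (record, rule) match, in log order."""
    findings: List[Finding] = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, host, user, _parent, cmdline = line.split("|", 4)
        for name, rx in RULES:
            m = rx.search(cmdline)
            if not m:
                continue
            detail = cmdline
            if "b64" in rx.groupindex:
                decoded = decode_encoded_command(m.group("b64"))
                # Surface what would actually have run, not the opaque blob.
                detail = f"decoded: {decoded}" if decoded else "undecodable encoded payload"
            findings.append(Finding(ts, host, user, name, detail))
    return findings


if __name__ == "__main__":
    for f in hunt(SAMPLE_LOG):
        print(f"{f.timestamp} {f.host} {f.user}: {f.technique}\n    {f.detail}")
```

Run stand-alone, the script reports four findings from the sample and leaves the benign netsh, wmic and PowerShell lines alone. The encoded-command rule decodes the UTF-16LE payload so the analyst sees the command that would have run rather than a base64 blob; in a real deployment the same rules would sit on a SIEM's 4688 or Sysmon event 1 feed.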
Such techniques also let the APT group maintain persistence on the network. Compromised Small Office/Home Office (SOHO) network devices serve as intermediate infrastructure that hides the attackers' true origin and keeps control of a network even when other elements of the operation are discovered and removed. A backdoor is a powerful tool for an APT, enabling a second wave of attacks or data exfiltration even after an organization believes the threat has been neutralized.
The firmware-agnostic nature of the attacks
The firmware-agnostic nature of the implanted components indicates that a wide range of devices and vendors may be at risk. We hope that our research will help improve the security posture of both organizations and individuals. In the meantime, keep your network devices up to date and securely configured, and watch for suspicious activity on your network.
Protecting your network
The recent espionage attacks highlight the importance of taking measures to protect against similar campaigns. Here are some recommendations for detection and protection:
Regularly updating the firmware and software of routers and other network devices is critical: the vulnerabilities attackers exploit are often ones for which a fix already exists.
Keep computers up to date and apply security patches, especially those rated critical. Patches are often overlooked or applied too late to provide protection, which leaves an organization exposed to attacks such as ransomware.
Change the default login credentials of any internet-connected device to strong, unique passwords and use multi-factor authentication wherever possible. Attackers routinely scan the internet for devices that still use default or weak credentials.
Threat prevention is vital
Check Point's network security solutions provide advanced threat prevention and real-time network protection against sophisticated attacks like those used by the Camaro Dragon APT group, including protection against exploits, malware and other advanced threats. Check Point's Quantum IoT Protect automatically discovers and maps IoT devices and assesses their risk, prevents unauthorized access to and from IoT/OT devices with zero-trust profiling and segmentation, and blocks attacks against IoT devices.
Manufacturers can do more to secure their devices against malware and cyberattacks. New regulations in the US and Europe require vendors and manufacturers to ensure that devices do not pose risks to users and to build security features into the device itself.