US and Japanese authorities, including the United States National Security Agency (NSA), the Federal Bureau of Investigation (FBI), the Cybersecurity and Infrastructure Security Agency (CISA), the Japan National Police Agency (NPA), and the Japan National Center of Incident Readiness and Strategy for Cybersecurity (NISC), have issued a joint advisory warning multinational corporations about a state-backed hacking group called BlackTech [1] [2] [5] [6]. The group, also tracked as Circuit Panda, Palmerworm, and Temp.Overboard, has conducted cyber-espionage against organisations in Japan, the US, and East Asia since around 2010 [1] [3] [4] [6]. BlackTech targets the government, industrial, technology, media, electronics, telecommunication, and defense sectors [1] [2] [3] [4] [5].


BlackTech can modify router firmware without detection and abuse the trust relationships between a corporate headquarters network and its branch-office routers to gain access to networks [1] [2] [6]. The group tampers with routers from vendors such as Cisco, modifies their firmware, and then exploits the router's trusted position inside the corporate network to expand its access [1] [2] [4] [6]. In the observed technique, the attackers first install an older but legitimate firmware version on the router, then modify that firmware in memory so that the device accepts a modified, unsigned bootloader and a modified, unsigned firmware image [4]. With the router under their control, their traffic blends in with normal corporate network traffic and they can pivot to other victims on the same network [4].

BlackTech is known for spear-phishing emails whose attachments carry backdoors, which it uses to deploy malware and steal sensitive data [1]. It also compromises vulnerable routers and uses them as command-and-control servers [1]. The group has been linked to a malware family named EYEWELL, used primarily against Taiwanese government and technology targets [1], and it develops customized malware and tailored persistence mechanisms for its victims [1].

The advisory recommends mitigations to detect and defend against BlackTech's activity, including adopting Zero Trust models [2]. It emphasises that multinational corporations should review the network connections from their subsidiaries and verify the access those connections grant [2] [5].

US security officials have expressed concern about China's offensive cyber capabilities; the FBI director has stated that China runs a larger hacking programme than any other major nation [6]. Japan, a key US ally in East Asia, was reportedly attacked by Chinese military hackers in 2020 [6].

In its latest campaign, BlackTech specifically targets network devices such as routers at branch offices as a foothold into larger corporate networks [3]. The group has developed a customized firmware backdoor for Cisco routers that lets it maintain access without detection: it installs an older, legitimate firmware version and modifies it in memory to install its malicious firmware [3]. BlackTech also deploys a range of custom malware payloads and remote access tools, including BendyBear, FakeDead (also known as TSCookie), and Flagpro, and uses built-in Windows utilities as part of its attack chain [3].
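The two paragraphs above that describe the router technique (install an older but legitimate image, then modify it so an unsigned bootloader and firmware can be loaded) give a defender two concrete things to look for: a router whose running image is older than the version change management approved, and an image whose digest no longer matches the vendor-published one. The script below is an added example written for this page, not code from the advisory, from Cisco, or from any of the cited sources. All hostnames, version strings, `show version` lines and digests are constructed sample data, the inventory layout is an assumption, and how the image digest is collected from each device is left out of scope.

```python
"""Baseline check for downgraded or tampered router images.

Added illustration (not code from the advisory or from any vendor): given the
version each router reports and a digest of the image in its flash, flag the two
conditions the text describes, a roll-back to an older but legitimate image and
an image whose digest no longer matches the vendor-published one.
All hostnames, version strings, 'show version' lines and digests below are
constructed sample data; the inventory layout is an assumption."""

import re
from typing import NamedTuple, Optional

# Classic IOS version strings look like 15.9(3)M7: major.minor(maintenance)TRAIN rebuild.
# (IOS XE uses a dotted 16.9.1 style and would need a second pattern; not handled here.)
_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\((\d+)\)([A-Za-z]*)(\d*)$")
_SHOW_VERSION_RE = re.compile(r"\bVersion\s+([^,\s]+)")


class IosVersion(NamedTuple):
    major: int
    minor: int
    maint: int
    train: str
    rebuild: int


def parse_version(text: str) -> IosVersion:
    """Parse '15.9(3)M7' into a tuple that orders correctly within one release train."""
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised IOS version string: {text!r}")
    major, minor, maint, train, rebuild = m.groups()
    return IosVersion(int(major), int(minor), int(maint), train, int(rebuild or 0))


def version_from_show_version(output: str) -> str:
    """Pull the version token out of the first line of 'show version' output."""
    m = _SHOW_VERSION_RE.search(output)
    if not m:
        raise ValueError("no 'Version' field in show version output")
    return m.group(1)


def is_downgrade(observed: str, approved: str) -> Optional[bool]:
    """True if observed is older than approved; None if the release trains differ
    (e.g. M vs. T), because numeric ordering across trains is not meaningful."""
    o, a = parse_version(observed), parse_version(approved)
    if o.train != a.train:
        return None
    return o < a


# Constructed inventory: the image version change management approved for each
# router, and the digest the vendor published for each image version.
# The digests are placeholders, not real Cisco image hashes.
APPROVED_VERSION = {
    "rtr-branch-tokyo": "15.9(3)M7",
    "rtr-branch-osaka": "15.9(3)M7",
    "rtr-branch-nagoya": "15.9(3)M7",
    "rtr-branch-sapporo": "15.9(3)M7",
}
PUBLISHED_SHA256 = {
    "15.9(3)M7": "a1" * 32,
    "15.9(3)M5": "b2" * 32,
}

# Constructed observations: first line of 'show version' and a SHA-256 computed
# over the image file in flash (collection of that digest is out of scope here).
SHOW_VERSION = {
    "rtr-branch-tokyo":   "Cisco IOS Software, C2900 Software (C2900-UNIVERSALK9-M), Version 15.9(3)M7, RELEASE SOFTWARE (fc2)",
    "rtr-branch-osaka":   "Cisco IOS Software, C2900 Software (C2900-UNIVERSALK9-M), Version 15.9(3)M5, RELEASE SOFTWARE (fc1)",
    "rtr-branch-nagoya":  "Cisco IOS Software, C2900 Software (C2900-UNIVERSALK9-M), Version 15.9(3)M5, RELEASE SOFTWARE (fc1)",
    "rtr-branch-sapporo": "Cisco IOS Software, C2900 Software (C2900-UNIVERSALK9-M), Version 15.9(3)M7, RELEASE SOFTWARE (fc2)",
}
IMAGE_SHA256 = {
    "rtr-branch-tokyo":   "a1" * 32,  # approved version, published digest: clean
    "rtr-branch-osaka":   "b2" * 32,  # older legitimate image: downgrade only
    "rtr-branch-nagoya":  "ff" * 32,  # older image AND digest mismatch: modified
    "rtr-branch-sapporo": "c3" * 32,  # approved version but digest mismatch: modified
}


def assess(show_version, image_sha256, approved_version, published_sha256):
    """Return {host: [finding, ...]}; an empty list means nothing suspicious."""
    findings = {}
    for host, output in show_version.items():
        issues = []
        observed = version_from_show_version(output)
        approved = approved_version.get(host)
        if approved is None:
            issues.append("no approved version on record")
        else:
            dg = is_downgrade(observed, approved)
            if dg is None:
                issues.append(f"release train changed: {approved} -> {observed}")
            elif dg:
                issues.append(f"downgrade: {approved} -> {observed}")
        expected = published_sha256.get(observed)
        digest = image_sha256.get(host, "").lower()
        if expected is None:
            issues.append(f"no published digest for {observed}")
        elif digest != expected:
            issues.append("image digest does not match the published digest (possible modified image)")
        findings[host] = issues
    return findings


if __name__ == "__main__":
    for host, issues in assess(SHOW_VERSION, IMAGE_SHA256, APPROVED_VERSION, PUBLISHED_SHA256).items():
        print(host, "OK" if not issues else "; ".join(issues))
```

The downgrade-only case (osaka in the sample) is worth alerting on even though the digest matches a genuine vendor image, because rolling back to an older image is the precondition for the in-memory modification the advisory describes. Two caveats apply in practice: a digest computed by the device itself is only as trustworthy as the firmware that computed it, so treat a clean result as a first-pass check rather than proof of integrity; and the version parser covers classic IOS strings only, so IOS XE devices need their own pattern before the comparison is meaningful.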


The activities of BlackTech, a state-backed hacking group, pose a significant threat to multinational corporations in Japan, the US, and East Asia [1] [2] [3] [4] [5] [6]. Its ability to modify router firmware undetected and to abuse trusted relationships within corporate networks lets it conduct cyber-espionage across many sectors. The advisory's mitigations, such as Zero Trust models and a review of subsidiary connections, are the recommended way to detect and defend against BlackTech's activity [2]. The concerns raised by US security officials about China's cyberattack capabilities underline the need for continued vigilance against evolving threats.