BlackTech

Threat Actor Profile Updated 12 days ago
BlackTech, a China-linked Advanced Persistent Threat (APT) group, has been identified as a significant cybersecurity threat by the US Cybersecurity and Infrastructure Security Agency (CISA). Known for developing customized malware and tailored persistence mechanisms, BlackTech primarily targets organizations in the telecommunications, technology, media, electronics, and industrial sectors. The group is associated with the Waterbear malware family, used in cyberespionage campaigns to gather intelligence from technology and government organizations, especially in the Asia-Pacific region.

Approximately six months before the 2022 FIFA World Cup soccer tournament in Qatar, BlackTech breached the network of a major communications provider for the games, inserting malware into a critical system that stored network device configurations. The group used its access to the Configuration Management Database (CMDB) to alter the configurations of Asus routers belonging to various organizations, rendering those systems reachable from the Internet. The intrusion demonstrated BlackTech's ability to disable logging and abuse trusted domain relationships, which let the group pivot between the networks of international subsidiaries and domestic headquarters.

The implications of BlackTech's capabilities are concerning. The access the group gained to the telecom provider's system could have enabled it to disrupt key communications completely, including all streaming services related to the games. This potential for widespread disruption underscores the severity of the threat posed by BlackTech and similar threat actors; comprehensive defensive measures and robust cybersecurity strategies are essential to mitigate the risks posed by such adversaries.
Possible Aliases / Cluster overlaps
It's hard to track cluster overlaps and naming conventions between vendors, so here are some possible overlapping names / profiles you also may want to look at.
Radio Panda (4 votes): Radio Panda, also known as BlackTech, Palmerworm, Temp.Overboard, and Circuit Panda, is a state-sponsored Chinese Advanced Persistent Threat (APT) group that has been conducting cyber espionage attacks since at least 2010. This threat actor has targeted various sectors, including government, industr

Palmerworm (3 votes): Palmerworm, also known as BlackTech, Temp.Overboard, Circuit Panda, and Radio Panda, is a threat actor group that has been active since at least 2013. This group has demonstrated extensive capabilities in targeting various sectors such as government, industrial, technology, media, electronics, and t

Mustang Panda (2 votes): Mustang Panda, also known as Earth Preta, Camaro Dragon, Bronze President, TA416, and Stately Taurus, is a China-aligned Advanced Persistent Threat (APT) group that has been active since at least 2012. The group has targeted various entities across the globe, including government organizations, thin

temp.overboard (2 votes): Temp.Overboard, also known as BlackTech, Circuit Panda, Palmerworm, and several other aliases, is a threat actor that has been active in the cybersecurity landscape since at least 2007. This group is known for its operations against targets in East Asia, specifically Taiwan, Japan, and Hong Kong. As
Miscellaneous Associations
Other elements of context that could aid in the identification of relevance
Tags: Malware, Backdoor, Exploit, APT, Espionage, Cisco, Chinese, Proxy, IOS, Vulnerability
Associated Malware
PLEAD (type: Unspecified, 3 votes): The PLEAD malware, also known as TSCookie, was first observed in the wild in 2015 and is believed to be associated with the Chinese APT group BlackTech. It was discovered by ESET researchers in 2019 that BlackTech was conducting Man-in-the-Middle (MitM) attacks through compromised ASUS routers and d

TSCookie (type: Unspecified, 2 votes): TSCookie is a malware that has been associated with various backdoors such as BendyBear, BIFROSE (Bifrost), Consock, KIVARS, PLEAD, XBOW, and Waterbear (DBGPRINT). It's also known as FakeDead and is used in conjunction with other tools like BendyBear and Flagpro by BlackTech, an advanced persistent

Flagpro (type: Unspecified, 2 votes): Flagpro is a malicious software (malware) used by threat actors to exploit and damage computer systems. The malware was first observed in attacks against Japan in October 2020, with new versions using the Microsoft Foundation Class (MFC) library identified by Security Operations Centers (SOCs) in Ju

Taidoor (type: Unspecified, 2 votes): Taidoor is a malicious software (malware) traditionally used as a Remote Access Trojan (RAT), associated with other malware like PITTYTIGER and ENFAL. Its primary attack vector involves phishing emails themed around military, renewable energy, or business strategy. The malware infects systems throug
Associated Threat Actors
Volt Typhoon (type: Unspecified, 2 votes): Volt Typhoon, a threat actor associated with the Chinese government, has emerged as a significant cybersecurity concern. Known for their strong operational security and use of obfuscation techniques to hide their malware, this group has successfully compromised organizations across various sectors s
Associated Vulnerabilities
No associations to display.
Source Document References
Information about the BlackTech Threat Actor was read from the documents corpus below.
CISA (8 months ago): People's Republic of China-Linked Cyber Actors Hide in Router Firmware | CISA
MITRE (a year ago): Malware "TSCookie" - JPCERT/CC Eyes
MITRE (a year ago): The Trail of BlackTech's Cyber Espionage Campaigns
MITRE (a year ago): BendyBear: Novel Chinese Shellcode Linked With Cyber Espionage Group BlackTech
MITRE (a year ago): Flagpro: The new malware used by BlackTech (via Passle)
Securityaffairs (8 months ago): China-linked APT BlackTech was spotted hiding in Cisco router firmware
CERT-EU (8 months ago): China's BlackTech Hacking Group Exploited Routers to Target U.S. and Japanese Companies
CERT-EU (8 months ago): US and Japan warn of Chinese hackers backdooring Cisco routers
MITRE (a year ago): Malware Used by BlackTech after Network Intrusion - JPCERT/CC Eyes
CERT-EU (8 months ago): Hacking Cisco Routers firmware and replacing it with a malicious firmware using this flaw
DARKReading (8 months ago): China APT Cracks Cisco Firmware in Attacks Against the US and Japan
CERT-EU (8 months ago): BlackTech gang hacks Cisco firmware in attacks on multinational corporations
CERT-EU (8 months ago): US: China's BlackTech Group Hacks Cisco Firmware in Cyberattacks
CERT-EU (8 months ago): Chinese Gov Hackers Caught Hiding in Cisco Router Firmware
MITRE (a year ago): Waterbear Returns, Uses API Hooking to Evade Security
DARKReading (a month ago): How Soccer's 2022 World Cup in Qatar Was Nearly Hacked
BankInfoSecurity (8 months ago): Chinese Hackers Target Routers in IP Theft Campaign
CERT-EU (8 months ago): Government-sponsored Chinese hackers are "hiding" inside Cisco routers
CERT-EU (8 months ago): Chinese 'BlackTech' hackers backdoor Cisco routers to breach orgs in the US, Japan
InfoSecurity-magazine (8 months ago): US and Japan Warn of Chinese Router Attacks