BlackTech
Actor Type | Nation State |
---|---|
Attributed to Nation | China |
Directly Linked Intrusion Sets | Earth Hundun |
BlackTech is a cyber espionage group reported as active since at least 2010 and linked to the People's Republic of China. The group is also tracked under the aliases Palmerworm, Temp.Overboard, Circuit Panda, and Radio Panda, and has targeted a wide range of sectors in the U.S. and East Asia.
BlackTech employs custom malware payloads and remote access tools (RATs) to compromise victims' systems, with a particular focus on network devices. The group has developed tailored persistence mechanisms for routers, including modified firmware, that let it disable logging on the device and abuse trusted domain relationships for lateral movement.
According to reporting, their primary targets include government, industrial, technology, media, electronics, and telecommunication sectors, as well as entities supporting the militaries of the U.S. and Japan.
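As an added example, not code from the original page or from the cited advisory, the following Python script shows one way a defender can check a Cisco IOS router for the two signs of tampering described above: a booted system image whose hash does not match the vendor's published hash (Patch System Image, T1601.001), and a configuration that keeps no off-box syslog and no record of configuration commands (Impair Command History Logging, T1562.003). The `show version` output, `verify /md5` output, running-config fragment, image filename and both hash values are constructed for this example; the command syntax (`show version`, `verify /md5 flash:<file>`, and the `archive` / `log config` / `logging enable` stanza) is standard Cisco IOS.

```python
import re
from typing import Dict, List

# Constructed sample output (not taken from any real device or the advisory),
# in the shape a Cisco IOS router prints for "show version" and "verify /md5".
SHOW_VERSION = """Cisco IOS Software, C2900 Software (C2900-UNIVERSALK9-M), Version 15.7(3)M5, RELEASE SOFTWARE (fc2)
ROM: System Bootstrap, Version 15.0(1r)M16, RELEASE SOFTWARE (fc1)
System image file is "flash:c2900-universalk9-mz.SPA.157-3.M5.bin"
"""

VERIFY_MD5 = """verify /md5 flash:c2900-universalk9-mz.SPA.157-3.M5.bin
.....................Done!
verify /md5 (flash:c2900-universalk9-mz.SPA.157-3.M5.bin) = 9f2a6d1c4b0e7a8d3c5f1e2b6a4d8c70
"""

# Constructed running-config fragment: logs stay on the box and config commands are not recorded.
RUNNING_CONFIG = """hostname edge-rtr-01
!
logging buffered 16384
no logging console
!
line vty 0 4
 transport input ssh
!
"""

# Hypothetical reference hashes keyed by image filename. In practice these come from
# the vendor's published hash for that exact image, never from the device under test.
KNOWN_GOOD_MD5: Dict[str, str] = {
    "c2900-universalk9-mz.SPA.157-3.M5.bin": "1c8e0d2b4a6f9e7d5c3b1a0f2e4d6c89",
}

IMAGE_RE = re.compile(r'System image file is "(?P<fs>[^:"]+):(?P<name>[^"]+)"')
VERIFY_RE = re.compile(r"verify /md5 \((?P<path>[^)]+)\) = (?P<md5>[0-9a-fA-F]{32})")


def parse_boot_image(show_version: str) -> str:
    """Return the filename of the image the device reports it booted from."""
    m = IMAGE_RE.search(show_version)
    if not m:
        raise ValueError("no 'System image file' line found in show version output")
    return m.group("name").lstrip("/")


def parse_verify_md5(verify_output: str) -> Dict[str, str]:
    """Map image filename -> MD5 the device computed over that file on flash."""
    hashes: Dict[str, str] = {}
    for m in VERIFY_RE.finditer(verify_output):
        path = m.group("path")
        name = path.split(":", 1)[1] if ":" in path else path
        hashes[name.lstrip("/")] = m.group("md5").lower()
    return hashes


def check_image_integrity(show_version: str, verify_output: str,
                          known_good: Dict[str, str]) -> List[str]:
    """Compare the booted image's on-device hash with the vendor reference hash."""
    findings: List[str] = []
    image = parse_boot_image(show_version)
    computed = parse_verify_md5(verify_output)
    if image not in known_good:
        findings.append(f"no vendor reference hash for booted image {image}")
    if image not in computed:
        findings.append(f"no verify /md5 result for booted image {image}")
    elif image in known_good and computed[image] != known_good[image].lower():
        findings.append(f"image hash mismatch for {image}: "
                        f"device={computed[image]} vendor={known_good[image].lower()}")
    return findings


def check_logging_config(config: str) -> List[str]:
    """Flag a config whose logs could be silently removed on the device itself."""
    findings: List[str] = []
    lines = [line.rstrip() for line in config.splitlines()]
    if not any(line.startswith("logging host ") for line in lines):
        findings.append("no 'logging host' configured: syslog stays on the box where it can be altered")
    # Walk the indented "archive / log config / logging enable" stanza, which makes
    # IOS record each configuration command; without it there is no command history
    # to review after an intrusion.
    in_archive = in_log_config = has_logging_enable = False
    for line in lines:
        if not line.startswith(" "):
            in_archive = line == "archive"
            in_log_config = False
        elif in_archive and line.strip() == "log config":
            in_log_config = True
        elif in_log_config and line.strip() == "logging enable":
            has_logging_enable = True
    if not has_logging_enable:
        findings.append("no 'archive / log config / logging enable' stanza: config commands are not logged")
    return findings


def audit_router(show_version: str, verify_output: str, config: str,
                 known_good: Dict[str, str]) -> List[str]:
    """Run both checks and return every finding; an empty list means nothing was flagged."""
    return check_image_integrity(show_version, verify_output, known_good) + check_logging_config(config)


if __name__ == "__main__":
    for finding in audit_router(SHOW_VERSION, VERIFY_MD5, RUNNING_CONFIG, KNOWN_GOOD_MD5):
        print("FINDING:", finding)
```

A hash computed by the device itself is evidence only as long as the software doing the computing is trusted; a tampered image or bootloader can misreport it. Treat a matching `verify /md5` as necessary rather than sufficient, and for a device already under suspicion copy the image off the router and hash it on a trusted host instead.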
BlackTech Threat Reports
People's Republic of China-Linked Cyber Actors Hide in Router Firmware
This Cybersecurity Advisory from CISA and partners details activities of the People's Republic of China (PRC)-linked cyber actors known as ...
References
attack.mitre.org: https://attack.mitre.org/groups/G0098/
www.nsa.gov: https://www.nsa.gov/Press-Room/Press-Releases-Statements/Press-Release-View/Article/3539209/us-and-japanese-agencies-issue-advisory-about-china-linked-actors-hiding-in-rou/
www.cisa.gov: https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-270a
www.trendmicro.com: https://www.trendmicro.com/en_us/research/17/f/following-trail-blacktech-cyber-espionage-campaigns.html
jsac.jpcert.or.jp: https://jsac.jpcert.or.jp/archive/2022/pdf/JSAC2022_8_hara_en.pdf
MITRE ATT&CK Techniques
MITRE ATT&CK techniques observed in use by this intrusion set.
ATT&CK ID | Title | Associated Tactics |
---|---|---|
T1601.001 | Patch System Image | Defense Evasion |
T1199 | Trusted Relationship | Initial Access |
T1021.004 | SSH | Lateral Movement |
T1071.002 | File Transfer Protocols | Command and Control |
T1542.004 | ROMMONkit | Defense Evasion, Persistence |
T1021.001 | Remote Desktop Protocol | Lateral Movement |
T1588.003 | Code Signing Certificates | Resource Development |
T1090 | Proxy | Command and Control |
T1562 | Impair Defenses | Defense Evasion |
T1562.003 | Impair Command History Logging | Defense Evasion |
T1112 | Modify Registry | Defense Evasion |
T1205 | Traffic Signaling | Command and Control, Defense Evasion, Persistence |