Researchers from the Israeli security company Check Point revealed this week that a malicious firmware implant endangers a range of home and small-office network routers, enlisting them into a network run by hackers allegedly tied to the Chinese government.
According to the details Check Point disclosed, a tampered firmware update for these routers contains a backdoor that lets the attackers take control of the compromised router, use it as a file-transfer relay, and send it remote commands, including uploading, downloading and deleting files.
Although the observed attack centred on TP-Link routers, the implant is "indifferent to the model", meaning the same approach can be applied to other routers. The main purpose of the malicious firmware, it seems, is to relay traffic between the target of the attack and the attacker's control servers in a way that hides the attacker from the intended victim.
Through further research, Check Point personnel found that the control infrastructure and servers were linked to "Mustang Panda", an Advanced Persistent Threat (APT) group that companies such as Avast and ESET had previously identified as operating on behalf of the Chinese government.
Investigation reveals invasive code
Check Point researchers discovered the implant while investigating a series of targeted attacks against European figures involved in foreign-policy affairs. The main component of the backdoor is a piece of code dubbed Horse Shell, which can run remote commands on the infected device, transfer files to and from it, and relay traffic to a specific IP address using the SOCKS5 protocol; that relaying was the main purpose of planting the code.
Because the compromised routers form a chain of encrypted links in which each node is exposed only to its two nearest neighbours, tracing the attack back to its source is difficult.
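As an added defensive example (not Check Point's analysis or the implant's code): a SOCKS5 (RFC 1928) request parser that a network defender could run over the first bytes of TCP streams a router itself originates, to spot the relay handshake described above. A home router has no business issuing SOCKS5 CONNECT requests, so any well-formed one it sends is worth flagging; the function names, allow-list and sample bytes are constructed.

```python
"""SOCKS5 (RFC 1928) greeting/request parser for inspecting router-originated
traffic. Constructed example, not Check Point's or the implant's code."""
import ipaddress
import struct

SOCKS_VERSION = 5
CMDS = {1: "CONNECT", 2: "BIND", 3: "UDP_ASSOCIATE"}


def parse_greeting(data: bytes):
    """VER | NMETHODS | METHODS... -> list of offered auth methods, or None."""
    if len(data) < 2 or data[0] != SOCKS_VERSION:
        return None
    n = data[1]
    if len(data) < 2 + n:
        return None
    return list(data[2:2 + n])


def parse_request(data: bytes):
    """VER | CMD | RSV | ATYP | DST.ADDR | DST.PORT -> (cmd, host, port) or None."""
    if len(data) < 4 or data[0] != SOCKS_VERSION or data[2] != 0:
        return None
    cmd, atyp = data[1], data[3]
    if cmd not in CMDS:
        return None
    if atyp == 1:            # IPv4: 4 raw bytes
        off, addr_len = 4, 4
    elif atyp == 3:          # domain name: 1 length byte, then the name
        if len(data) < 5:
            return None
        off, addr_len = 5, data[4]
    elif atyp == 4:          # IPv6: 16 raw bytes
        off, addr_len = 4, 16
    else:
        return None
    if len(data) < off + addr_len + 2:   # truncated address or port
        return None
    raw = data[off:off + addr_len]
    host = raw.decode("ascii", errors="replace") if atyp == 3 else str(ipaddress.ip_address(raw))
    port = struct.unpack("!H", data[off + addr_len:off + addr_len + 2])[0]
    return CMDS[cmd], host, port


def is_suspicious_relay(data: bytes, allowed_hosts=frozenset()) -> bool:
    """Flag any well-formed CONNECT whose destination is not explicitly allow-listed."""
    req = parse_request(data)
    return req is not None and req[0] == "CONNECT" and req[1] not in allowed_hosts
```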
Tom Malka, head of cyber research at the Rakia Group, told Walla! that this is a known tactic.
"This is the exploitation of routers with vulnerable versions in order to carry out attacks under the cloak of anonymity for the real attacker - especially when it comes to attackers who are state-sponsored, and do not want to have a link to the state itself in order to avoid sanctions or a media echo," explains Malka.