China-sponsored cybercriminals are hacking network providers and devices to spy on users

Chinese state-backed hackers are reportedly using unpatched consumer routers and network-attached storage (NAS) devices to gain access to the infrastructure of major telecommunications companies. The traffic on those systems is then captured and sent to Chinese servers. The US agencies issuing the alert didn’t name any victims.

According to a new alert, Chinese state-sponsored hackers are exploiting known security vulnerabilities in unpatched network devices to establish a broad network of compromised infrastructure.

The joint advisory was issued by the Cybersecurity and Infrastructure Security Agency (CISA), the NSA, and the FBI.

Some of the affected devices include consumer routers made by Cisco, D-Link, and Netgear and NAS devices made by QNAP. These serve as access points to route command and control (C2) traffic and act as midpoints to compromise other entities, such as telecommunications companies and network service providers.

After infiltrating these telco networks, the cybercriminals execute router commands to route, capture, and exfiltrate traffic to their own servers. At the same time, they monitor network defenders’ accounts and actions and modify their ongoing attacks to remain undetected.

The cyber actors reportedly use open-source tools, like RouterScan and RouterSploit, to scan for vulnerabilities. They conduct their intrusions through compromised servers called hop points, which typically have China-based IP addresses resolving to different Chinese ISPs.

The agencies claim that hackers lease remote access to the servers directly or indirectly from hosting providers and then use them to register and access operational email accounts, host C2 domains, and interact with victim networks. The hop points are also used as an obfuscation technique.

In related news, the FBI issued an alert last month warning US universities that their VPN credentials are being sold on Russian cybercriminal forums.