Chinese Cyberespionage Group Targets Defense and Technology Organizations’ Routers



A China-based cyberespionage group, tracked as UNC3886, has been targeting Juniper Networks' widely used Junos OS routers with custom backdoors built for outdated hardware. The campaign, uncovered by Google Mandiant researchers in mid-2024, has primarily focused on telecoms, defense, and technology organizations, particularly in the US and Asia.

UNC3886, known for its advanced tradecraft, has a history of compromising network devices and virtualization platforms, often through zero-day vulnerabilities. In this case, the attackers specifically targeted end-of-life Juniper MX routers running both unsupported hardware and outdated software. To gain a foothold on the devices, UNC3886 deployed at least six distinct backdoor variants based on TINYSHELL, a lightweight command-line backdoor.

The malware is sophisticated, providing remote access and command execution. Notably, the backdoors deployed by the group include log-tampering capabilities, which make it easier for the attackers to maintain long-term access while evading detection. One of the most concerning aspects of these attacks is the group's ability to bypass Veriexec, a Junos OS integrity-verification feature that is meant to prevent tampered or unauthorized code from running. By exploiting weaknesses in the legacy hardware and software, UNC3886 obtains root access and injects its malicious code into process memory, sidestepping defenses that inspect files on disk.

Mandiant’s investigation revealed various backdoor types, each with unique features. For instance, two variants, named “appid” and “to,” use AES encryption for secure communication with command-and-control servers and enable the execution of a wide range of TINYSHELL commands. Another variant, “irad,” acts as a packet sniffer, only activating its backdoor when specific network traffic is detected.

Perhaps most concerning, the “Impad” variant is designed to disable system logging and suppress alerts, enabling the attackers to maintain a low profile while conducting their activities. This tactic enhances the group’s ability to persist within the targeted network over extended periods without raising suspicion.

Mandiant has worked closely with Juniper Networks to address these vulnerabilities and strongly recommends that organizations upgrade to the latest device firmware. The report also advises enhancing overall cybersecurity practices, including the use of advanced secure authentication tools.