Full Report
Chinese hackers are deploying custom backdoors on Juniper Networks Junos OS MX routers that have reached end-of-life (EoL) and no longer receive security updates. [...]
Analysis Summary
# Threat Actor: Identified as Chinese Cyberspies (Associated with UNC3886)
## Attribution & Identity
The threat actor is described as "Chinese cyberspies" and is associated with the threat group designation **UNC3886**.
## Activity Summary
The group ran a campaign to gain stealthy, long-term access to corporate networks by backdooring **Juniper routers**. The primary objective appears to be low-detection persistence on network infrastructure, achieved by implanting multiple custom backdoors on end-of-life (EoL) Juniper MX routers that no longer receive security updates.
## Tactics, Techniques & Procedures
- **Backdoor installation:** Implanting custom backdoors on Juniper MX routers running Junos OS.
- **Stealthy C2 Communication:** Command and control runs over TCP with **AES-encrypted** payloads. Because the content is encrypted, network detection has to rely on connection metadata (which routing-engine process opened the session, the destination, timing) rather than payload inspection.
- **Persistence/Evasion (lmpad):** A utility named **lmpad**, whose name mimics the legitimate 'lmpd' process, is run before hands-on operations to disable SNMP and management-daemon logging and related security monitoring; it can restore logging afterwards so that the activity window leaves no local trace. The resulting silent window is itself an indicator worth hunting for, especially at a remote syslog collector.
- **Distinct C2 Methods:** Each of the six reported backdoors has its own C2 communication method and its own set of hardcoded C2 server addresses, so blocking the addresses of one implant does not disrupt the others.
- **Previous Targeting:** Juniper routers were previously targeted by this group, or by related actors, with **J-Magic malware**, which opened reverse shells when triggered by specially crafted packets.
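Two of the behaviours above leave traces a defender can hunt for without any malware signature: a process whose name is a near-miss of a legitimate Junos daemon (lmpad versus lmpd), and a window in which the device stopped logging and then resumed. The script below is an added example, not code from the report or from Juniper; it runs both checks over constructed sample data (a `show system processes` style listing and a few Junos-format syslog lines). The daemon allowlist, the `/var/tmp/lmpad` path and the hostname are assumptions made for the sample, not indicators from the report.

```python
"""Heuristic hunt for the lmpad pattern on a Junos device (added example).

Check 1: process names one edit away from a legitimate Junos daemon.
Check 2: silent windows in syslog that could mark the period in which
         logging was disabled and later restored.
"""
from __future__ import annotations

from datetime import datetime, timedelta

# Partial allowlist of legitimate Junos daemons. Assumption: tailor this per
# platform and Junos release from a known-good device.
KNOWN_DAEMONS = {"mgd", "rpd", "snmpd", "lmpd", "chassisd", "sshd",
                 "eventd", "dfwd", "cosd"}


def one_edit_away(a: str, b: str) -> bool:
    """True if a becomes b with exactly one insert, delete or substitution."""
    if abs(len(a) - len(b)) > 1:
        return False
    if len(a) > len(b):
        a, b = b, a                      # a is now the shorter (or equal) string
    i = j = edits = 0
    while i < len(a) and j < len(b):
        if a[i] == b[j]:
            i += 1
            j += 1
            continue
        edits += 1
        if edits > 1:
            return False
        if len(a) == len(b):
            i += 1                       # substitution: advance both
        j += 1                           # insertion into the longer string
    edits += len(b) - j                  # trailing character of the longer string
    return edits == 1


def lookalike_processes(ps_output: str) -> list[tuple[str, str]]:
    """Return (process, legitimate_name) pairs for running processes whose
    name is a near-miss of a known daemon but is not itself allowlisted.
    Expects 'show system processes' columns: PID TT STAT TIME COMMAND."""
    hits = []
    for line in ps_output.strip().splitlines()[1:]:   # skip the header row
        parts = line.split(None, 4)
        if len(parts) < 5:
            continue
        name = parts[4].split()[0].rsplit("/", 1)[-1]  # basename of the binary
        if name in KNOWN_DAEMONS:
            continue
        for legit in sorted(KNOWN_DAEMONS):
            if one_edit_away(name, legit):
                hits.append((name, legit))
    return hits


def syslog_gaps(lines: list[str], year: int,
                max_silence: timedelta) -> list[tuple[datetime, datetime]]:
    """Return (last_seen, next_seen) windows longer than max_silence.
    Junos syslog lines start 'Mon DD HH:MM:SS host ...' with no year."""
    stamps = []
    for line in lines:
        try:
            stamps.append(datetime.strptime(f"{year} {line[:15]}",
                                            "%Y %b %d %H:%M:%S"))
        except ValueError:
            continue                     # not a standard syslog line
    return [(prev, cur) for prev, cur in zip(stamps, stamps[1:])
            if cur - prev > max_silence]


# Constructed sample data (not from the report).
SAMPLE_PS = """\
  PID  TT  STAT      TIME COMMAND
 1201  -   Ss     0:03.12 /usr/sbin/mgd -N
 1340  -   S      0:00.40 /usr/sbin/lmpd -N
 1355  -   S      0:00.02 /usr/sbin/snmpd -N
 4210  -   S      0:00.01 /var/tmp/lmpad
"""

SAMPLE_SYSLOG = [
    "Mar 11 09:58:12 mx-edge1 mgd[1201]: UI_LOGIN_EVENT: User 'ops' login, class 'super-user'",
    "Mar 11 09:59:40 mx-edge1 snmpd[1355]: SNMP_TRAP_LINK_UP: ifIndex 512, ifAdminStatus up(1)",
    "Mar 11 10:00:05 mx-edge1 mgd[1201]: UI_CMDLINE_READ_LINE: User 'ops', command 'show system processes '",
    "Mar 11 10:47:30 mx-edge1 snmpd[1355]: SNMP_TRAP_LINK_DOWN: ifIndex 512, ifAdminStatus down(2)",
    "Mar 11 10:48:00 mx-edge1 mgd[1201]: UI_LOGOUT_EVENT: User 'ops' logout",
]

if __name__ == "__main__":
    for proc, legit in lookalike_processes(SAMPLE_PS):
        print(f"suspicious process {proc!r} resembles legitimate daemon {legit!r}")
    for start, end in syslog_gaps(SAMPLE_SYSLOG, 2025, timedelta(minutes=30)):
        print(f"no syslog between {start:%H:%M:%S} and {end:%H:%M:%S}")
```

The gap check is only meaningful on a device that normally logs at a steady cadence; run it against the copy of the logs held by a remote syslog collector, since an implant that disables local logging can also rewrite what stays on the box.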
## Targeting
- Sectors: Corporate networks (general targeting implied by the focus on network infrastructure).
- Geography: Not explicitly mentioned in the provided excerpt.
- Victims: Organizations using **end-of-life (EoL) Juniper MX routers**.
## Tools & Infrastructure
- **Malware families used:** Six distinct custom backdoors.
- **Specific Backdoor/Utility:**
  - **lmpad:** A utility/passive backdoor whose name mimics the legitimate 'lmpd' process.
- **Infrastructure:** Each backdoor uses a separate set of **hardcoded C2 server addresses**. Communication utilizes **TCP with AES encryption**.
## Implications
This campaign signifies a highly targeted operation focused on compromising critical network infrastructure (routers) to ensure deep, long-term, and difficult-to-detect access into victim environments. The use of custom malware designed to interfere with logging mechanisms indicates a high level of operational security and anti-forensics focus.
## Mitigations
- **Hardware Replacement:** Prioritize replacing end-of-life (EoL) Juniper MX routers with actively supported models; EoL devices will not receive fixes for whatever access vector the actor is using.
- **Patching/Upgrading:** Upgrade devices that are still supported to the latest Junos OS release.
- **Authentication Security:** Route device administration through **centralized Identity & Access Management (IAM)** and enforce **Multi-Factor Authentication (MFA)** for all network devices. The MFA check lives in the AAA server, since Junos itself only delegates authentication to it.
- **Detection:** Run the **Juniper Malware Removal Tool (JMRT)** with its updated signatures against each device, including after upgrading.
- **Indicators:** Deploy the provided YARA and Snort/Suricata rules (external reference).
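The centralized-authentication and logging items above translate into a short Junos configuration. The fragment below is an added example, not configuration from the report or from Juniper's advisory; the TACACS+ server (192.0.2.10), syslog collector (192.0.2.20) and source address (192.0.2.1) are RFC 5737 placeholders, and the MFA prompt is assumed to be enforced by the TACACS+ server behind 192.0.2.10. Lines beginning with `#` are annotations for the reader and should be dropped before loading.

```junos
# Added example: delegate logins to a central TACACS+ server that enforces MFA.
# Keeping "password" in the order leaves local accounts usable only when the
# server is unreachable; remove it once the break-glass process is in place.
set system authentication-order [ tacplus password ]
set system tacplus-server 192.0.2.10 secret "REPLACE-WITH-SHARED-SECRET"
set system tacplus-server 192.0.2.10 source-address 192.0.2.1
set system tacplus-server 192.0.2.10 timeout 5
# Template account that TACACS+-authenticated operators are mapped onto.
set system login user remote full-name "TACACS+ authenticated operators"
set system login user remote class super-user
# Ship authentication and command logs off-box so a silent window caused by
# disabled local logging is visible at the collector.
set system syslog host 192.0.2.20 any notice
set system syslog host 192.0.2.20 authorization any
set system syslog host 192.0.2.20 interactive-commands any
set system syslog host 192.0.2.20 source-address 192.0.2.1
```

Map operators to narrower login classes than `super-user` where the job allows it; the `remote` template is the single local identity every TACACS+ user lands on, so its class is the effective privilege ceiling for central accounts.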