The Cybersecurity and Infrastructure Security Agency (CISA), together with the NSA, FBI, and more than a dozen international partners, has issued a joint advisory on Chinese state-sponsored cyber activity.
The alert, AA25-239A, details the long-running operations of Advanced Persistent Threat (APT) actors tracked as Salt Typhoon, OPERATOR PANDA, RedMike, UNC5807, and GhostEmperor.
These actors have been compromising networks worldwide since at least 2021. They target telecoms, government, transportation, lodging, and military infrastructure. Their campaigns rely on exploiting network edge devices (routers and gateways) to gain persistent access, pivot into trusted networks, and monitor global communications.
Unlike opportunistic ransomware attacks, these intrusions are calculated and long-term. They are espionage campaigns, designed to track movements, intercept data, and map trusted interconnections across industries and borders.
Abusing Network Edge Devices
According to an analysis by Picus Security, “Their campaigns center on abusing network edge devices, particularly backbone and customer routers, to gain persistent access, pivot into trusted networks, and collect sensitive communications. Unlike opportunistic ransomware operations, these intrusions are long-term espionage campaigns, enabling Chinese intelligence services to track global communications and movements.”
The advisory also names three Chinese companies, Sichuan Juxinhe, Beijing Huanyu Tianqiong, and Sichuan Zhixin Ruijie, that supply tools and infrastructure directly to the People's Liberation Army (PLA) and China's Ministry of State Security (MSS).
“Investigations associated with these APT actors indicate that they are having considerable success exploiting publicly known common vulnerabilities and exposures (CVEs) and other avoidable weaknesses within compromised infrastructure,” CISA’s advisory says.
“Exploitation of zero-day vulnerabilities has not been observed to date. The APT actors will likely continue to adapt their tactics as new vulnerabilities are discovered and as targets implement mitigations, and will likely expand their use of existing vulnerabilities.”
Exploiting the Known
Investigators say the actors favor known, already-patched vulnerabilities over zero-day exploits. Devices from Cisco, Palo Alto Networks, and Ivanti, among others, have been repeatedly compromised. The common vectors are command injection, authentication bypass, and remote code execution flaws in internet-facing management interfaces, each of which has a vendor fix available.
Once inside, the actors establish resilient footholds. They modify access control lists, enable SSH backdoors, manipulate TACACS+ and SNMP configurations, and set up persistent GRE/IPsec tunnels. Even older vulnerabilities, like Cisco’s Smart Install flaw (CVE-2018-0171), remain in play.
Persistence is paired with stealth. On Cisco IOS XE and NX-OS devices, Guest Shell containers allow the attackers to stage scripts, capture network traffic, and hide artifacts. They can even disable or destroy these environments to erase evidence.
Lateral Movement and Data Collection
Once inside, the actors move laterally across the trusted connections that telecom and backbone networks maintain with one another. They harvest credentials by capturing authentication traffic such as TACACS+ exchanges, mirror network flows to collect packets, and pull routing tables and configurations to map the environment. Native device features are abused rather than malware dropped, which keeps the activity inside normal administrative protocols. Administrators themselves are tracked, and access is maintained quietly over long periods.
The goal is to collect communications and exfiltrate them without detection. By monitoring traffic and mapping the interconnections between networks, the actors both gather intelligence and position themselves for follow-on access.
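The persistence and collection techniques described above all leave traces in a router's running configuration: an extra privileged user, an ACL entry admitting SSH from an outside address, an SSH listener on an odd port, a changed TACACS+ server, a writable SNMP community, a GRE tunnel to an unknown peer, IOx/Guest Shell enabled, Smart Install still listening, or a SPAN session mirroring traffic. The script below is an added example, not code from the advisory, CISA, Picus, or Cisco: it audits a constructed Cisco IOS/IOS XE `show running-config` dump against an operator-supplied expected state (the `KNOWN_*` sets and `MGMT_PREFIXES` are assumptions for this example) and returns every line that warrants review. Findings are review triggers, not proof of compromise; compare them against your golden configuration and change records.

```python
"""Audit a Cisco IOS/IOS XE running-config for the edge-device persistence and
collection techniques in AA25-239A: modified ACLs, SSH on non-standard ports,
TACACS+/SNMP changes, GRE/IPsec tunnels, Guest Shell/IOx, Smart Install and
traffic-mirroring sessions. Added example; expected state below is assumed."""
import re

# Operator-supplied expected state for this device (assumptions for the example).
KNOWN_ADMINS = {"netops"}
KNOWN_TACACS = {"10.10.5.10"}
KNOWN_TUNNEL_PEERS = {"198.51.100.2"}
MGMT_PREFIXES = ("10.", "192.168.50.")


def _is_mgmt(addr):
    """True if the address falls inside an expected management range."""
    return any(addr.startswith(p) for p in MGMT_PREFIXES)


def audit_config(config_text):
    """Return [(category, offending line)] for every suspicious config line."""
    findings = []
    block = ""  # top-level stanza we are inside, e.g. "interface Tunnel200"
    for raw in config_text.splitlines():
        s = raw.strip()
        if not s or s == "!":
            block = ""
            continue
        if not raw.startswith(" "):
            block = s
        # Smart Install still enabled (the CVE-2018-0171 attack surface).
        if s == "vstack":
            findings.append(("smart-install-enabled", s))
        # Privilege-15 local user that is not an expected administrator.
        m = re.match(r"username (\S+) privilege 15\b", s)
        if m and m.group(1) not in KNOWN_ADMINS:
            findings.append(("unknown-priv15-user", s))
        # SSH bound to a high port through a rotary group (backdoor listener).
        if re.match(r"ip ssh port \d+ rotary \d+", s):
            findings.append(("ssh-nonstandard-port", s))
        # IOx / Guest Shell application hosting enabled.
        if s == "iox" or s.startswith("app-hosting appid"):
            findings.append(("guestshell-or-iox", s))
        # Writable SNMP community.
        if re.match(r"snmp-server community \S+ RW\b", s, re.I):
            findings.append(("snmp-rw-community", s))
        # TACACS+ server that is not one of ours (old and new syntax).
        m = re.match(r"(?:tacacs-server host|address ipv4) (\S+)", s)
        if m and block.startswith("tacacs") and m.group(1) not in KNOWN_TACACS:
            findings.append(("unexpected-tacacs-server", s))
        # Tunnel interface terminating on an unknown peer.
        m = re.match(r"tunnel destination (\S+)", s)
        if m and block.startswith("interface Tunnel") and m.group(1) not in KNOWN_TUNNEL_PEERS:
            findings.append(("tunnel-to-unknown-peer", f"{block}: {s}"))
        # ACL entry admitting SSH from a non-management source host.
        m = re.match(r"permit tcp host (\S+) any eq (22|ssh)\b", s)
        if m and block.startswith("ip access-list") and not _is_mgmt(m.group(1)):
            findings.append(("acl-ssh-from-external", f"{block}: {s}"))
        # SPAN/RSPAN/ERSPAN session: someone is mirroring traffic.
        if s.startswith("monitor session") and "destination" in s:
            findings.append(("traffic-mirror-session", s))
    return findings


# Constructed sample running-config for the example; not a real device.
SAMPLE_CONFIG = """\
hostname EDGE-RTR-01
!
vstack
!
username netops privilege 15 secret 9 $9$REDACTED
username svc_backup privilege 15 secret 9 $9$REDACTED
!
iox
!
ip ssh port 57722 rotary 1
!
tacacs server ISE-PRIMARY
 address ipv4 10.10.5.10
!
tacacs-server host 203.0.113.77
!
snmp-server community public RO
snmp-server community s3cr3t RW
!
interface Tunnel100
 tunnel source GigabitEthernet0/0
 tunnel destination 198.51.100.2
 tunnel mode gre ip
!
interface Tunnel200
 tunnel source GigabitEthernet0/0
 tunnel destination 203.0.113.45
 tunnel mode gre ip
!
ip access-list extended MGMT-IN
 permit tcp 10.0.0.0 0.255.255.255 any eq 22
 permit tcp host 203.0.113.45 any eq 22
 deny ip any any
!
monitor session 1 source interface GigabitEthernet0/1 both
monitor session 1 destination interface GigabitEthernet0/3
"""

if __name__ == "__main__":
    for category, line in audit_config(SAMPLE_CONFIG):
        print(f"{category:26s} {line}")
```

Run it against `show running-config` output collected out of band (console or a known-good jump host), since a compromised device can lie to an in-band session; the same checks map directly onto the mitigations CISA lists, with `no vstack`, removing unknown tunnels and SPAN sessions, and re-pinning TACACS+ servers being the first corrections to make.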
Defending Against the Threats
CISA's guidance is straightforward: patch the known vulnerabilities, disable unused services such as Smart Install on edge devices, monitor those devices for configuration changes, and layer defenses so that one compromised router does not grant access to everything behind it. Because no zero-day exploitation has been observed, closing the publicly known holes removes the actors' primary route in. Tools also exist to test resilience; Picus, for example, lets you simulate attacks attributed to Salt Typhoon, OPERATOR PANDA, RedMike, UNC5807, and GhostEmperor and see whether your defenses hold.
It’s clear that Chinese state-backed actors combine commercial technology and military objectives. They exploit predictable infrastructure gaps. And they do so with patience, precision, and persistence.
For organizations handling sensitive communications, the message is urgent: patch, monitor, and assume that sophisticated adversaries are already looking for the next foothold.
Information Security Buzz News Editor
Kirsten Doyle has been in the technology journalism and editing space for nearly 24 years, during which time she has developed a great love for all aspects of technology, as well as words themselves. Her experience spans B2B tech, with a lot of focus on cybersecurity, cloud, enterprise, digital transformation, and data centre. Her specialties are in news, thought leadership, features, white papers, and PR writing, and she is an experienced editor for both print and online publications.
The opinions expressed in this post belong to the individual contributors and do not necessarily reflect the views of Information Security Buzz.