Chinese APTs running persistent campaign target critical infrastructure, telecom networks

Global cybersecurity agencies published a joint cybersecurity advisory detailing ongoing malicious activity by People’s Republic of China (PRC) state-sponsored Advanced Persistent Threat (APT) actors. The advisory warns of a deliberate and sustained campaign by these actors to gain long-term access to global critical infrastructure networks. The agencies strongly urge network defenders to hunt for malicious activity and apply the mitigations in the advisory to reduce the threat of Chinese state-sponsored and other malicious cyber activity.
The advisory disclosed that APT actors have been conducting malicious operations worldwide since at least 2021. These activities have been linked to several China-based entities, including Sichuan Juxinhe Network Technology, Beijing Huanyu Tianqiong Information Technology, and Sichuan Zhixin Ruijie Network Technology. Each of these companies provides cyber-related products and services to China’s intelligence apparatus, supporting multiple units within both the People’s Liberation Army and the Ministry of State Security.
The stolen data enables Chinese intelligence agencies to monitor and track communications and movements worldwide. According to the advisory, state-sponsored actors are exploiting vulnerabilities in routers used by telecommunications providers and other infrastructure operators, taking deliberate steps to evade detection and maintain persistent access across telecommunications, transportation, lodging, and military networks.
The document builds on previous reporting and incorporates updated threat intelligence from investigations conducted through July 2025. It also reflects overlapping indicators with industry reporting on Chinese state-sponsored threat groups such as Salt Typhoon, OPERATOR PANDA, RedMike, UNC5807, and GhostEmperor, among others.
The advisory has been released by a coalition of international agencies. From the U.S., the contributing organizations include the National Security Agency (NSA), the Cybersecurity and Infrastructure Security Agency (CISA), the Federal Bureau of Investigation (FBI), and the Department of Defense Cyber Crime Center (DC3). Australia is represented by the Australian Signals Directorate’s Australian Cyber Security Centre (ASD’s ACSC). Canada is represented by both the Canadian Centre for Cyber Security (Cyber Centre) and the Canadian Security Intelligence Service (CSIS). New Zealand’s contribution comes from the National Cyber Security Centre (NCSC-NZ). The U.K. is represented by its National Cyber Security Centre (NCSC-UK).
Several European agencies are also involved, including the Czech Republic’s National Cyber and Information Security Agency (NÚKIB), Finland’s Security and Intelligence Service (SUPO), Germany’s Federal Intelligence Service (BND), the Federal Office for the Protection of the Constitution (BfV), and the Federal Office for Information Security (BSI). Italy is represented by both the External Intelligence and Security Agency (AISE) and the Internal Intelligence and Security Agency (AISI).
Japan has two contributing organizations: the National Cyber Office (NCO) and the National Police Agency (NPA). The Netherlands is represented by the Defence Intelligence and Security Service (MIVD) and the General Intelligence and Security Service (AIVD). Poland’s contributions come from the Military Counterintelligence Service (SKW) and the Foreign Intelligence Agency (AW). Spain is represented by the National Intelligence Centre (CNI).
“CISA and our partners are committed to equipping critical infrastructure owners and operators with the intelligence and tools they need to defend against sophisticated cyber threats,” said Madhu Gottumukkala, acting director of CISA. “By exposing the tactics used by PRC state-sponsored actors and providing actionable guidance, we are helping organizations strengthen their defenses and protect the systems that underpin our national and economic security.”
“The FBI and our partners are committed to sharing threat intelligence and resources to counter PRC-sponsored cyber intrusions,” said Assistant Director Brett Leatherman of the FBI’s Cyber Division. “Our victim-centered approach keeps us focused on delivering intelligence and tools to those who need them most. PRC threat actors thrive in the shadows. Together with our government and private sector partners, we defend the homeland by shining a light on their activity and undermining the tactics and infrastructure they rely on.”
“We are deeply concerned by the irresponsible behaviour of the named commercial entities based in China that has enabled an unrestrained campaign of malicious cyber activities on a global scale,” according to Richard Horne, NCSC chief executive. “It is crucial organisations in targeted critical sectors heed this international warning about the threat posed by cyber actors who have been exploiting publicly known – and so therefore fixable – vulnerabilities.”
Horne added that in the face of sophisticated threats, “network defenders must proactively hunt for malicious activity, as well as apply recommended mitigations based on indicators of compromise and regularly review network device logs for signs of unusual activity.”
Investigations show these APT actors are successfully exploiting widely known vulnerabilities and other preventable weaknesses in compromised infrastructure. So far, exploitation of zero-day flaws has not been observed. However, the actors are expected to adapt their tactics as new vulnerabilities emerge and as defenders apply mitigations, while expanding their use of existing flaws. The agencies warn that potential targets extend beyond those already identified and may include devices such as Fortinet and Juniper firewalls, Microsoft Exchange, Nokia routers and switches, Sierra Wireless equipment, and SonicWall firewalls.
APT actors are leveraging infrastructure such as virtual private servers and compromised intermediate routers that are not tied to known botnets or obfuscation networks to target telecommunications and internet service providers. They often exploit edge devices regardless of ownership, using equipment from entities outside their primary targets as stepping stones to reach high-value networks.
To maintain persistent access, APT actors employ techniques designed to disguise their activity and bypass defenses. Many of these methods obscure the source IP address in system logs, making their activity appear as though it originated from local addresses. Tactics include modifying Access Control Lists to add threat actor-controlled IPs, often naming the lists ‘access-list 20’ or, if already in use, ‘10’ or ‘50.’ They also open both standard and non-standard ports, enabling services such as SSH, SFTP, RDP, FTP, HTTP, and HTTPS. This creates multiple pathways for remote access and data exfiltration.
After compromising a router, APT actors have been observed executing commands via SNMP, initiating SSH sessions from remote or local IPs, and sending POST requests through web interface panels. They also exploit service or automation credentials, such as those used by configuration-archival systems like RANCID, to enumerate and access additional devices. Where SNMP is configured, they enumerate and alter settings across devices in the same community group, expanding their foothold within the network.
Following initial access, APT actors target authentication protocols and supporting infrastructure, such as TACACS+ and RADIUS, to enable lateral movement across network devices, often through SNMP enumeration and SSH. From these footholds, they passively capture packet data from specific ISP customer networks. To deepen discovery and movement within compromised environments, they also probe Management Information Base (MIB) data, router interfaces, Resource Reservation Protocol (RSVP) sessions, Border Gateway Protocol (BGP) routes, and installed software.
APT actors collect configuration files by exploiting existing network sources, such as provider scripts, or by actively surveying devices and using Trivial File Transfer Protocol (TFTP). This often includes gathering Multiprotocol Label Switching (MPLS) configuration data. They also capture in-transit network traffic by leveraging native router capabilities such as SPAN, RSPAN, or ERSPAN, and exfiltrate provider-held data, including subscriber information, user content, customer records and metadata, network diagrams, inventories, device configurations, vendor lists, and even passwords.
Compromised routers are frequently used to capture network traffic containing credentials, enabling further lateral movement. Actors leverage native packet capture functions, such as Cisco’s Embedded Packet Capture, to collect RADIUS or TACACS+ authentication traffic, which often exposes credentials transmitted in cleartext or with weak protection.
Packet captures have been found using various filenames. In some cases, the actors modify router TACACS+ server configurations to redirect authentication attempts to actor-controlled IP addresses. They may also alter Authentication, Authorization, and Accounting (AAA) settings, forcing devices to rely on weaker authentication methods or to send accounting data directly to their infrastructure.
A key concern with exfiltration is the APT actors’ abuse of peering connections, the direct interconnections over which networks exchange traffic without intermediaries. Weak policy controls or poor system configurations can allow peered ISPs to receive data they should not, creating opportunities for covert exfiltration.
Analysis shows that these actors often rely on separate, and sometimes multiple, command-and-control channels to disguise data theft within the heavy traffic of proxies or Network Address Translation (NAT) pools. They frequently use tunneling protocols, such as IPsec and GRE, to conduct both command-and-control and exfiltration operations.
The advisory urges network defenders in critical infrastructure, particularly telecommunications, to conduct proactive threat hunting and, when necessary, incident response. If malicious activity is suspected or confirmed, organizations should comply with mandatory reporting requirements to regulators and relevant authorities, and consider voluntary reporting to cybersecurity or law enforcement agencies that can provide guidance and mitigation support.
The activity described in this advisory typically involves persistent, long-term access, with APT actors maintaining multiple avenues of entry. Defenders should carefully plan the sequencing of response actions to maximize the likelihood of complete eviction while ensuring compliance with laws, regulations, and data breach notification requirements. A full understanding of the adversary’s foothold, followed by coordinated and simultaneous removal measures, is often necessary for lasting eviction. Partial or piecemeal actions risk alerting the actors, enabling them to adapt and maintain access.
Incident response on one network may also prompt the actors to harden their position in other compromised environments, complicating broader investigations. APT actors frequently attempt to safeguard their access by compromising mail servers or administrator accounts to monitor whether they have been detected. Organizations should therefore protect the confidentiality of their threat-hunting and response activities to prevent adversary surveillance and countermeasures.
The advisory calls upon organizations to start by pulling configurations from all networking equipment and comparing them with the latest authorized versions. Remote access settings, ACLs, and local accounts must be checked for unauthorized changes. Where SNMP is in use, devices should run SNMPv3 with proper authentication and privacy settings. Routing tables should be verified for accuracy, and any PCAP commands on devices confirmed as authorized.
For equipment that supports virtualized containers, only expected containers should be running. On Cisco platforms with Guest Shell, monitoring should go beyond syslog to include AAA accounting, container logs, and telemetry. Administrators should watch for unusual use of Guest Shell commands or attempts to run commands under different VRFs.
Network services and tunnels require close monitoring. This includes spotting management services on non-standard ports, unusual SSH or HTTPS traffic patterns, and suspicious TCP/57722 activity on IOS XR devices. TACACS+ flows to unauthorized destinations, FTP or TFTP transfers to unapproved servers, and unexplained tunnels across security boundaries should be investigated. Abnormal use of FTP servers as staging areas or extensive SSH activity leading to tunnel creation are also red flags.
Firmware and software integrity checks are critical. Organizations should verify firmware hashes against vendor databases, compare images on disk and in memory with known-good values, and use run-time validation tools. Where available, features like signed image enforcement and configuration checkpoints should be enabled. Non-standard files in system directories should always be treated with suspicion.
Log monitoring helps catch malicious activity early. Warning signs include cleared or disabled logs, unauthorized packet captures, creation of SPAN or ERSPAN sessions, and configuration changes from unexpected locations. Suspicious PCAP or session files, new sudo-enabled accounts, unexpected host OS services, or privilege escalations should trigger alerts.
FTP logs and router-to-router logins should also be closely scrutinized. If unauthorized activity is uncovered, organizations should carefully sequence containment to avoid alerting active intruders. Live artifacts such as process lists, sockets, and files should be captured before eradication efforts begin.
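As an added illustration (not code from the advisory or any of the agencies), the following script performs the first hunting step described above: it reads a Cisco IOS-style running configuration and flags the indicators the advisory names, namely unexpected entries in the standard ACLs the actors edit (10, 20, 50), TACACS+/RADIUS servers pointing at unapproved hosts, SPAN/ERSPAN capture sessions, management services on non-standard ports, and SNMPv1/v2c community strings where SNMPv3 is expected. The sample configuration and the baseline sets are constructed for the example; addresses are from the RFC 5737 documentation ranges.

```python
import re

# Constructed sample running-config (not from the advisory); RFC 5737 documentation addresses.
RUNNING_CONFIG = """\
tacacs server primary
 address ipv4 198.51.100.10
tacacs server backup
 address ipv4 203.0.113.44
snmp-server community public RO 10
access-list 10 permit 198.51.100.0 0.0.0.255
access-list 10 permit 203.0.113.44
access-list 20 permit 203.0.113.9
ip ssh port 2222 rotary 1
monitor session 1 type erspan-source
 source interface GigabitEthernet0/1
"""

# Defender-maintained baseline (assumed values): the only entries allowed in these roles.
AUTHORIZED_AAA_SERVERS = {"198.51.100.10", "198.51.100.11"}
AUTHORIZED_ACL_ENTRIES = {"198.51.100.0 0.0.0.255"}
AUTHORIZED_SPAN_SESSIONS = set()   # no capture sessions approved on this device
DEFAULT_PORTS = {("ssh", "port"): "22", ("http", "port"): "80", ("http", "secure-port"): "443"}

def audit_config(cfg, aaa_ok=AUTHORIZED_AAA_SERVERS, acl_ok=AUTHORIZED_ACL_ENTRIES,
                 span_ok=AUTHORIZED_SPAN_SESSIONS):
    """Return (category, config line) findings for the advisory's hunting indicators."""
    findings = []
    for raw in cfg.splitlines():
        s = raw.strip()
        # 1. Unexpected entries in the standard ACLs the actors are known to edit (10, 20, 50)
        m = re.match(r"access-list (10|20|50) permit (.+)$", s)
        if m and m.group(2) not in acl_ok:
            findings.append(("unauthorized-acl-entry", s))
        # 2. TACACS+/RADIUS server addresses outside the approved AAA hosts (auth redirection)
        m = re.match(r"(?:address ipv4|tacacs-server host|radius-server host) (\S+)", s)
        if m and m.group(1) not in aaa_ok:
            findings.append(("aaa-redirect", s))
        # 3. SPAN/RSPAN/ERSPAN sessions nobody approved (native traffic-capture capability)
        m = re.match(r"monitor session (\d+)", s)
        if m and m.group(1) not in span_ok:
            findings.append(("capture-session", s))
        # 4. SSH/HTTP management services moved off their default ports
        m = re.match(r"ip (ssh|http) (port|secure-port) (\d+)", s)
        if m and DEFAULT_PORTS.get((m.group(1), m.group(2))) != m.group(3):
            findings.append(("nonstandard-mgmt-port", s))
        # 5. SNMPv1/v2c community strings: the advisory expects SNMPv3 with auth and privacy
        if s.startswith("snmp-server community "):
            findings.append(("snmp-v2c-community", s))
    return findings
```

Run it against configurations pulled from every device and review each finding against the authorized configuration before acting, since the advisory stresses that containment should be sequenced rather than triggered piecemeal.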