In a multinational alert, the U.S. National Security Agency (NSA), CISA, FBI, and partners from more than a dozen allied nations have released a Joint Cybersecurity Advisory (CSA) exposing how Chinese state-sponsored Advanced Persistent Threat (APT) groups are compromising telecommunications, government, and other critical networks worldwide to feed a global espionage system.
The advisory warns that “People’s Republic of China (PRC) state-sponsored cyber threat actors are targeting networks globally, including, but not limited to, telecommunications, government, transportation, lodging, and military infrastructure networks.” Attackers are not only penetrating backbone routers of major telecom providers, but also pivoting through customer edge (CE) and provider edge (PE) routers to maintain long-term persistence.
The activity overlaps with threat clusters known in the security industry as Salt Typhoon, OPERATOR PANDA, RedMike, UNC5807, and GhostEmperor. While researchers use different names, the advisory stresses that all are part of coordinated Chinese state-linked cyber operations.
Investigators found that the attackers rely heavily on publicly known CVEs rather than zero-days, but with ruthless efficiency. The CSA lists several high-profile exploits:
- CVE-2024-21887 – Ivanti Connect Secure / Policy Secure command injection.
- CVE-2024-3400 – Palo Alto Networks PAN-OS GlobalProtect RCE.
- CVE-2023-20198 + CVE-2023-20273 – Cisco IOS XE authentication bypass chained with privilege escalation.
- CVE-2018-0171 – Cisco IOS Smart Install RCE.
As the report explains, “The APT actors have been performing malicious operations globally since at least 2021… The data stolen through this activity against foreign telecommunications and Internet service providers (ISPs), as well as intrusions in the lodging and transportation sectors, ultimately can provide Chinese intelligence services with the capability to identify and track their targets’ communications and movements around the world.”
Persistence techniques include modifying ACLs, enabling SSH on non-standard ports, abusing Cisco Guest Shell containers, and creating covert tunnels using GRE and IPsec. Exfiltration is often conducted by hijacking peering connections between ISPs, allowing Chinese operators to siphon data under the cover of legitimate network traffic.
The advisory shares IP-based indicators of compromise, along with signatures for custom SFTP tools (cmd1, cmd3, new2, sft) written in Go and used for encrypted data exfiltration. In one case study, attackers captured TACACS+ packets from Cisco routers to steal administrator credentials, even recovering weakly protected secrets from Cisco Type 7 hashes.
The CSA urges defenders to immediately patch exposed edge devices, especially those vulnerable to the listed CVEs. Agencies recommend:
- Hardening management services by restricting SSH, HTTPS, SNMP, and TACACS+ to dedicated out-of-band management networks.
- Monitoring unusual tunnels such as unexplained GRE/IPsec links between providers.
- Disabling Cisco Guest Shell unless operationally required.
- Implementing strong credential practices (public-key authentication, SNMPv3 with authPriv, disabling defaults).
- Auditing configs and logs for rogue ACLs, unexpected containers, or packet capture commands.
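The persistence techniques described earlier (SSH on non-standard ports, Guest Shell, GRE/IPsec tunnels, modified ACLs, Type 7 secrets) and the audit recommendation above can be turned into a repeatable check. The following Python script is an added example, not code from the advisory or any of the authoring agencies: it scans a constructed Cisco IOS-style running-config and constructed AAA command-accounting lines for those indicators. The sample config, the sample log lines, the trusted management subnet, and the empty list of known tunnel peers are all assumptions made for this example and should be replaced with a site's real baseline.

```python
"""Audit a Cisco IOS/IOS XE running-config and command-accounting log for the
persistence indicators named in the joint CSA. All sample data below is
constructed for this example; the baselines are assumptions, not real values."""
import re
from typing import Dict, List, Tuple

# Constructed sample running-config (not from a real device).
SAMPLE_CONFIG = """\
hostname pe-router-01
ip ssh port 57722 rotary 1
tacacs server ISE
 address ipv4 10.0.0.5
 key 7 0822455D0A16
iox
interface Tunnel99
 ip address 172.16.99.1 255.255.255.252
 tunnel source GigabitEthernet0/0
 tunnel destination 203.0.113.77
ip access-list extended MGMT-ACL
 permit tcp 10.0.0.0 0.0.0.255 any eq 22
 permit ip host 198.51.100.9 any
 deny ip any any
"""

# Constructed AAA command-accounting lines (format simplified for the example).
SAMPLE_LOG = """\
Aug 27 03:12:44 pe-router-01 user=admin cmd=show ip interface brief
Aug 27 03:13:01 pe-router-01 user=svc_backup cmd=monitor capture CAP interface GigabitEthernet0/1 both
Aug 27 03:13:09 pe-router-01 user=svc_backup cmd=monitor capture CAP match ipv4 any any
Aug 27 03:15:40 pe-router-01 user=svc_backup cmd=guestshell enable
"""

# Assumed site baseline: ACL sources allowed to reach management services,
# and tunnel destinations that are expected on this device (none here).
TRUSTED_MGMT_SOURCES = {"10.0.0.0 0.0.0.255"}
KNOWN_TUNNEL_PEERS: set = set()

# Commands in accounting logs that map to the advisory's persistence techniques.
SUSPICIOUS_CMD_PREFIXES = ("monitor capture", "guestshell", "ip ssh port",
                           "interface Tunnel", "tunnel destination")


def _acl_source(tokens: List[str]) -> str:
    """Extract the source field of an extended ACL 'permit <proto> <src> ...' entry."""
    src = tokens[2]
    if src in ("host", "any"):
        return src if src == "any" else f"host {tokens[3]}"
    return f"{src} {tokens[3]}"  # network + wildcard mask


def audit_config(config: str) -> Dict[str, List[str]]:
    """Return indicator name -> offending config lines."""
    findings: Dict[str, List[str]] = {
        "ssh_nonstandard_port": [], "guestshell_iox": [], "unexpected_tunnel": [],
        "type7_secret": [], "rogue_acl_entry": [],
    }
    tunnel_iface, tunnel_dest, in_acl = None, None, False

    def flush_tunnel() -> None:
        # IOS tunnels default to GRE/IP; any tunnel to an unknown peer is reportable.
        if tunnel_iface and tunnel_dest not in KNOWN_TUNNEL_PEERS:
            findings["unexpected_tunnel"].append(f"{tunnel_iface} -> {tunnel_dest}")

    for raw in config.splitlines():
        stripped = raw.strip()
        m = re.match(r"ip ssh port (\d+)", stripped)
        if m and int(m.group(1)) != 22:            # SSH moved off port 22
            findings["ssh_nonstandard_port"].append(stripped)
        if stripped == "iox" or stripped.startswith("guestshell"):  # app-hosting / Guest Shell
            findings["guestshell_iox"].append(stripped)
        if re.search(r"\b(key|password) 7 \S+", stripped):  # Type 7 is reversible obfuscation
            findings["type7_secret"].append(stripped)
        if not raw.startswith(" "):                # top-level line: close the previous block
            flush_tunnel()
            tunnel_iface, tunnel_dest, in_acl = None, None, False
            if stripped.startswith("interface Tunnel"):
                tunnel_iface = stripped.split()[1]
            elif stripped.startswith("ip access-list"):
                in_acl = True
            continue
        if tunnel_iface and stripped.startswith("tunnel destination"):
            tunnel_dest = stripped.split()[-1]
        elif in_acl and stripped.startswith("permit"):
            if _acl_source(stripped.split()) not in TRUSTED_MGMT_SOURCES:
                findings["rogue_acl_entry"].append(stripped)
    flush_tunnel()
    return findings


def audit_log(log: str) -> List[Tuple[str, str]]:
    """Return (user, command) pairs for accounting entries matching suspicious prefixes."""
    hits = []
    for line in log.splitlines():
        m = re.search(r"user=(\S+) cmd=(.+)$", line)
        if m and m.group(2).startswith(SUSPICIOUS_CMD_PREFIXES):
            hits.append((m.group(1), m.group(2)))
    return hits


if __name__ == "__main__":
    for name, lines in audit_config(SAMPLE_CONFIG).items():
        for entry in lines:
            print(f"[config] {name}: {entry}")
    for user, cmd in audit_log(SAMPLE_LOG):
        print(f"[log] {user}: {cmd}")
```

Run it against `show running-config` output and exported TACACS+ command-accounting records; every non-empty finding is a review item, not proof of compromise, since legitimate tunnels, ports and Guest Shell deployments exist. The point of the baseline sets is that anything outside the documented configuration gets surfaced rather than blending in.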
As the advisory emphasizes, “The authoring agencies strongly urge network defenders to hunt for malicious activity and to apply the mitigations in this CSA to reduce the threat of Chinese state-sponsored and other malicious cyber activity.”