
U.S. Telecom, Zero-Day Attacks Show Need for Cybersecurity Hygiene

A single hacked admin account highlights the need for strong cybersecurity hygiene to limit damage from breaches.

As China-backed threat groups have been linked to recent attacks on telecom networks, the U.S. Treasury and other high-value targets, one issue has become increasingly clear: Good cyber hygiene could have limited damage from many of the attacks. 

Organizations have little in the way of defenses against advanced persistent threats (APTs) exploiting unknown zero-day vulnerabilities – at least until there’s an available patch – but they can make it harder for those threat actors to move laterally once inside their network. 

No incident drives that point home more than one cited by Anne Neuberger, U.S. deputy national security advisor for cyber and emerging technology, in a December 27 press briefing.

Admin Account Had Access to 100,000 Routers 

Many of the media questions focused on China’s infiltration of U.S. telecom networks. Neuberger noted that a ninth telecom service provider has now been identified as a victim. When asked for details, she noted one startling fact about one of the breaches: 

“[I]n one telecoms case, there was one administrator account that had access to over 100,000 routers,” Neuberger said. “So, when the Chinese compromised that account, they gained that kind of broad access across the network. That’s not meaningful cybersecurity to defend against a nation-state actor.”

Lack of access controls gave the threat actors “broad and full access” to networks. “[W]e believe that’s why they had the capability to geolocate millions of individuals, to record phone calls at will, because they had that broad access.” 


Neuberger expressed support for an FCC effort to mandate stronger telecom network security, and said she hopes it includes network segmentation. “Even if an attacker like the Chinese government gets access to a network, they’re controlled and they’re contained,” she said. 
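
The briefing's point is that a single account whose scope spans the whole network turns one credential theft into a network-wide compromise. The following Python example, added here and not taken from the briefing or from Cyble, shows the kind of blast-radius check an access-review tool can run over an account-to-device grant table: it measures how many devices and segments each account can reach, flags accounts that cross segment boundaries, and shows how one broad account splits into per-segment accounts. The device inventory, segment names and account names are constructed for the example.

```python
from collections import defaultdict

# Constructed inventory (not real telecom data): device name -> network segment.
DEVICES = {
    "core-rtr-01": "core",
    "core-rtr-02": "core",
    "edge-rtr-01": "edge-east",
    "edge-rtr-02": "edge-east",
    "edge-rtr-03": "edge-west",
    "oob-mgmt-01": "management",
}

# Constructed grant table: account -> set of devices it may administer.
# "netadmin-global" models the one-account-for-every-router situation.
GRANTS = {
    "netadmin-global": set(DEVICES),
    "netadmin-east": {"edge-rtr-01", "edge-rtr-02"},
    "netadmin-core": {"core-rtr-01", "core-rtr-02"},
}


def blast_radius(grants, devices):
    """For each account, report how many devices it reaches and which segments those span."""
    result = {}
    for account, devs in grants.items():
        segments = {devices[d] for d in devs if d in devices}
        result[account] = {"devices": len(devs), "segments": sorted(segments)}
    return result


def check_scope(grants, devices, max_segments=1, max_devices=None):
    """Return (account, reasons) for every account whose grants exceed policy.

    Policy here: an admin account should stay inside one segment, and optionally
    below a device-count ceiling, so a stolen credential stays contained.
    """
    findings = []
    for account, r in blast_radius(grants, devices).items():
        reasons = []
        if len(r["segments"]) > max_segments:
            reasons.append(
                f"spans {len(r['segments'])} segments: {', '.join(r['segments'])}"
            )
        if max_devices is not None and r["devices"] > max_devices:
            reasons.append(f"{r['devices']} devices exceeds limit of {max_devices}")
        if reasons:
            findings.append((account, reasons))
    return findings


def split_by_segment(account, grants, devices):
    """Replace one broad account with one scoped account per segment it touches."""
    per_segment = defaultdict(set)
    for d in grants[account]:
        per_segment[devices[d]].add(d)
    return {f"{account}-{seg}": devs for seg, devs in per_segment.items()}


if __name__ == "__main__":
    for account, reasons in check_scope(GRANTS, DEVICES):
        print(f"{account}: " + "; ".join(reasons))
    scoped = split_by_segment("netadmin-global", GRANTS, DEVICES)
    for name, devs in sorted(scoped.items()):
        print(f"  -> {name}: {sorted(devs)}")
```

Run against the constructed table, the check flags only `netadmin-global`, and the four scoped accounts it is split into each pass the same check. In a real review the grant table would come from the AAA server or device configurations, and the segment map from the network inventory.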

An FCC vote on the new telecom security rules could come on January 15. 

Other important cybersecurity practices cited by Neuberger – and included in hardening guidance from the NSA and CISA – included: 

  • Improved configuration management 
  • Securing the management plane 
  • Better vulnerability management of networks 
  • Improved information sharing on incidents and techniques 

“The Chinese, you know, were very careful about their techniques,” Neuberger said. “They erased logs. In many cases, companies were not keeping adequate logs. So, there are details likely … that we will never know regarding the scope and scale of this.” 

Treasury Hack, Ivanti Zero-Day Exploits Attributed to China 

Other recent attacks attributed to China include the U.S. Treasury Department breach and an Ivanti zero-day exploit.

The Ivanti Connect Secure, Policy Secure and ZTA Gateways vulnerabilities – CVE-2025-0282 and CVE-2025-0283 – were added to CISA’s Known Exploited Vulnerabilities catalog on January 8, and CISA also published mitigation guidance for the vulnerabilities the same day. 

In response to the growing cyber threat from China, the Biden Administration is reportedly rushing out an executive order to harden federal networks against attacks. 

Cyber Hygiene Recommendations from Cyble 

Cyber hygiene also figures prominently in Cyble’s annual threat landscape report and an accompanying podcast, which will be released next week and will be available as a free Cyble research report.

In the podcast, Kaustubh Medhe, Cyble’s Vice President of Research and Cyber Threat Intelligence, noted that perimeter security products such as VPNs, firewalls, WAFs, and load balancers from Fortinet, Cisco, Ivanti, Palo Alto, Citrix, Barracuda and others are “being exploited for ransomware and data theft.

“What’s concerning is that the patching window for enterprises continues to shrink as ransomware gangs and APT groups are quick to weaponize and exploit zero-day vulnerabilities on a mass scale months before these vulnerabilities become public,” Medhe said.

He listed a number of cybersecurity lapses that commonly lead to breaches and cyberattacks:

  • Local copies of sensitive data stored on end user systems and laptops 
  • Insecure file servers, network shares or cloud storage, with weak or non-existent access policies, exposed on the internet 
  • Lack of secure hardening configurations on endpoints, servers and IT infrastructure 
  • Lack of network segmentation, allowing lateral movement 
  • Inadequate protection of API keys, access tokens and passwords in public code repositories 
  • Weak or ineffective endpoint protection and anti-malware solutions, and failure to detect and prevent infostealer infections that lead to credential compromise and theft 
  • Weak endpoint and network-level monitoring controls to detect and prevent high-volume data exfiltration 
  • Security misconfigurations on internet-facing applications and servers and cloud infrastructure 
  • Weak API security settings, inadequate authentication, lack of proper input validation, absence of rate limiting, lack of API monitoring, and weak detection controls 
  • Poor security hygiene at third parties with access to sensitive data 
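
One item on that list, API keys and tokens left in public code repositories, is a lapse that can be caught before a push. The Python example below is added here and is not Cyble's tooling; it scans a set of files for two things, a fixed-format key (the AWS access key ID prefix `AKIA` followed by 16 characters, using AWS's published documentation example value) and credential-looking assignments whose value is long and high-entropy, so that obvious placeholders are not reported. The file contents, paths and token values are constructed for the example, and the entropy threshold of 3.5 bits is an assumption to tune per codebase.

```python
import math
import re
from collections import Counter

# Constructed sample files, as they might be committed to a repository.
SAMPLE_FILES = {
    "config/settings.py": (
        "DEBUG = False\n"
        "AWS_ACCESS_KEY_ID = 'AKIAIOSFODNN7EXAMPLE'\n"  # AWS docs example key, not a live one
        "DB_HOST = 'db.internal'\n"
    ),
    "deploy/.env": (
        "API_TOKEN=sk_live_CONSTRUCTED_PLACEHOLDER_TOKEN_1234567890\n"
        "LOG_LEVEL=info\n"
    ),
    "tests/fixtures.py": (
        'password = "xxxxxxxxxxxxxxxxxxxx"  # obvious dummy, should not be reported\n'
    ),
    "src/app.py": (
        "import os\n"
        "token = os.environ['API_TOKEN']  # read from environment, not hardcoded\n"
    ),
}

# (rule name, pattern, minimum entropy of the captured value or None for "always report").
# The last capturing group, if any, is the candidate secret.
PATTERNS = [
    ("aws-access-key-id", re.compile(r"\bAKIA[0-9A-Z]{16}\b"), None),
    (
        "generic-credential-assignment",
        re.compile(r"(?i)(api[_-]?key|secret|token|password)\s*[:=]\s*['\"]?([A-Za-z0-9_\-]{16,})"),
        3.5,  # assumed threshold in bits per character
    ),
]


def shannon_entropy(s):
    """Bits per character of s; repeated filler like 'xxxx' scores near 0."""
    n = len(s)
    return -sum((c / n) * math.log2(c / n) for c in Counter(s).values())


def scan_text(path, text):
    """Return redacted findings for one file's contents."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        for rule, pattern, min_entropy in PATTERNS:
            for m in pattern.finditer(line):
                value = m.group(m.lastindex or 0)
                if min_entropy is not None and shannon_entropy(value) < min_entropy:
                    continue  # low-entropy value: treat as placeholder, not a credential
                findings.append(
                    {"path": path, "line": lineno, "rule": rule, "value": value[:4] + "..."}
                )
    return findings


def scan_tree(files):
    """Scan a mapping of path -> contents (e.g. the staged files in a pre-commit hook)."""
    return [f for path, text in files.items() for f in scan_text(path, text)]


if __name__ == "__main__":
    for f in scan_tree(SAMPLE_FILES):
        print(f"{f['path']}:{f['line']} [{f['rule']}] {f['value']}")
```

On the constructed files this reports the AWS key in `config/settings.py` and the live-looking token in `deploy/.env`, while the all-`x` dummy password and the environment-variable lookup produce nothing. Findings are redacted to a four-character prefix so the scanner's own output does not become another copy of the secret.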

Conclusion 

Recent cyberattacks linked to Chinese APT groups strongly suggest that while not every cyberattack can be prevented – particularly those involving exploitation of unknown zero days – basic security practices like proper access control and permissions, network segmentation, and proper application, device and cloud configuration could go a long way toward limiting damage from attacks that do occur. 

The good news is that proper cyber hygiene often doesn’t cost anything more than the time to get it right. 
