A coalition of cybersecurity and intelligence agencies from across the globe, including the United States National Security Agency (NSA), has issued a joint advisory revealing ongoing cyber intrusions by State-Sponsored Actors linked to the Chinese government. These actors are allegedly targeting critical infrastructure networks around the world in a broad and persistent campaign of cyber espionage.
The advisory, titled “Countering Chinese State-Sponsored Actors Compromise of Networks Worldwide to Feed Global Espionage System,” outlines a series of techniques employed by advanced persistent threat (APT) actors to infiltrate and maintain access to telecommunications, military, transportation, lodging, and governmental systems.
The malicious operations described in the advisory share notable overlap with threat actors tracked in the cybersecurity industry, including groups known as Salt Typhoon and GhostEmperor. These operations have been traced back to several China-based companies, including Sichuan Juxinhe Network Technology Co. Ltd., Beijing Huanyu Tianqiong Information Technology Co., Ltd., and Sichuan Zhixin Ruijie Network Technology Co., Ltd.
These firms reportedly provide technological services to the Chinese Ministry of State Security and the People’s Liberation Army.
United States National Security Agency (NSA) Decodes Tactics and Techniques
According to the National Security Agency and its partners, these State-Sponsored Actors are exploiting known vulnerabilities in networking devices produced by companies such as Ivanti, Cisco, and Palo Alto. The attackers target edge and core network infrastructure, leveraging compromised routers and trusted network connections to move laterally within systems.
Key techniques observed include:
- Modifying Access Control Lists (ACLs) to allow connections from attacker-controlled IP addresses.
- Activating SSH and web services on unusual ports to maintain encrypted remote access.
- Utilizing SNMP and automation credentials to execute commands and modify network configurations.
- Deploying Linux containers (e.g., Cisco Guest Shell) to run unauthorized tools undetected.
- Using tools such as STOWAWAY for multi-hop access, file transfers, and command execution.
Persistence is achieved through changes to device configurations, including creating new administrative accounts and enabling covert tunneling protocols like GRE and IPsec.
Global Collaboration on Cybersecurity
The advisory is the product of a coordinated effort among over 20 agencies spanning the U.S., Europe, and Asia-Pacific. In addition to the NSA, contributors include the Cybersecurity and Infrastructure Security Agency (CISA), FBI, Australian Cyber Security Centre (ACSC), Canadian Centre for Cyber Security, New Zealand’s NCSC, the UK’s NCSC, and counterparts in Germany, Italy, Japan, Poland, the Netherlands, Finland, and more.
Surveillance and Data Collection
Once inside a network, the Chinese government-linked APT actors reportedly focus on capturing credentials, monitoring traffic, and collecting sensitive data. Techniques include:
- Capturing TACACS+ traffic using native packet capture tools.
- Exploiting weak encryption schemes (e.g., Cisco Type 7) to decrypt stored credentials.
- Using SNMPwalk and Tcl scripts to map and manipulate devices on local networks.
- Extracting customer data, configuration files, and routing information.
- Setting up SPAN, RSPAN, or ERSPAN sessions to mirror traffic and intercept sensitive communications.
A notable case detailed in the advisory describes how attackers collected TACACS+ traffic using a native PCAP tool, decrypted it using weakly encoded keys, and moved laterally across the network using stolen administrator credentials.
Concealment and Evasion
To remain undetected, the actors take several steps to obscure their presence:
- Clearing system logs and disabling logging features.
- Reverting device configurations post-exfiltration.
- Using encrypted tunnels for command-and-control activity.
- Exploiting misconfigurations between internet service providers to maintain stealthy cross-network access.
Devices running Cisco IOS XR have been particularly targeted, with attackers enabling SSH daemons on high-numbered ports (e.g., 57722), establishing host OS shell access, and using non-root accounts with escalated privileges for long-term control.
Defensive Recommendations
The NSA and co-authoring agencies urge critical infrastructure operators and IT security teams to adopt a comprehensive approach to threat hunting and incident response.
Key recommendations include:
- Comparing live device configurations with approved baselines.
- Monitoring for unauthorized PCAP sessions or unusual remote access patterns.
- Auditing firmware integrity and enabling signed image verification.
- Watch for unauthorized user accounts or SSH access on unexpected ports.
- Disabling unnecessary services such as sshd_opens.
- Reviewing system logs for indicators like suspicious PCAP file names (e.g., mycap.pcap, tac.pcap).
Organizations are advised to fully understand the attacker’s access points before initiating remediation efforts, to avoid tipping off the intruders and ensure complete removal.
