Global Cyber Alert: Unmasking China's State-Sponsored Network Intrusions
In a sweeping international effort to counter escalating cyber threats, the Cybersecurity and Infrastructure Security Agency (CISA), along with the NSA, FBI, and a coalition of global intelligence and cybersecurity organizations, has released a powerful joint advisory exposing the tactics of Chinese state-sponsored Advanced Persistent Threat (APT) actors. These groups have been quietly infiltrating critical infrastructure networks throughout the globe, contributing to an expansive intelligence-gathering network that poses a significant threat to international security and digital autonomy.
A United Front.
This advisory is the result of unprecedented collaboration among cybersecurity and intelligence agencies from over 20 countries, including:
- United States National Security Agency (NSA)
- United States Cybersecurity and Infrastructure Security Agency (CISA)
- United States Federal Bureau of Investigation (FBI)
- United States Department of Defense Cyber Crime Center (DC3)
- Australian Signals Directorate’s Australian Cyber Security Centre (ASD’s ACSC)
- Canadian Centre for Cyber Security (Cyber Centre)
- Canadian Security Intelligence Service (CSIS)
- New Zealand National Cyber Security Centre (NCSC-NZ)
- United Kingdom National Cyber Security Centre (NCSC-UK)
- Czech Republic National Cyber and Information Security Agency (NÚKIB)
- Finnish Security and Intelligence Service (SUPO)
- Germany Federal Intelligence Service (BND)
- Germany Federal Office for the Protection of the Constitution (BfV)
- Germany Federal Office for Information Security (BSI)
- Italian External Intelligence and Security Agency (AISE)
- Italian Internal Intelligence and Security Agency (AISI)
- Japan National Cyber Office (NCO)
- Japan National Police Agency (NPA)
- Netherlands Defence Intelligence and Security Service (MIVD)
- Netherlands General Intelligence and Security Service (AIVD)
- Polish Military Counterintelligence Service (SKW)
- Polish Foreign Intelligence Agency (AW)
- Spain National Intelligence Centre (CNI)
This unified response underscores the seriousness of the threat and the importance of international cooperation in defending against state-sponsored cyber aggression.
The Threat Landscape: Persistent, Sophisticated, and Global.
According to the advisory, Advanced Persistent Threat (APT) actors linked to the People’s Republic of China (PRC) have been systematically targeting critical infrastructure, specifically provider edge (PE) and customer edge (CE) routers within the telecommunications, government, transportation, lodging, and defense sectors. These devices, often overlooked and under-monitored, serve as gateways into broader enterprise environments.
Once inside, the attackers modify router firmware and configurations to evade detection, establishing long-term access that allows them to siphon sensitive data and pivot into adjacent networks. This campaign is not limited to one region; it spans the United States, Australia, Canada, New Zealand, the United Kingdom, and beyond.
Who’s Behind the Curtain?
While cybersecurity firms have tracked these actors under names like Salt Typhoon, OPERATOR PANDA, RedMike, UNC5807, and GhostEmperor, the advisory deliberately avoids typical naming conventions. Instead, it refers to them generically as Advanced Persistent Threat (APT) actors to emphasize behavior over branding.
Investigations have traced these operations back to several China-based companies, including:
- Sichuan Juxinhe Network Technology Co. Ltd.
- Beijing Huanyu Tianqiong Information Technology Co., Ltd.
- Sichuan Zhixin Ruijie Network Technology Co., Ltd.
These entities have reportedly provided cyber tools and services to Chinese intelligence agencies, including the People’s Liberation Army and the Ministry of State Security, since at least 2021.
What’s at Stake?
The stolen data, ranging from communications metadata to travel patterns, could enable Chinese intelligence services to track the communications and movements of individuals and organizations globally. This level of access poses a serious risk to national security, economic stability, and personal privacy.
What You Can Do: Mitigation and Defense.
The advisory urges network defenders, especially those in high-risk sectors, to proactively hunt for signs of compromise and implement recommended mitigations. These include:
- Monitoring router configurations and firmware integrity
- Segmenting networks to limit lateral movement
- Applying patches and updates to vulnerable systems
- Enhancing visibility into edge devices
Mitigation strategies will evolve as new intelligence emerges, and defenders are reminded to comply with local laws and regulations when taking action.
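As an added illustration of the first mitigation above (monitoring router configuration and firmware integrity), the following Python script is example code written for this summary; it is not from the advisory, CISA, or any router vendor. It hashes configuration snapshots, reports lines added to or removed from a saved baseline, flags changes that match a hypothetical watch list (new local users, new tunnel interfaces, changes to VTY transport or SNMP communities), and checks a firmware image against a set of known-good hashes. The two configuration snapshots, the watch-list patterns, and the image bytes are all constructed for the example; in practice the baseline would come from a trusted backup and the known-good hashes from the vendor's published values.

```python
import hashlib
import re
from typing import Dict, List

# Constructed sample: a known-good baseline snapshot of an edge router's running config.
BASELINE_CONFIG = """\
hostname edge-rtr-01
username admin privilege 15 secret 5 $1$placeholder
snmp-server community public RO
interface GigabitEthernet0/0
 ip address 192.0.2.1 255.255.255.0
line vty 0 4
 transport input ssh
"""

# Constructed sample: a later snapshot with an extra local account, a new tunnel
# interface, and telnet re-enabled on the VTY lines.
CURRENT_CONFIG = """\
hostname edge-rtr-01
username admin privilege 15 secret 5 $1$placeholder
username svc_backup privilege 15 secret 5 $1$placeholder2
snmp-server community public RO
interface GigabitEthernet0/0
 ip address 192.0.2.1 255.255.255.0
interface Tunnel100
 ip address 198.51.100.1 255.255.255.252
 tunnel source GigabitEthernet0/0
 tunnel destination 203.0.113.9
line vty 0 4
 transport input ssh telnet
"""

# Hypothetical watch list: config lines whose addition or removal should raise an alert.
SENSITIVE_PATTERNS = {
    "new_local_user": re.compile(r"^username\s+\S+"),
    "tunnel_interface": re.compile(r"^interface\s+Tunnel\d+"),
    "vty_transport": re.compile(r"^\s+transport input\b"),
    "snmp_community": re.compile(r"^snmp-server community\b"),
}


def sha256_hex(data: bytes) -> str:
    """Hex SHA-256 of arbitrary bytes (used for both config text and firmware images)."""
    return hashlib.sha256(data).hexdigest()


def config_hash(text: str) -> str:
    """Fingerprint a configuration snapshot so unchanged configs can be skipped cheaply."""
    return sha256_hex(text.encode("utf-8"))


def normalize(text: str) -> List[str]:
    """Drop blank lines and '!' comment lines so cosmetic differences do not trigger alerts."""
    return [ln.rstrip() for ln in text.splitlines()
            if ln.strip() and not ln.lstrip().startswith("!")]


def diff_lines(baseline: str, current: str) -> Dict[str, List[str]]:
    """Set-based line diff: which lines appeared and which disappeared since the baseline."""
    base, cur = set(normalize(baseline)), set(normalize(current))
    return {"added": sorted(cur - base), "removed": sorted(base - cur)}


def audit(baseline: str, current: str) -> List[dict]:
    """Return one finding per changed line that matches a sensitive pattern."""
    if config_hash(baseline) == config_hash(current):
        return []  # identical snapshots, nothing to examine
    findings = []
    changes = diff_lines(baseline, current)
    for kind in ("added", "removed"):
        for line in changes[kind]:
            for rule, pattern in SENSITIVE_PATTERNS.items():
                if pattern.search(line):
                    findings.append({"rule": rule, "change": kind, "line": line.strip()})
    return findings


def verify_image(image: bytes, known_good: set) -> bool:
    """True only if the firmware image hashes to a value on the known-good list."""
    return sha256_hex(image) in known_good


if __name__ == "__main__":
    for f in audit(BASELINE_CONFIG, CURRENT_CONFIG):
        print(f"[{f['rule']}] {f['change']}: {f['line']}")
    # Constructed image bytes and a known-good set derived from them; real values come from the vendor.
    good = {sha256_hex(b"constructed-firmware-image")}
    print("firmware ok:", verify_image(b"constructed-firmware-image", good))
    print("tampered ok:", verify_image(b"constructed-firmware-image-modified", good))
```

The set-based diff deliberately ignores line order and surrounding context, which keeps the example short; a production check would use a positional diff so that, for instance, an access-list entry moved above a deny rule is also reported. The important design point is that the baseline and the known-good hashes must be stored off the device, since an attacker who has modified the router's firmware can also alter anything the router reports about itself.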
Learn More.
For a deeper dive into the tactics, techniques, and procedures (TTPs) used by these APT actors—and to access mitigation guidance—visit: CISA’s PRC Cyber Threat Overview and Advisories