Posted on 08/29/2025 10:22:00 AM PDT by MtnClimber
Government agencies from around the world, including the Cybersecurity and Infrastructure Security Agency (CISA), the FBI, and the National Security Agency (NSA), shared a new advisory Wednesday warning of China's "global espionage system."
The advisory details how state-backed threat actors, including Salt Typhoon, penetrate networks around the world, as well as how defenders can protect their own environments. The document was cosigned by nations including Canada, Australia, New Zealand, the UK, Czech Republic, Finland, Germany, Italy, Japan, the Netherlands, Poland, and Spain.
The advisory tracks this cluster of activity to multiple advanced persistent threats (APTs), though the agencies say it partially overlaps with Salt Typhoon. Salt Typhoon is best known for its infamous attacks against global telco infrastructure, including one in the US discovered last year, but China-backed threat actors have run rampant in recent years, targeting organizations both for espionage and for pre-positioning ahead of possible future attacks.
CISA's joint advisory dives into the technical nitty-gritty of how these attacks go down, including some previously unknown insights into People's Republic of China (PRC) cyber operations.
How Salt Typhoon (and Its Ilk) Target Networks
According to the advisory, these PRC-linked threat actors are targeting networks in the telecommunications, government, transportation, lodging, and defense sectors, often focusing on compromising large backbone routers and provider and customer edge routers, then using the compromised devices and their trusted connections to move into other networks. Moreover, "these actors often modify routers to maintain persistent, long-term access to networks."
Tracking activity back to 2021, the agencies said the threat actors have had "considerable success" exploiting publicly known vulnerabilities, but no zero-day exploitation has been observed to date. Notable flaws include the Ivanti Connect Secure and Ivanti Policy Secure Web-component command injection vulnerability CVE-2024-21887; the Palo Alto Networks PAN-OS GlobalProtect OS command injection flaw CVE-2024-3400; and the Cisco IOS XE vulnerabilities CVE-2023-20273, CVE-2023-20198, and CVE-2018-0171.
Mitigations for all these flaws are available, and defenders are urged to prioritize them due to threat actors' frequent targeting.
Despite the APT focus on routers and similar technologies, the advisory noted that "authoring agencies suspect that the APT actors may target other devices (e.g., Fortinet firewalls, Juniper firewalls, Microsoft Exchange, Nokia routers and switches, Sierra Wireless devices, Sonicwall firewalls, etc.)."
To maintain persistence, the APTs use multiple tactics including modifying Access Control Lists (ACLs) to add IP addresses, opening standard and non-standard ports, enabling SSH servers, opening external-facing ports on network devices, creating tunnels over protocols, enumerating and altering the configuration of other devices on the network, and more.
The list of tactics used to facilitate lateral movement is similarly exhaustive, including everything from capturing network traffic containing credentials via compromised routers to brute-forcing weak credentials.
"Following initial access, the APT actors target protocols and infrastructure involved in authentication — such as Terminal Access Controller Access Control System Plus (TACACS+) — to facilitate lateral movement across network devices, often through SNMP enumeration and SSH," the advisory read. "From these devices, the APT actors passively collect packet capture (PCAP) from specific ISP customer networks."
Mitigating a Typhoon
To address these threats, authoring agencies made a wide range of recommendations. They are extensive because, as the advisory put it, "the malicious activity described in this advisory often involves persistent, long-term access to networks where the APT actors maintain several methods of access."
To protect against these APTs, defenders should monitor for network device configuration changes, monitor virtualized containers for signs of tampering and verify that all such containers are authorized, audit network services and tunnels, hunt for actor-favored protocol patterns, check logs, and monitor firmware and software for integrity. The advisory also contains indicators of compromise.
Trey Ford, chief strategy and trust officer at Bugcrowd, says that with this advisory, agencies like CISA are trying to burn China's efforts "in a very public way, driving up the cost and operational overhead of any targeted operations in motion."
Frankie Sclafani, director of cybersecurity enablement at managed detection and response (MDR) vendor Deepwatch, says CISA's advisory is urgent because it highlights a recent "critical shift" in Chinese state-sponsored activity from purely espionage to something more invasive.
"Instead of just spying, groups like Salt Typhoon are now burrowing deep into critical infrastructure networks worldwide. This isn't just about stealing data; it's about gaining long-term access for potential disruption," Sclafani tells Dark Reading. "Given CISA's unique position and partnerships across government agencies, they have broad insight into these global threats. With Chinese APT activity at a high level of sophistication, the advisory serves as a crucial wake-up call for organizations to hunt and implement recommended mitigations immediately to protect their systems."
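The advisory's persistence tactics (ACL entries for new IPs, enabled SSH servers, non-standard ports, tunnels) and its recommendation to monitor for network device configuration changes lend themselves to a simple check: diff a device's saved config against a known-good baseline and flag changes that match those tactics. The script below is an added example, not code from the advisory or the article; it assumes IOS-style config syntax, and the hostnames and addresses are constructed.

```python
"""Added example (not from the advisory or the article): diff two saved
config snapshots from a network device and flag additions or removals that
match the persistence tactics described above. Syntax is IOS-style and all
device names and addresses are constructed samples."""
import difflib
import re

# Added lines to flag, keyed by the tactic they correspond to.
ADDED = {
    "nonstandard_port": re.compile(r"^\s*ip ssh port \d+"),
    "ssh_enabled":      re.compile(r"^\s*(ip ssh|transport input .*ssh)"),
    "acl_permit_added": re.compile(r"^\s*(access-list \d+ )?permit "),
    "tunnel_added":     re.compile(r"^\s*(interface Tunnel\d+|tunnel (source|destination|mode))"),
    "snmp_changed":     re.compile(r"^\s*snmp-server (community|host|user) "),
}
# Removed lines to flag: dropping log export hides later changes.
REMOVED = {
    "logging_removed":  re.compile(r"^\s*logging (host|trap|buffered)"),
}

def config_changes(baseline: str, current: str) -> list[tuple[str, str]]:
    """Return (tactic, config_line) for every suspicious added/removed line."""
    diff = difflib.unified_diff(baseline.splitlines(), current.splitlines(),
                                lineterm="", n=0)
    hits = []
    for line in diff:
        if line.startswith(("+++", "---", "@@")):
            continue  # skip unified-diff headers
        rules = ADDED if line.startswith("+") else REMOVED if line.startswith("-") else {}
        for tactic, pattern in rules.items():
            if pattern.search(line[1:]):
                hits.append((tactic, line[1:].strip()))
                break
    return hits

# Constructed snapshots: baseline, then the same device after tampering.
BASELINE = """\
hostname edge-rtr-1
logging host 10.0.0.5
access-list 10 permit 10.0.0.0 0.0.0.255
line vty 0 4
 transport input none
"""
CURRENT = """\
hostname edge-rtr-1
access-list 10 permit 10.0.0.0 0.0.0.255
access-list 10 permit host 198.51.100.23
ip ssh port 2222 rotary 1
interface Tunnel7
 tunnel source GigabitEthernet0/0
 tunnel destination 203.0.113.9
line vty 0 4
 transport input ssh
 rotary 1
"""

if __name__ == "__main__":
    for tactic, cfg in config_changes(BASELINE, CURRENT):
        print(f"{tactic:18} {cfg}")
```

In practice the baseline comes from a config-management store and the current snapshot from a scheduled pull, so a non-empty result is an alert to triage rather than a verdict.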
Any Cyber Security professionals out there that care to comment?
Are they including the CIA?
Clearly bogus info. 600,000 awaiting Chinese students would agree.
Bkmk
Yes
“Clearly bogus info. 600,000 awaiting Chinese students would agree.”
The fine print of the agreement stipulates the Chinese students must all be Gender Studies or Fine Arts majors.
NSS
They had the wolves inside the chicken coop and paying them to do it. Sigh.
Busy afternoon - got to go ...
The Daily Caller, https://dailycaller.com/2025/08/28/its-over-hegseth-severs-chinese-access-to-pentagon-servers-orders-microsoft-probe, "Pentagon Severs Chinese Access To Cloud Servers, Hegseth Orders ..." (1 day ago): Defense Secretary Pete Hegseth has severed Chinese contractors' access to Pentagon cloud data systems under a Microsoft project while ordering a wider inquiry into the system, the Secretary announced Wednesday. "The use of Chinese nationals to service Department of Defense cloud environments: It ..."
ProPublica, https://www.propublica.org/article/defense-department-pentagon-microsoft-digital-escort-china, "Microsoft Stops Using China-Based Engineers for DOD Computer Systems ..." (Jul 18, 2025): Microsoft Says It Has Stopped Using China-Based Engineers to Support Defense Department Computer Systems. After a ProPublica investigation revealed how Microsoft's "digital escort ..."
The Hill, https://thehill.com/policy/defense/5475632-heggeth-halts-chinese-coders, "Hegseth says Chinese nationals no longer allowed to work on Pentagon cloud" (1 day ago): The Defense Secretary said the Department will be shielded from potential cyberattacks. "Microsoft has terminated the use of any China-based engineering teams for DoD cloud systems and we will ..."
Reuters, https://www.reuters.com/world/us/microsoft-stop-using-engineers-china-tech-support-us-military-hegseth-orders-2025-07-18, "Microsoft to stop using engineers in China for tech support of US ..." (Jul 18, 2025): Microsoft on Friday said it will stop using China-based engineers to provide technical assistance to the U.S. military after a report in investigative journalism outlet ProPublica sparked ...
Ars Technica, https://arstechnica.com/security/2025/07/microsoft-to-stop-using-china-based-teams-to-support-department-of-defense, "Microsoft to stop using China-based teams to support Department of Defense" (Jul 26, 2025): The tech giant has relied on global workforce to support federal clients.
PCMag, https://www.pcmag.com/news/microsoft-china-based-engineers-will-no-longer-handle-defense-department, "Microsoft: China-Based Engineers Will No Longer Handle Defense ..." (Jul 19, 2025): Microsoft says it will stop using China-based engineers for work on the US Defense Department government cloud and related services. Frank Shaw, Microsoft's communications lead,
Make it a long and complicated one.
It was ignored in the 1980s, 1990s, and all the 2000s (2000-2025)...
Nothing has ever been done...
Nothing will ever be done...
Isn’t it true that no Chinese can leave the country to engage in any kind of work or study without being a loyal member of the CCP?
Not sure.