The U.S. Cybersecurity and Infrastructure Security Agency (CISA), in collaboration with the NSA, FBI, and several international partners, has released a major cybersecurity advisory exposing a global espionage campaign conducted by state-sponsored hackers from the People’s Republic of China (PRC). These operations are targeting critical infrastructure networks around the world.
The 37-page document, “Countering Chinese State-Sponsored Actors Compromise of Networks Worldwide to Feed Global Espionage System,” highlights the advanced tactics, techniques, and procedures (TTPs) used by these APT groups to compromise and maintain long-term access to government, military, telecom, and transportation systems.
Key Highlights
- The advisory applies MITRE ATT&CK and D3FEND frameworks to counter Chinese APT activities.
- It recommends enforcing management isolation, disabling risky features, and requiring strong authentication.
- It stresses patching critical vulnerabilities, enabling detailed logging, and prioritizing coordinated threat hunting.
These cyber actors, known under industry names such as “Salt Typhoon” and “GhostEmperor,” have been active since at least 2021. Their goal is to exfiltrate data that enables Chinese intelligence services to track communications and movements of high-value global targets.
Links to Chinese Tech Companies
The investigation also points to direct ties with Chinese firms, including Sichuan Juxinhe Network Technology Co. Ltd., which allegedly supports China’s military and intelligence operations.
Exploiting Known Vulnerabilities
Unlike many sophisticated campaigns, these actors are not relying on zero-day exploits. Instead, they achieve significant success by abusing publicly known, unpatched vulnerabilities (CVEs) in widely used systems.
Targeted CVEs
| CVE | Vendor/Product | Details |
|---|---|---|
| CVE-2024-21887 | Ivanti Connect Secure, Ivanti Policy | Command injection flaw, often chained with CVE-2023-46805 for authentication bypass. |
| CVE-2024-3400 | Palo Alto Networks PAN-OS GlobalProtect | Unauthenticated RCE via arbitrary file creation leading to OS command injection. |
| CVE-2023-20273 | Cisco IOS XE | Post-authentication command injection and privilege escalation, often paired with CVE-2023-20198. |
| CVE-2023-20198 | Cisco IOS XE | Authentication bypass in web UI enabling unauthorized admin accounts. |
| CVE-2018-0171 | Cisco IOS and IOS XE | RCE vulnerability in the Smart Install feature. |
Living-Off-the-Land Tactics
After initial access, the attackers rely on living-off-the-land techniques, abusing the built-in tools of routers and firewalls to hide and persist. Techniques include:
- Modifying ACLs (Access Control Lists).
- Capturing traffic to steal credentials.
- Using on-box Linux containers like Cisco’s Guest Shell to deploy hidden tools.
They create covert tunnels, reroute traffic, and clear logs, making detection extremely difficult.
Global Collaboration and Threat-Hunting Guidance
The advisory is backed by agencies from Australia, Canada, the UK, New Zealand, Germany, Japan, Italy, and Poland. It provides practical threat-hunting recommendations, including:
- Monitoring unauthorized configuration changes and unusual tunnels (GRE, IPsec).
- Auditing virtualized containers for hidden activity.
- Verifying firmware/software against vendor-provided hashes.
- Implementing centralized logging with secure storage.
Mitigation Recommendations
To harden defenses, the guide suggests:
- Disabling unused ports and services.
- Strict management-plane isolation.
- Enforcing strong and unique credentials.
- Replacing insecure legacy protocols (Telnet, SNMPv1/v2) with secure alternatives.
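As an added illustration of how the hunting and hardening points above could be checked in practice (example code written for this page, not from the CISA advisory, the article, or any vendor tooling), the script below diffs two Cisco IOS-style configuration snapshots and flags ACL changes, new GRE/IPsec tunnel interfaces, guest shell/IOx enablement, and insecure management protocols (Telnet on VTY lines, SNMPv1/v2c communities). Both configuration texts, the hostname and the addresses are constructed for illustration; in a real environment the input would be the snapshots kept by a configuration-backup system.

```python
"""
Added example (not from the advisory): baseline-vs-current diff of IOS-style
configuration text, flagging the changes the advisory says to hunt for and the
legacy protocols it says to remove. All config text here is constructed.
"""
from typing import Dict, List

# Constructed baseline snapshot (illustrative, not a real device).
BASELINE_CONFIG = """\
hostname edge-rtr-01
ip access-list extended MGMT-IN
 permit tcp 10.0.0.0 0.0.0.255 any eq 22
 deny ip any any
line vty 0 4
 transport input ssh
snmp-server group MON v3 priv
"""

# Constructed "current" snapshot containing the kinds of changes worth
# hunting for: an added ACL entry, a new GRE tunnel, guest shell enablement,
# Telnet re-enabled on VTY lines and an SNMPv2c community string.
CURRENT_CONFIG = """\
hostname edge-rtr-01
ip access-list extended MGMT-IN
 permit tcp 10.0.0.0 0.0.0.255 any eq 22
 permit tcp host 203.0.113.7 any eq 22
 deny ip any any
interface Tunnel100
 tunnel mode gre ip
 tunnel source GigabitEthernet0/0
 tunnel destination 198.51.100.9
line vty 0 4
 transport input telnet ssh
snmp-server community public RO
iox
app-hosting appid guestshell
"""


def parse_blocks(config: str) -> Dict[str, List[str]]:
    """Group IOS-style config into {top-level line: [indented sub-lines]}.

    Top-level (unindented) lines become keys; indented lines are attached to
    the most recent top-level line. Comments ("!") and blank lines are skipped.
    """
    blocks: Dict[str, List[str]] = {}
    current = None
    for raw in config.splitlines():
        if not raw.strip() or raw.startswith("!"):
            continue
        if raw[0].isspace():
            if current is not None:
                blocks[current].append(raw.strip())
        else:
            current = raw.strip()
            blocks.setdefault(current, [])
    return blocks


def hunt_findings(baseline: str, current: str) -> List[str]:
    """Return human-readable findings for changes and weak settings in `current`."""
    base = parse_blocks(baseline)
    cur = parse_blocks(current)
    findings: List[str] = []

    # 1. ACLs that are new or whose entries differ from the baseline.
    for header, lines in cur.items():
        if header.startswith(("ip access-list", "access-list")):
            if header not in base:
                findings.append(f"new ACL: {header}")
            elif lines != base[header]:
                added = [ln for ln in lines if ln not in base[header]]
                findings.append(f"ACL modified: {header}; added entries: {added}")

    # 2. Tunnel interfaces and crypto/IPsec blocks absent from the baseline.
    for header, lines in cur.items():
        if header.startswith("interface Tunnel") and header not in base:
            mode = next((ln for ln in lines if ln.startswith("tunnel mode")),
                        "tunnel mode (default gre)")
            dest = next((ln.split()[-1] for ln in lines
                         if ln.startswith("tunnel destination")), "?")
            findings.append(f"new tunnel: {header} ({mode}) to {dest}")
        elif header.startswith("crypto ") and header not in base:
            findings.append(f"new crypto/IPsec configuration: {header}")

    # 3. On-box container hosting (IOx / guest shell) enabled since baseline.
    for header in cur:
        if (header == "iox" or "guestshell" in header) and header not in base:
            findings.append(f"container hosting enabled: {header}")

    # 4. Legacy management protocols the advisory says to replace.
    for header, lines in cur.items():
        if header.startswith("line vty"):
            for ln in lines:
                if ln.startswith("transport input") and "telnet" in ln.split():
                    findings.append(f"telnet allowed on {header}: {ln}")
        if header.startswith("snmp-server community"):
            findings.append(f"SNMPv1/v2c community configured: {header}")

    return findings


if __name__ == "__main__":
    for finding in hunt_findings(BASELINE_CONFIG, CURRENT_CONFIG):
        print("FINDING:", finding)
```

The diff is deliberately keyed on whole top-level config lines rather than a generic text diff, so that a finding names the affected object (the ACL, the tunnel interface, the VTY line) and can be routed straight into a ticket or a SIEM alert; the same approach extends to other vendors' configs by adjusting the block prefixes.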
Why This Advisory Matters
This advisory not only provides strategic defense guidance but also includes specific indicators of compromise (IOCs) such as malicious IP addresses and YARA rules for detecting Chinese malware.
CISA and its partners urge organizations, particularly in the telecom sector, to actively hunt for malicious activity and strengthen defenses against this ongoing global espionage threat.