
A joint cybersecurity advisory from agencies in 13 countries has laid out the scope of Chinese state-sponsored cyber espionage against telecommunications infrastructure worldwide.
The National Security Agency (NSA), with partners including CISA, the FBI and agencies from the UK, Canada, Australia and nine other nations, reports that advanced persistent threat actors working for China's intelligence services, including the Ministry of State Security, have compromised telecommunications, government, transportation and military networks globally since at least 2021.
The joint advisory, released on August 26, 2025, directly implicates three China-based technology firms—Sichuan Juxinhe Network Technology Co. Ltd., Beijing Huanyu Tianqiong Information Technology Co., Ltd., and Sichuan Zhixin Ruijie Network Technology Co., Ltd.—in providing cyber products and services to China's intelligence apparatus.
These companies supply a global espionage system whose activity overlaps with threat clusters that industry tracks as Salt Typhoon, OPERATOR PANDA, RedMike, UNC5807, and GhostEmperor.
The campaign has already breached at least nine U.S. telecommunications companies, including AT&T, Verizon, T-Mobile, and Lumen Technologies, with attacks extending to telecommunications providers in dozens of countries worldwide.
"The FBI and our partners are committed to sharing threat intelligence and resources to counter PRC-sponsored cyber intrusions," said FBI Assistant Director Brett Leatherman. The hackers successfully accessed private communications of government and political figures, intercepted law enforcement wiretaps, and stole customer call records data.
Technical Exploitation Strategy
Rather than relying on zero-day vulnerabilities, the Chinese actors have achieved "considerable success" by exploiting widely known, long-patchable flaws in network edge devices. Their primary attack vector is publicly disclosed vulnerabilities in routers, VPN gateways and firewalls from major vendors, which means the campaign depends on patch latency on internet-facing equipment rather than on novel tradecraft.
[Image: Key vulnerabilities exploited by Salt Typhoon in their global cyberespionage campaigns against critical infrastructure]
The threat actors have weaponised publicly known vulnerabilities, including CVE-2024-21887 (command injection in Ivanti Connect Secure), CVE-2024-3400 (command injection in the Palo Alto Networks PAN-OS GlobalProtect feature, giving remote code execution), and the Cisco IOS XE pair CVE-2023-20198 (web UI authentication bypass used to create a privilege-15 account) and CVE-2023-20273 (command injection used to escalate from that account to root).
With that access the actors reconfigure the router itself: they modify access control lists to admit their own infrastructure, enable SSH on non-standard ports, and build GRE or IPsec tunnels between compromised devices and attacker-controlled hosts, so that persistent access rides on what looks like ordinary management or backbone traffic. Each of these changes leaves a trace in the running configuration, which makes a configuration review against a known-good baseline one of the cheapest hunts available to a carrier.
The hackers also deploy custom tooling, including JumbledPath, a Go-based ELF binary that launches packet captures on a remote Cisco device through an actor-defined chain of jump hosts, so that the capture traffic appears to originate from infrastructure other than the actor's own.
"The threat actor also pivoted from a compromised device operated by one telecom to target a device in another telecom," security researchers noted, highlighting the interconnected nature of telecommunications infrastructure vulnerabilities.
Broader Implications for Critical Infrastructure
The advisory warns that compromised telecommunications infrastructure provides Chinese intelligence services with capabilities to "identify and track their targets' communications and movements around the world".
This goes beyond conventional data theft: a foothold in a carrier's core gives persistent access to call metadata, location information and lawful-intercept systems for everyone that carrier serves, including government communications and the operators of other critical infrastructure.
[Image: A cellular network tower with multiple antenna panels]
The scope extends beyond telecommunications, with documented breaches of government entities, transportation networks, the lodging sector, and military infrastructure. Because the actors pivot from compromised devices over trusted connections, any compromised device is a potential gateway into its peers' networks, so an intrusion at one organisation is a risk to every organisation that trusts it.
CISA Acting Director Madhu Gottumukkala emphasised the urgency:
"By exposing the tactics used by PRC state-sponsored actors and providing actionable guidance, we are helping organisations strengthen their defences and protect the systems that underpin our national and economic security".
Protective Measures and Response
The international advisory provides specific mitigation guidance for network defenders, emphasising immediate patching of known exploited vulnerabilities, enabling centralised logging, and securing edge infrastructure. Organisations are urged to prioritise updating internet-facing systems, implementing phishing-resistant multi-factor authentication, and restricting management services to dedicated networks.
Specific recommendations include disabling legacy features such as Cisco Smart Install, replacing weaker management protocols with SSHv2 and SNMPv3, and monitoring running configurations for unauthorised changes such as new privileged accounts, edited ACLs and new tunnel interfaces.
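The configuration-level changes described under Technical Exploitation Strategy (extra privileged accounts, SSH moved to a non-standard port, GRE/IPsec tunnels, ACL edits) and the legacy settings the mitigations above tell defenders to remove (Smart Install, SSHv1, SNMPv1/v2c) can all be checked from a saved copy of the running configuration. The script below is an added example written for this page, not code from the advisory, CISA or Cisco: the sample configuration is constructed, and the trusted management ranges, the known-admin list and the expected tunnel peers are assumptions that a real deployment would replace with its own baseline.

```python
"""Audit a saved Cisco IOS / IOS XE running-config for the persistence changes the advisory
describes and the legacy settings it says to remove.  Added example, not code from the
advisory or any vendor; the sample config and the baselines below are constructed."""
import ipaddress
import re
from typing import List, Optional, Set, Tuple

# Constructed sample: one router showing both tampering and legacy settings.
SAMPLE_CONFIG = """\
username admin privilege 15 secret 9 $9$constructed
username svc_backup privilege 15 secret 9 $9$constructed
ip ssh port 40022 rotary 1
ip ssh version 2
snmp-server community public RO
snmp-server community private RW
vstack
interface Tunnel55
 tunnel destination 203.0.113.9
 tunnel mode gre ip
!
ip access-list extended MGMT-IN
 permit tcp host 203.0.113.9 any eq 22
 permit tcp 10.0.0.0 0.255.255.255 any eq 22
 deny ip any any
"""
# Assumed baseline (replace with your own): legitimate admins, management ranges, tunnel peers.
KNOWN_ADMINS: Set[str] = {"admin"}
TRUSTED_MGMT = [ipaddress.ip_network("10.0.0.0/8")]
EXPECTED_TUNNEL_PEERS: Set[str] = set()
ACL_PROTOCOLS = {"ip", "tcp", "udp", "icmp", "gre", "esp", "ahp", "ospf", "eigrp"}

def parse_blocks(config: str) -> List[Tuple[str, List[str]]]:
    """Group lines into (top-level line, indented sub-lines); '!' is a separator."""
    blocks: List[Tuple[str, List[str]]] = []
    for raw in config.splitlines():
        if not raw.strip() or raw.startswith("!"):
            continue
        if raw[0].isspace() and blocks:
            blocks[-1][1].append(raw.strip())
        else:
            blocks.append((raw.strip(), []))
    return blocks

def acl_source(entry: str) -> Optional[ipaddress.IPv4Network]:
    """Source of an ACL entry ('host X', 'any', 'X wildcard' or plain 'X'); None if not an ACE."""
    tok = entry.split()
    if len(tok) < 2 or tok[0] not in ("permit", "deny"):
        return None
    i = 2 if (tok[1] in ACL_PROTOCOLS or tok[1].isdigit()) else 1  # standard ACLs carry no protocol
    if len(tok) <= i:
        return None
    if tok[i] == "any":
        return ipaddress.ip_network("0.0.0.0/0")
    if tok[i] == "host":
        return ipaddress.ip_network(tok[i + 1] + "/32")
    try:
        wildcard = int(ipaddress.ip_address(tok[i + 1]))  # 'X wildcard' form
    except (IndexError, ValueError):
        wildcard = 0  # standard-ACL 'permit X' means the single host X
    prefix = 32 - bin(wildcard).count("1")  # assumes a contiguous wildcard mask
    return ipaddress.ip_network(f"{tok[i]}/{prefix}", strict=False)

def find_persistence_indicators(config: str) -> List[str]:
    """Extra privilege-15 accounts, SSH on a non-standard port, tunnels to unexpected peers,
    and ACL permits whose source lies outside the trusted management ranges."""
    findings: List[str] = []
    for top, subs in parse_blocks(config):
        user = re.match(r"username (\S+) .*privilege 15", top)
        if user and user.group(1) not in KNOWN_ADMINS:
            findings.append(f"unexpected privilege-15 account: {user.group(1)}")
        ssh = re.match(r"ip ssh port (\d+) rotary", top)
        if ssh and ssh.group(1) != "22":
            findings.append(f"SSH bound to non-standard port {ssh.group(1)}")
        if top.startswith("interface Tunnel"):
            dest = next((s.split()[-1] for s in subs if s.startswith("tunnel destination")), "?")
            mode = next((s[12:] for s in subs if s.startswith("tunnel mode ")), "gre ip (default)")
            if dest not in EXPECTED_TUNNEL_PEERS:
                findings.append(f"{top} to unexpected peer {dest} (mode {mode})")
        if top.startswith("ip access-list"):
            for ace in subs:
                src = acl_source(ace)
                if ace.startswith("permit") and src is not None and not any(src.subnet_of(n) for n in TRUSTED_MGMT):
                    findings.append(f"{top}: '{ace}' permits source {src} outside trusted ranges")
    return findings

def find_weak_settings(config: str) -> List[str]:
    """Smart Install left enabled, SSHv1 still allowed, SNMPv1/v2c communities present."""
    tops = [top for top, _ in parse_blocks(config)]
    findings: List[str] = []
    if "no vstack" not in tops:  # Smart Install is on by default on many platforms
        findings.append("Smart Install not disabled (add 'no vstack')")
    if "ip ssh version 2" not in tops:
        findings.append("SSHv1 still negotiable (add 'ip ssh version 2')")
    findings += [f"SNMPv1/v2c community present: '{t}' (migrate to SNMPv3)"
                 for t in tops if t.startswith("snmp-server community")]
    return findings
```

Run it over `show running-config` output saved from each device; on the constructed sample it reports the `svc_backup` account, SSH on port 40022, the tunnel to 203.0.113.9 and the ACL entry admitting that host as persistence indicators, and Smart Install plus the two SNMP communities as weak settings, while the `admin` account and the 10.0.0.0/8 permit pass. Two caveats: the wildcard-to-prefix conversion assumes contiguous masks, and a configuration review only sees what is in the configuration, so pair it with flow data from the device's uplinks, where tunnels and SSH on odd ports are visible without relying on the device's own account of itself.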
The advisory particularly emphasises threat hunting, recommending that organisations "gain a full understanding of the APT actors' accesses before implementing visible incident response and mitigation actions to maximise the chance of achieving full eviction from compromised networks".
The Treasury Department has already imposed sanctions on Sichuan Juxinhe Network Technology Co. and individual cyber actors, while offering rewards up to $10 million for information on foreign government-directed hackers. However, the persistent nature of these attacks underscores the need for immediate defensive action across all critical infrastructure sectors.
Organisations are strongly encouraged to report suspicious activities to CISA via their 24/7 Operations Centre and implement the comprehensive mitigation strategies outlined in the joint advisory to reduce exposure to these ongoing state-sponsored threats.