CISA Warns of Global Chinese State-Sponsored Cyber Espionage Campaign Targeting US, UK, More
- Chinese Hackers: A new advisory reveals widespread cyberespionage activity by a Chinese state-sponsored threat actor.
- Operation details: Known flaws are often exploited by these hackers in order to gain access and exfiltrate data.
- The targets: The APT group is targeting several countries worldwide, including the U.S., the U.K., Australia, and Canada.
A widespread campaign by Chinese state-sponsored cyber actors targets global telecommunications, government, and transportation networks to support a global espionage system. Technical details on the threat actors' tactics, techniques, and procedures (TTPs) are provided in a new advisory.
A coalition of international cybersecurity agencies, led by CISA, has issued Cybersecurity Advisory AA25-239A.
Exploitation Tactics
The activity cluster partially overlaps with Advanced Persistent Threat (APT) actor reporting of Salt Typhoon, OPERATOR PANDA, RedMike, UNC5807, and GhostEmperor, among others, and has been observed in the U.S., the U.K., Australia, Canada, New Zealand, and other nations globally.
The advisory notes that threat actors have not been observed using zero-day exploits; instead, they focus on unpatched, publicly known weaknesses to gain initial access.
Key exploited CVEs include vulnerabilities in:
- Ivanti Connect Secure authentication bypass – CVE-2024-2188
- Palo Alto Networks PAN-OS remote code execution (RCE) flaw – CVE-2024-3400
- Cisco IOS XE command injection/privilege escalation flaw – CVE-2023-20273
- Cisco IOS XE web user interface authentication bypass vulnerability – CVE-2023-20198
- Cisco IOS and IOS XE smart install remote code execution vulnerability – CVE-2018-0171
The APT actors exploit virtual private servers (VPSs), compromised intermediate routers, and infrastructure “that has not been attributable to a publicly known botnet or obfuscation network” to target telecommunications and network service providers, including ISPs.
Once inside a network, the actors establish long-term persistence and move laterally by modifying router configurations, creating unauthorized administrative accounts, and targeting protocols and infrastructure involved in authentication.
To exfiltrate data, the Chinese state-sponsored group leverages trusted connections, such as peering connections, and pivots into other networks, often using techniques like traffic mirroring and creating GRE/IPsec tunnels.
The primary goal is to collect sensitive information, including subscriber data, network configurations, and user credentials, which are then exfiltrated to actor-controlled infrastructure.
Mitigation Strategies and Defensive Recommendations
To counter this threat, organizations should prioritize patching vulnerable edge devices, hardening network configurations, and implementing robust logging and monitoring. Specific mitigations include isolating management planes, enforcing strong authentication protocols like SNMPv3, and disabling unused ports and services.
Network defenders are advised to hunt for unusual activity, such as unexpected tunnels or configuration changes, to detect and evict these persistent actors.
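The hunting advice above, and the exfiltration tradecraft described earlier (traffic mirroring, GRE/IPsec tunnels, unauthorized administrative accounts, weak SNMP), can be turned into a simple configuration review. The following is an added example, not code from the advisory or from TechNadu: a Python script that scans a Cisco IOS-style running-config for those persistence indicators and reports anything not on an allow-list. The sample config embedded in it is constructed for illustration, and the allow-list parameters (`approved_admins`, `approved_tunnels`) are assumptions an operator would populate from their own change records.

```python
"""Review a Cisco IOS-style running-config for the persistence and exfiltration
indicators called out in CISA advisory AA25-239A: unexpected tunnel interfaces,
traffic mirroring (monitor sessions), SNMP v1/v2c community strings, IPsec
crypto maps, and privilege-15 local accounts not on an approved list."""
import re
from dataclasses import dataclass

# Constructed sample running-config (not from a real device). It mixes
# legitimate settings with the kinds of changes defenders are told to hunt for.
SAMPLE_CONFIG = """\
hostname edge-rtr-01
username netops privilege 15 secret 9 $9$placeholder1
username svc_backup privilege 15 secret 9 $9$placeholder2
!
snmp-server community public RO
snmp-server group NOC v3 priv
!
interface Tunnel77
 ip address 10.200.0.1 255.255.255.252
 tunnel source GigabitEthernet0/0
 tunnel destination 203.0.113.45
 tunnel mode gre ip
!
interface GigabitEthernet0/0
 ip address 198.51.100.2 255.255.255.0
!
monitor session 1 source interface GigabitEthernet0/0
monitor session 1 destination interface GigabitEthernet0/2
!
line vty 0 4
 transport input ssh
"""


@dataclass
class Finding:
    category: str  # short machine-readable label for the indicator type
    detail: str    # the specific object (user, interface, session) involved


def parse_blocks(config):
    """Split an IOS config into an ordered list of top-level lines plus a map
    from each top-level line to its indented sub-lines."""
    top, blocks, current = [], {}, None
    for raw in config.splitlines():
        if not raw.strip() or raw.startswith("!"):
            current = None          # '!' separates sections
            continue
        if raw.startswith(" "):
            if current is not None:
                blocks[current].append(raw.strip())
        else:
            current = raw.strip()
            blocks[current] = []
            top.append(current)
    return top, blocks


def hunt(config, approved_admins=frozenset(), approved_tunnels=frozenset()):
    """Return a list of Findings for indicators not explained by the allow-lists.
    `approved_admins` and `approved_tunnels` are assumed to come from the
    operator's own change records (hypothetical inputs for this example)."""
    top, blocks = parse_blocks(config)
    findings = []
    for line in top:
        # Local accounts with full privilege that nobody approved.
        m = re.match(r"username (\S+) privilege 15", line)
        if m and m.group(1) not in approved_admins:
            findings.append(Finding("unapproved-admin", m.group(1)))
        # SNMPv1/v2c community strings: the advisory recommends SNMPv3 instead.
        m = re.match(r"snmp-server community (\S+)", line)
        if m:
            findings.append(Finding("snmp-v1v2c-community", m.group(1)))
        # Traffic mirroring: a SPAN destination is where mirrored packets go.
        m = re.match(r"monitor session (\d+) destination (.+)", line)
        if m:
            findings.append(Finding("traffic-mirror", f"session {m.group(1)} -> {m.group(2)}"))
        # IPsec crypto maps applied outside the known VPN design.
        if line.startswith("crypto map "):
            findings.append(Finding("ipsec-crypto-map", line))
        # Tunnel interfaces (GRE by default on IOS) not in the approved set.
        m = re.match(r"interface (Tunnel\S+)", line)
        if m and m.group(1) not in approved_tunnels:
            body = blocks[line]
            dest = next((l.split()[-1] for l in body if l.startswith("tunnel destination")), "?")
            mode = next((l[len("tunnel mode "):] for l in body if l.startswith("tunnel mode")), "gre ip (default)")
            findings.append(Finding("unexpected-tunnel", f"{m.group(1)} -> {dest} ({mode})"))
    return findings


if __name__ == "__main__":
    # netops is a known admin; Tunnel77 is not in any change record.
    for f in hunt(SAMPLE_CONFIG, approved_admins={"netops"}):
        print(f"[{f.category}] {f.detail}")
```

In practice the config would be pulled from each device (or from a config-management backup) on a schedule and diffed against the last known-good copy, so that a new tunnel, a new SPAN session, or a new privilege-15 user surfaces as a change rather than being discovered only on a full review.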
In July, TechNadu reported that Salt Typhoon had infiltrated the U.S. National Guard systems for almost a year. The APT was also linked to the Viasat hack. This month, a China-nexus espionage campaign targeting diplomats was attributed to UNC6384.