Executive summary

\n

People’s Republic of China (PRC) state-sponsored cyber threat actors are targeting networks globally, including, but not limited to, telecommunications, government, transportation, lodging, and military infrastructure networks. While these actors focus on large backbone routers of major telecommunications providers, as well as provider edge (PE) and customer edge (CE) routers, they also leverage compromised devices and trusted connections to pivot into other networks. These actors often modify routers to maintain persistent, long-term access to networks.

\n

This activity partially overlaps with cyber threat actor reporting by the cybersecurity industry—commonly referred to as Salt Typhoon, OPERATOR PANDA, RedMike, UNC5807, and GhostEmperor, among others. The authoring agencies are not adopting a particular commercial naming convention and hereafter refer to those responsible for the cyber threat activity more generically as “Advanced Persistent Threat (APT) actors” throughout this advisory. This cluster of cyber threat activity has been observed in the United States, Australia, Canada, New Zealand, the United Kingdom, and other areas globally.

\n

This Cybersecurity Advisory (CSA) includes observations from various government and industry investigations where the APT actors targeted internal enterprise environments, as well as systems and networks that deliver services directly to customers. This CSA details the tactics, techniques, and procedures (TTPs) leveraged by these APT actors to facilitate detection and threat hunting, and provides mitigation guidance to reduce the risk from these APT actors and their TTPs.

\n

This CSA is being released by the following authoring and co-sealing agencies:

\n

United States National Security Agency (NSA)
United States Cybersecurity and Infrastructure Security Agency (CISA)
United States Federal Bureau of Investigation (FBI)
United States Department of Defense Cyber Crime Center (DC3)
Australian Signals Directorate’s Australian Cyber Security Centre (ASD’s ACSC)
Canadian Centre for Cyber Security (Cyber Centre)
Canadian Security Intelligence Service (CSIS)
New Zealand National Cyber Security Centre (NCSC-NZ)
United Kingdom National Cyber Security Centre (NCSC-UK)
Czech Republic National Cyber and Information Security Agency (NÚKIB) - Národní úřad pro kybernetickou a informační bezpečnost
Finnish Security and Intelligence Service (SUPO) - Suojelupoliisi
Germany Federal Intelligence Service (BND) - Bundesnachrichtendienst
Germany Federal Office for the Protection of the Constitution (BfV) - Bundesamt für Verfassungsschutz
Germany Federal Office for Information Security (BSI) - Bundesamt für Sicherheit in der Informationstechnik
Italian External Intelligence and Security Agency (AISE) - Agenzia Informazioni e Sicurezza Esterna
Italian Internal Intelligence and Security Agency (AISI) - Agenzia Informazioni e Sicurezza Interna
Japan National Cybersecurity Office (NCO) - 国家サイバー統括室
Japan National Police Agency (NPA) - 警察庁
Netherlands Defence Intelligence and Security Service (MIVD) - Militaire Inlichtingen- en Veiligheidsdienst
Netherlands General Intelligence and Security Service (AIVD) - Algemene Inlichtingen- en Veiligheidsdienst
Polish Military Counterintelligence Service (SKW) - Służba Kontrwywiadu Wojskowego
Polish Foreign Intelligence Agency (AW) - Agencja Wywiadu
Spain National Intelligence Centre (CNI) - Centro Nacional de Inteligencia

\n

The authoring agencies strongly urge network defenders to hunt for malicious activity and to apply the mitigations in this CSA to reduce the threat of Chinese state-sponsored and other malicious cyber activity.

\n

Any mitigation or eviction measures listed within are subject to change as new information becomes available and ongoing coordinated operations dictate. Network defenders should ensure any actions taken in response to the CSA are compliant with local laws and regulations within the jurisdictions within which they operate.

\n

Background

\n

The APT actors have been performing malicious operations globally since at least 2021. These operations have been linked to multiple China-based entities, including at least Sichuan Juxinhe Network Technology Co. Ltd. (四川聚信和网络科技有限公司), Beijing Huanyu Tianqiong Information Technology Co., Ltd. (北京寰宇天穹信息技术有限公司), and Sichuan Zhixin Ruijie Network Technology Co., Ltd. (四川智信锐捷网络科技有限公司). These companies provide cyber-related products and services to China’s intelligence services, including multiple units in the People’s Liberation Army and Ministry of State Security. The data stolen through this activity against foreign telecommunications and Internet service providers (ISPs), as well as intrusions in the lodging and transportation sectors, ultimately can provide Chinese intelligence services with the capability to identify and track their targets’ communications and movements around the world.

\n

For more information on PRC state-sponsored malicious cyber activity, see