Countering Chinese State-Sponsored Cyber Activity: New Threat Intelligence for Defenders


Nation-state actors continue to sharpen their tools and broaden their reach. A newly released Joint Cybersecurity Advisory (CSA) from NSA, CISA, FBI, and allied partners around the world details how Chinese state-sponsored threat actors are compromising telecommunications, government, transportation, lodging, and even military infrastructure networks across the globe.

These operations, which overlap with industry-tracked groups such as Salt Typhoon, OPERATOR PANDA, RedMike, UNC5807, and GhostEmperor, focus on large backbone routers, provider edge devices, and customer edge routers. Once inside, adversaries use trusted connections to pivot into additional networks, modifying configurations to maintain long-term, persistent access.


What the Advisory Reveals

The advisory lays out the tactics, techniques, and procedures (TTPs) used by these actors, mapped to the MITRE ATT&CK framework. Key points include:

  • Initial Access: Exploitation of well-known CVEs (including Ivanti, Palo Alto, and Cisco vulnerabilities such as CVE-2023-20198 and CVE-2024-3400). Zero-day use has not been observed to date.

  • Persistence: Modifying Access Control Lists, enabling SSH on high non-standard ports, creating covert GRE/IPsec tunnels, and even deploying Linux containers (Cisco Guest Shell) on routers to stage tools and hide activity.

  • Lateral Movement & Collection: Capturing authentication traffic (TACACS+/RADIUS), reconfiguring routers to redirect to attacker-controlled infrastructure, and leveraging packet capture capabilities to steal sensitive data.

  • Exfiltration: Abuse of peering connections, tunneling through GRE/IPsec, and hiding traffic within high-volume nodes to smuggle stolen data.

The CSA includes hundreds of IP-based indicators of compromise (IOCs) tied to this malicious activity, with records dating back to 2021. While not all addresses are likely still in use, defenders are urged to hunt, detect, and validate activity before taking mitigation steps.


Critical Path Security’s Zeek Threat Intelligence Feed

At Critical Path Security, we believe that sharing intelligence in actionable, operational formats is the only way to keep pace with sophisticated adversaries. To support defenders, we have published a Zeek-compatible threat intelligence feed containing the IP addresses disclosed in the CSA.

This feed allows organizations running Zeek (formerly Bro) to automatically ingest these indicators into their detection pipelines. By doing so, defenders can flag, alert, and investigate potential communication with the infrastructure linked to these state-sponsored espionage campaigns.
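The two halves of that pipeline, as an added example that is not Critical Path Security's feed or Zeek project code: building a Zeek Intel Framework file from a list of IP indicators, and pulling the resulting hits back out of Zeek's `intel.log`. Zeek's intel file is tab-separated with a `#fields` header naming each column, and every Zeek log is self-describing through the same kind of header, so the log parser reads column names from the header rather than hard-coding positions. The indicator values, the feed name `cps-csa-feed`, and the `intel.log` excerpt (a subset of the real log's columns) are constructed placeholders, not IOCs from the advisory.

```python
"""
Added example (not code from the CSA or from Critical Path Security's feed):
build a Zeek Intel Framework feed from IP indicators and extract matches from
the intel.log lines Zeek writes when traffic touches one of them.
Indicator values below are constructed placeholders (TEST-NET ranges).
"""
import io
import ipaddress

# Zeek intel file columns: tab-separated, announced by a '#fields' header line.
INTEL_FIELDS = ["indicator", "indicator_type", "meta.source", "meta.desc", "meta.do_notice"]


def build_intel_feed(indicators, source, desc, do_notice=True):
    """Return (feed_text, rejected) for a list of IP indicators.

    Invalid entries are rejected and duplicates dropped, so one malformed
    line cannot cause Zeek to refuse the whole feed on load.
    """
    rows, rejected, seen = [], [], set()
    for raw in indicators:
        value = raw.strip()
        try:
            ip = ipaddress.ip_address(value)
        except ValueError:
            rejected.append(value)
            continue
        if ip in seen:
            continue
        seen.add(ip)
        # Intel::ADDR is the Zeek indicator type for a single IP address.
        rows.append("\t".join([str(ip), "Intel::ADDR", source, desc, "T" if do_notice else "F"]))
    header = "#fields\t" + "\t".join(INTEL_FIELDS)
    return header + "\n" + "\n".join(rows) + "\n", rejected


def parse_zeek_log(text):
    """Parse a Zeek TSV log into dicts, taking column names from its '#fields' header."""
    fields, records = None, []
    for line in io.StringIO(text):
        line = line.rstrip("\n")
        if not line:
            continue
        if line.startswith("#fields"):
            fields = line.split("\t")[1:]
            continue
        if line.startswith("#"):
            continue  # #separator, #path, #open, #close and similar metadata lines
        if fields is None:
            raise ValueError("data row before #fields header")
        records.append(dict(zip(fields, line.split("\t"))))
    return records


def matches_by_source(intel_log_text, source):
    """Return {indicator: [originating hosts]} for intel.log hits attributed to one feed."""
    hits = {}
    for rec in parse_zeek_log(intel_log_text):
        if source not in rec.get("sources", "").split(","):
            continue
        hits.setdefault(rec["seen.indicator"], []).append(rec["id.orig_h"])
    return hits


# Constructed placeholder indicators; one duplicate and one malformed entry on purpose.
SAMPLE_IOCS = ["192.0.2.10", "198.51.100.7", "192.0.2.10", "not-an-ip"]

# Constructed intel.log excerpt using a subset of Zeek's real intel.log columns.
SAMPLE_INTEL_LOG = "\n".join([
    "#separator \\x09",
    "#path\tintel",
    "#fields\tts\tuid\tid.orig_h\tid.orig_p\tid.resp_h\tid.resp_p\tseen.indicator\tseen.indicator_type\tseen.where\tsources",
    "1756300000.1\tCabc1\t10.0.0.5\t51022\t192.0.2.10\t443\t192.0.2.10\tIntel::ADDR\tConn::IN_RESP\tcps-csa-feed",
    "1756300001.2\tCabc2\t10.0.0.9\t51023\t198.51.100.7\t22\t198.51.100.7\tIntel::ADDR\tConn::IN_RESP\tcps-csa-feed",
    "1756300002.3\tCabc3\t10.0.0.5\t51024\t203.0.113.4\t80\t203.0.113.4\tIntel::ADDR\tConn::IN_RESP\tother-feed",
    "",
])

if __name__ == "__main__":
    feed, bad = build_intel_feed(SAMPLE_IOCS, "cps-csa-feed", "Placeholder indicator")
    print(feed)
    print("rejected:", bad)
    print(matches_by_source(SAMPLE_INTEL_LOG, "cps-csa-feed"))
```

The `meta.source` column is what lets an analyst tell, from `intel.log` alone, which feed produced a hit; keeping one source name per feed is what makes the per-feed triage above possible when several intelligence sources are loaded side by side.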


Why This Matters

China’s intelligence services are not just collecting information—they are positioning for global advantage by embedding themselves deep within the backbone of our communications networks. This activity is not hypothetical. It is ongoing, multi-year, and global.

Defenders in telecommunications, critical infrastructure, and beyond must:

  • Review configurations for unauthorized ACLs, tunnels, or account creation.

  • Prioritize patching for network-edge vulnerabilities identified in the advisory.

  • Deploy threat intelligence feeds—such as our Zeek integration—to detect and investigate IOC matches in real-time.

  • Harden device management by isolating control planes, restricting SNMP, and disabling unused services.
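The configuration review in the first bullet, and the persistence techniques listed earlier under "What the Advisory Reveals" (new tunnels, SSH on non-standard ports, containers hosted on the router, authentication traffic redirected elsewhere), can be turned into a repeatable check. The following is an added example, not code from the advisory or from Critical Path Security: it audits a Cisco IOS-style running configuration for those patterns and diffs it against a known-good baseline so that any new ACL entry, AAA server, or interface stands out. The two configuration texts and the approved AAA server address are constructed samples; the only real-world assumptions are the IOS command shapes being matched (`ip ssh port ... rotary`, `iox`/`app-hosting appid`, `tacacs server`/`radius server` with `address ipv4`, `interface Tunnel`).

```python
"""
Added example (not from the CSA or Critical Path Security): audit an IOS-style
running configuration for the persistence patterns the advisory describes and
report drift from a known-good baseline. All configuration text is constructed.
"""
import re


def audit_config(config_text, approved_aaa_servers, approved_tunnels=()):
    """Return a list of (category, value, config_line) findings."""
    findings = []
    block = None  # most recent non-indented line, i.e. the header of the current block
    for raw in config_text.splitlines():
        stripped = raw.strip()
        if not stripped or stripped.startswith("!"):
            continue
        if not raw.startswith(" "):
            block = stripped
            # Tunnel interfaces not in the approved set (GRE/IPsec tunnels are built here).
            m = re.match(r"interface\s+(Tunnel\S*)", stripped, re.IGNORECASE)
            if m and m.group(1) not in approved_tunnels:
                findings.append(("tunnel", m.group(1), stripped))
            # SSH listening on a port other than 22 via a rotary group.
            m = re.match(r"ip ssh port (\d+)", stripped)
            if m and int(m.group(1)) != 22:
                findings.append(("ssh-port", m.group(1), stripped))
            # IOx / app-hosting is what enables Linux containers such as Guest Shell.
            if stripped == "iox" or stripped.startswith("app-hosting appid "):
                findings.append(("container", stripped.split()[-1], stripped))
            # Legacy single-line AAA server syntax.
            m = re.match(r"(?:tacacs|radius)-server host (\S+)", stripped)
            if m and m.group(1) not in approved_aaa_servers:
                findings.append(("aaa-server", m.group(1), stripped))
            continue
        # Indented lines are interpreted relative to their block header.
        if block and re.match(r"(?:tacacs|radius) server ", block):
            m = re.match(r"address ipv4 (\S+)", stripped)
            if m and m.group(1) not in approved_aaa_servers:
                findings.append(("aaa-server", m.group(1), stripped))
        if block and re.match(r"interface\s+Tunnel", block, re.IGNORECASE):
            m = re.match(r"tunnel destination (\S+)", stripped)
            if m:
                findings.append(("tunnel-destination", m.group(1), stripped))
    return findings


def config_drift(baseline_text, current_text):
    """Return (added, removed): trimmed, non-comment lines that differ from the baseline.

    A line-set comparison is deliberately simple; it flags new ACL entries,
    AAA servers and interfaces, but treats repeated identical lines loosely,
    so review ACL changes block by block once something is flagged.
    """
    def lines(text):
        return [l.strip() for l in text.splitlines() if l.strip() and not l.strip().startswith("!")]
    base, cur = lines(baseline_text), lines(current_text)
    base_set, cur_set = set(base), set(cur)
    return [l for l in cur if l not in base_set], [l for l in base if l not in cur_set]


# Constructed known-good baseline for a provider edge router.
SAMPLE_BASELINE = """\
hostname pe-router-01
!
tacacs server ISE-1
 address ipv4 10.10.0.20
!
ip access-list extended MGMT-IN
 permit tcp 10.10.0.0 0.0.255.255 any eq 22
 deny   ip any any log
!
line vty 0 4
 access-class MGMT-IN in
 transport input ssh
"""

# Constructed current config showing each pattern the audit looks for (198.51.100.7 is TEST-NET-2).
SAMPLE_CURRENT = """\
hostname pe-router-01
!
tacacs server ISE-1
 address ipv4 198.51.100.7
!
ip access-list extended MGMT-IN
 permit tcp 10.10.0.0 0.0.255.255 any eq 22
 permit tcp host 198.51.100.7 any eq 57722
 deny   ip any any log
!
ip ssh port 57722 rotary 1
!
iox
app-hosting appid guestshell
 app-vnic management guest-interface 0
!
interface Tunnel100
 ip address 172.16.255.1 255.255.255.252
 tunnel source GigabitEthernet0/0/0
 tunnel destination 198.51.100.7
!
line vty 0 4
 access-class MGMT-IN in
 transport input ssh
"""

if __name__ == "__main__":
    for finding in audit_config(SAMPLE_CURRENT, approved_aaa_servers={"10.10.0.20"}):
        print("FINDING", finding)
    added, removed = config_drift(SAMPLE_BASELINE, SAMPLE_CURRENT)
    print("added:", added)
    print("removed:", removed)
```

Run against the baseline the audit returns nothing, which is the property to preserve: the approved AAA server and tunnel sets are the allowlist, and anything outside them is a finding to validate against change records before it is treated as a compromise, in line with the advisory's guidance to hunt and confirm before remediating.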


Moving Forward

The battle for visibility and control of critical networks is accelerating. At Critical Path Security, we will continue to provide operationalized intelligence—not just reports—to ensure defenders can translate alerts into action.

The Zeek feed is immediately available to our partners and clients. If your organization would like to leverage this data, or if you need assistance with network defense, IOC integration, or incident response, contact us.

Together, we can ensure that the world’s backbone networks remain resilient against adversaries determined to exploit them.