China Infiltrates Global Telecommunications Systems
A sweeping cyber espionage operation by Chinese state-sponsored actors has compromised networks across more than 80 countries according to a joint cybersecurity advisory released by international intelligence agencies last week.
The multi-year campaign represents "China's most ambitious" cyber operation to date, targeting telecommunications companies, government agencies, transportation networks, lodging providers, and military infrastructure globally, according to the advisory published by the Australian Signals Directorate and 18 international partner agencies.
The threat actors, who have been conducting malicious operations since at least 2021, are linked to multiple China-based technology companies. These companies provide cyber-related products and services to China's intelligence services, including units in the People's Liberation Army and the Ministry of State Security.
The operation demonstrates sophisticated tactics including modifying router configurations to maintain persistent, long-term network access and using virtualized containers on network devices to evade detection. The actors exploit publicly known common vulnerabilities and exposures (CVEs) rather than zero-day exploits, achieving "considerable success" through unpatched systems.
“This activity partially overlaps with cyber threat actor reporting by the cybersecurity industry - commonly referred to as Salt Typhoon, OPERATOR PANDA, RedMike, UNC5807, and GhostEmperor, among others,” the advisory states.
“The authoring agencies are not adopting a particular commercial naming convention and hereafter refer to those responsible for the cyber threat activity more generically as ‘Advanced Persistent Threat (APT) actors’ throughout this advisory. This cluster of cyber threat activity has been observed in the United States, Australia, Canada, New Zealand, the United Kingdom, and other areas globally.”
Infrastructure and Authentication Systems Targeted
The attacks leverage infrastructure, such as virtual private servers (VPSs) and compromised intermediate routers, that has not been attributed to any publicly known botnet or obfuscation network, to target telecommunications and network service providers, including ISPs.
“The actors leverage compromised devices and trusted connections or private interconnections (e.g., provider-to-provider or provider-to-customer links) to pivot into other networks.”
“The actors often maintain access for extended periods while conducting large-scale data exfiltration, making detection and remediation complex.”
The advisory emphasizes that organizations should prioritize patching known exploited CVEs and implement robust change management processes for network device configurations. Critical recommendations include disabling unused ports and protocols, implementing management-plane isolation, and using strong cryptographic authentication methods.
The joint advisory represents an unprecedented level of international cooperation, with agencies from the United States, Australia, Canada, New Zealand, the United Kingdom, the Czech Republic, Finland, Germany, Italy, Japan, the Netherlands, Poland, and Spain contributing to the investigation.
"In many ways, Salt Typhoon marks a new chapter," Jennifer Ewbank, former CIA deputy director for digital innovation, told The New York Times.
"Today, we see patient, state-backed campaigns burrowed deep into the infrastructure of more than 80 countries, characterized by a high level of technical sophistication, patience and persistence."
The campaign builds on previous Chinese cyber operations but demonstrates evolved techniques focused on telecommunications infrastructure rather than traditional enterprise targets. Security experts view this as evidence that China's cyber capabilities now rival those of the United States and its allies.
Organizations experiencing potential compromise are urged to contact appropriate cybersecurity authorities and implement comprehensive threat hunting activities focusing on configuration changes, virtualized containers, network services, and firmware integrity.
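The change-management and threat-hunting recommendations above both come down to the same defensive control: knowing what a network device's configuration is supposed to look like and noticing when it differs. The following script is an added example written for this article, not code from the advisory or from any of the agencies involved. It compares a stored, approved baseline against a device's current running configuration, reports every added or removed line, and flags the categories of change a hunt team would want to review first: new local accounts, new tunnel interfaces, container or app-hosting directives, and changes to management-plane access lists. The IOS-style configuration syntax, the two config snippets, and the review patterns are all constructed assumptions for illustration; they are not indicators published in the advisory.

```python
"""Configuration-drift check for network devices (added, defender-side example).

Assumptions, none of which come from the advisory: line-oriented IOS-style
running configs, one approved baseline stored per device, and a small set of
constructed review categories for lines that commonly matter for persistence.
"""
import difflib
import hashlib
import re

# Constructed baseline for a hypothetical edge router (values are placeholders).
BASELINE_CONFIG = """\
hostname edge-rtr-01
username netops privilege 15 secret 9 $9$BASELINEHASH
interface GigabitEthernet0/0
 ip address 192.0.2.1 255.255.255.0
line vty 0 4
 access-class MGMT-ACL in
 transport input ssh
"""

# Constructed "current" running config showing the kinds of drift worth reviewing:
# an extra privileged account, a new tunnel, an app-hosting directive, and a
# management ACL that has disappeared from the VTY lines.
CURRENT_CONFIG = """\
hostname edge-rtr-01
username netops privilege 15 secret 9 $9$BASELINEHASH
username svc_backup privilege 15 secret 9 $9$UNKNOWNHASH
interface GigabitEthernet0/0
 ip address 192.0.2.1 255.255.255.0
interface Tunnel100
 tunnel source GigabitEthernet0/0
 tunnel destination 198.51.100.77
app-hosting appid shell
line vty 0 4
 transport input ssh
"""

# Review categories. The patterns are assumptions about IOS-style syntax and are
# meant as a starting point for a hunt team, not a complete or vendor-exact list.
REVIEW_PATTERNS = {
    "new_local_account": re.compile(r"^username\s+\S+"),
    "new_tunnel_interface": re.compile(r"^interface\s+Tunnel\d+", re.I),
    "container_or_app_hosting": re.compile(r"^(app-hosting|guestshell|iox)\b", re.I),
    "acl_or_mgmt_access_change": re.compile(r"^\s*(access-class|ip access-list|access-list)\b"),
}


def _config_lines(config: str) -> list:
    """Normalize a config to non-empty lines with trailing whitespace removed."""
    return [line.rstrip() for line in config.splitlines() if line.strip()]


def config_fingerprint(config: str) -> str:
    """SHA-256 over the normalized config; a cheap first check against the baseline."""
    return hashlib.sha256("\n".join(_config_lines(config)).encode()).hexdigest()


def config_drift(baseline: str, current: str) -> dict:
    """Diff baseline vs. current config and flag lines matching the review categories.

    Returns a dict with 'changed' (bool), 'added' and 'removed' (lists of lines),
    and 'flags' (list of (kind, category, line) tuples), where kind is
    'added' or 'removed'.
    """
    base_lines, cur_lines = _config_lines(baseline), _config_lines(current)
    added, removed = [], []
    matcher = difflib.SequenceMatcher(a=base_lines, b=cur_lines, autojunk=False)
    for tag, i1, i2, j1, j2 in matcher.get_opcodes():
        if tag in ("delete", "replace"):
            removed.extend(base_lines[i1:i2])
        if tag in ("insert", "replace"):
            added.extend(cur_lines[j1:j2])
    flags = []
    for kind, lines in (("added", added), ("removed", removed)):
        for line in lines:
            for category, pattern in REVIEW_PATTERNS.items():
                if pattern.search(line):
                    flags.append((kind, category, line))
    return {
        "changed": config_fingerprint(baseline) != config_fingerprint(current),
        "added": added,
        "removed": removed,
        "flags": flags,
    }


if __name__ == "__main__":
    report = config_drift(BASELINE_CONFIG, CURRENT_CONFIG)
    print("config changed:", report["changed"])
    for kind, category, line in report["flags"]:
        print(f"[{kind}] {category}: {line.strip()}")
```

In practice the baseline would be the last configuration approved through the change-management process, pulled from version control or a configuration-management system, and the current config would be collected from the device on a schedule; any flagged line without a matching change ticket is a hunt lead, and a removed management ACL deserves the same attention as an added account.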
The full technical advisory, including detailed indicators of compromise and mitigation guidance, is available here.