NSA and allies warn that Chinese APT actors, including Salt Typhoon, are targeting critical infrastructure worldwide.

The U.S. National Security Agency (NSA), the UK’s National Cyber Security Centre (NCSC), and allied agencies warn that Chinese APT actors linked to Salt Typhoon are targeting telecommunications, government, transportation, lodging, and military sectors globally.

“The National Security Agency (NSA) and other U.S. and foreign organizations are releasing a joint Cybersecurity Advisory to expose advanced persistent threat (APT) actors sponsored by the Chinese government targeting telecommunications, government, transportation, lodging, and military infrastructure networks globally and outline appropriate mitigation guidance,” reads the report published by NSA. “The malicious activity outlined in the advisory partially overlaps with cybersecurity industry reporting on Chinese state-sponsored threat actors referred to by names such as Salt Typhoon.”

The joint Cybersecurity Advisory (CSA), titled “Countering Chinese State-Sponsored Actors Compromise of Networks Worldwide to Feed Global Espionage System,” links these malicious activities to multiple China-based entities, including Sichuan Juxinhe Network Technology Co. Ltd., Beijing Huanyu Tianqiong Information Technology Co., Ltd., and Sichuan Zhixin Ruijie Network Technology Co., Ltd.
These Chinese technology firms provide cyber products and services to China’s Ministry of State Security and People’s Liberation Army.

The advisory provides details on the tactics, techniques, and procedures (TTPs) associated with these nation-state actors.

“This activity partially overlaps with cyber threat actor reporting by the cybersecurity industry — commonly referred to as Salt Typhoon, OPERATOR PANDA, RedMike, UNC5807, and GhostEmperor, among others.”

Chinese APT actors gain initial access by exploiting known CVEs and weak configurations rather than zero-day exploits. They adapt their tactics as new flaws emerge and mitigations are applied, and are likely expanding to products such as Fortinet, Juniper, Microsoft Exchange, Nokia, Sierra Wireless, and SonicWall. Defenders are urged to prioritize patching historically exploited CVEs, especially on exposed network edge devices.

Some of the exploited vulnerabilities are:

CVE-2024-21887 – Ivanti Connect Secure and Ivanti Policy Secure web-component command injection vulnerability, commonly chained after CVE-2023-46805 (authentication bypass).

CVE-2024-3400 – Palo Alto Networks PAN-OS GlobalProtect arbitrary file creation leading to OS command injection.
The CVE allows for unauthenticated remote code execution (RCE) on firewalls when GlobalProtect is enabled on specific versions/configurations.

CVE-2023-20273 – Cisco Internetworking Operating System (IOS) XE software web management user interface post-authentication command injection/privilege escalation (commonly chained with CVE-2023-20198 for initial access to achieve code execution as root).

CVE-2023-20198 – Cisco IOS XE web user interface authentication bypass vulnerability.

CVE-2018-0171 – Cisco IOS and IOS XE Smart Install remote code execution vulnerability.

The nation-state actors use VPSs and compromised routers to target telecoms and ISPs, often exploiting edge devices, even those outside their primary targets, to pivot into networks. They abuse trusted interconnections, alter routing, enable traffic mirroring, and set up GRE/IPsec tunnels. Large-scale exploitation across many IPs is common, with repeated access attempts. The government experts state that initial access methods remain unclear and urge organizations to report compromise details to improve defenses.

The Chinese APTs maintain persistence by modifying ACLs to bypass security controls, opening standard and non-standard ports for remote access, and enabling or abusing SSH and HTTP/HTTPS services. They execute commands via SNMP, use stolen credentials and Tcl scripts, and configure GRE/IPsec tunnels to establish covert communication channels. On Cisco devices, they exploit Linux Guest Shell containers to stage tools, run Python, and move laterally undetected. They also use pivoting tools such as STOWAWAY for C2 and data exfiltration.

Chinese APT actors conduct lateral movement by exploiting authentication protocols (TACACS+, RADIUS), SNMP, and SSH to pivot across network devices. They collect configs, routing data (BGP, MPLS), and subscriber/customer records, and capture network traffic (PCAP) to harvest credentials, often via Cisco’s Embedded Packet Capture or by redirecting TACACS+ to actor-controlled servers.
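The persistence and collection steps described above (ACL edits, SSH or HTTP exposed on non-standard ports, GRE/IPsec tunnel interfaces, Guest Shell hosting, read-write SNMP communities, TACACS+ redirected to a foreign server, logging turned off) all leave traces in a device's running configuration, which makes a baseline diff one of the cheapest hunts available. The following added example, not code from the advisory or from Security Affairs, audits a Cisco IOS-style running-config against a small approved-value baseline. The baseline values, the sample config, and the documentation-range addresses in it are constructed assumptions, not indicators from the advisory.

```python
"""Audit a Cisco IOS / IOS XE running-config for the persistence and covert-channel
techniques the advisory describes. Added example; the baselines below are assumptions."""
import ipaddress
import re

# Constructed baseline (assumption): a real audit loads these from configuration management.
APPROVED_TACACS = {"10.0.0.5"}
APPROVED_SYSLOG = {"10.0.0.9"}
APPROVED_ADMINS = {"netops"}
MGMT_NETS = [ipaddress.ip_network("10.0.0.0/24")]


def blocks(config):
    """Split a running-config into (top-level line, [indented child lines]) pairs."""
    out = []
    for raw in config.splitlines():
        if not raw.strip() or raw.startswith("!"):
            continue
        if raw[0].isspace() and out:
            out[-1][1].append(raw.strip())
        elif not raw[0].isspace():
            out.append((raw.strip(), []))
    return out


def in_mgmt(ip):
    try:
        return any(ipaddress.ip_address(ip) in net for net in MGMT_NETS)
    except ValueError:
        return False


def audit(config):
    """Return (check, detail) findings; an empty list means nothing was flagged."""
    findings, syslog_hosts = [], set()
    for header, body in blocks(config):
        # Covert channels: tunnel interfaces (GRE is the IOS default tunnel mode)
        if header.startswith("interface Tunnel"):
            mode = next((b for b in body if b.startswith("tunnel mode")), "tunnel mode gre (default)")
            dest = next((b for b in body if b.startswith("tunnel destination")), "tunnel destination ?")
            findings.append(("tunnel", f"{header}: {mode}; {dest}"))
        # IOx / Guest Shell container hosting used to stage tools
        if header == "iox" or header.startswith("app-hosting appid"):
            findings.append(("container", header))
        # Web UI enabled (CVE-2023-20198 / CVE-2023-20273 chain) or SSH moved to a non-standard port
        if header in ("ip http server", "ip http secure-server"):
            findings.append(("web-ui", header))
        m = re.match(r"ip ssh port (\d+)", header)
        if m and m.group(1) != "22":
            findings.append(("ssh-port", header))
        # TACACS+ pointed at a server outside the baseline (credential harvesting)
        if header.startswith("tacacs server"):
            for b in body:
                m = re.match(r"address ipv4 (\S+)", b)
                if m and m.group(1) not in APPROVED_TACACS:
                    findings.append(("tacacs", f"{header} -> {m.group(1)}"))
        # Read-write SNMP community: a command-execution path over SNMP
        if re.match(r"snmp-server community \S+ RW", header, re.IGNORECASE):
            findings.append(("snmp-rw", header))
        # Privileged accounts not in the baseline
        m = re.match(r"username (\S+) privilege 15", header)
        if m and m.group(1) not in APPROVED_ADMINS:
            findings.append(("account", header))
        # Logging disabled, or shipped somewhere other than the approved collector
        if header.startswith("no logging"):
            findings.append(("logging", header))
        m = re.match(r"logging host (\S+)", header)
        if m:
            syslog_hosts.add(m.group(1))
        # ACL entries that permit specific hosts outside the management networks
        if header.startswith("ip access-list"):
            for b in body:
                m = re.search(r"permit \S+ host (\S+)", b)
                if m and not in_mgmt(m.group(1)):
                    findings.append(("acl", f"{header}: {b}"))
    if not syslog_hosts & APPROVED_SYSLOG:
        findings.append(("logging", "no approved syslog host configured"))
    return findings


# Constructed sample config; the addresses are documentation ranges, not real IoCs.
SAMPLE_CONFIG = """
iox
username netops privilege 15 secret REDACTED
username svc_backup privilege 15 secret REDACTED
ip access-list extended MGMT-IN
 permit tcp host 10.0.0.20 any eq 22
 permit tcp host 203.0.113.45 any eq 22
 deny ip any any
interface Tunnel100
 tunnel destination 198.51.100.77
tacacs server AAA-BACKUP
 address ipv4 198.51.100.80
ip http server
ip ssh port 2222 rotary 1
snmp-server community public RW
no logging console
logging host 198.51.100.90
"""
```

Running `audit(SAMPLE_CONFIG)` flags every planted change in the sample (container hosting, the extra privilege-15 account, the ACL entry for a non-management host, the tunnel, the second TACACS+ server, the web UI, the relocated SSH port, the RW community, and two logging problems); the same config with only approved values returns an empty list. The checks are deliberately simple string matches on `show running-config` output, so the script needs no device access and can run over configs already collected by a backup job.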
They create new accounts, reuse or brute-force weak credentials, run privileged SNMP/SSH/HTTP commands, update routing tables, and configure tunnels. To stay hidden, they disable or clear logs, revert configs, and even use Cisco Guest Shell containers to stage tools and avoid detection.

Chinese APT actors exploit peering connections, direct inter-network links without intermediaries, to exfiltrate data, often bypassing policy controls. They use multiple command-and-control channels to mask data theft within high-traffic areas such as proxies and NAT pools. Encrypted tunnels such as IPsec and GRE conceal command and exfiltration activities, complicating detection and mitigation efforts.

“The authoring agencies encourage network defenders of critical infrastructure organizations, especially telecommunications organizations, to perform threat hunting, and, when appropriate, incident response activities,” concludes the advisory. “If malicious activity is suspected or confirmed, organizations should consider all mandatory reporting requirements to relevant agencies and regulators under applicable laws and regulations, and any additional voluntary reporting to appropriate agencies, such as cybersecurity or law enforcement agencies who can provide incident response guidance and assistance with mitigation.”

Pierluigi Paganini

(SecurityAffairs – hacking, Chinese APT actors)
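Because the actors clear logs and revert configurations on the device itself, the telemetry worth hunting in is the copy that already left the box: config-change syslog and TACACS+ command accounting on a central collector. The following added example, not code from the advisory or from Security Affairs, triages such records for the evasion steps listed above (log clearing, config reverts, Guest Shell, packet capture, tunnel set-up) and for sessions that originate outside management networks. The log lines are constructed; their two formats are assumptions modelled on the IOS `archive log config` syslog message and a tac_plus-style accounting record, and the addresses are documentation ranges, not indicators from the advisory.

```python
"""Triage device command telemetry for the defence-evasion steps the advisory lists
and for sessions from outside management networks. Added example; the two log
formats (IOS 'archive log config' syslog and tac_plus-style accounting) are assumptions."""
import ipaddress
import re

MGMT_NETS = [ipaddress.ip_network("10.0.0.0/24")]  # constructed baseline

# Category -> patterns matched against the start of the logged command (lower-cased).
WATCHLIST = {
    "log-tampering":  (r"clear logging", r"no logging", r"no archive"),
    "config-revert":  (r"configure replace",),
    "guest-shell":    (r"guestshell", r"iox\b", r"app-hosting"),
    "packet-capture": (r"monitor capture",),
    "tunnel":         (r"interface tunnel", r"tunnel (mode|destination)", r"crypto (map|ikev2|isakmp)"),
    "remote-access":  (r"ip ssh port", r"ip http (secure-)?server", r"snmp-server community"),
    "aaa-redirect":   (r"tacacs server", r"tacacs-server host"),
}

# Config-mode commands logged by IOS when 'archive log config' is enabled.
CFGLOG_RE = re.compile(r"%PARSER-5-CFGLOG_LOGGEDCMD: User:(\S+)\s+logged command:(.*)$")
# Exec-mode commands from TACACS+ command accounting (assumed layout):
# <date> <nas-ip> <user> <port> <remote-ip> stop ... cmd=<command> <cr>
ACCT_RE = re.compile(r"\d{4} (\S+) (\S+) (\S+) (\S+) stop .*?cmd=(.+?)(?: <cr>)?$")


def parse_event(line):
    """Normalise either format to (user, source_ip or None, command); None if unrecognised."""
    m = CFGLOG_RE.search(line)
    if m:
        return m.group(1), None, m.group(2).strip()
    m = ACCT_RE.search(line)
    if m:
        return m.group(2), m.group(4), m.group(5).strip()
    return None


def classify(command):
    cmd = command.lower()
    return [cat for cat, pats in WATCHLIST.items() if any(re.match(p, cmd) for p in pats)]


def outside_mgmt(ip):
    if ip is None:  # CFGLOG lines carry no source address
        return False
    try:
        return not any(ipaddress.ip_address(ip) in net for net in MGMT_NETS)
    except ValueError:
        return True


def triage(lines):
    """One alert per event that hits the watchlist or comes from outside MGMT_NETS."""
    alerts = []
    for line in lines:
        ev = parse_event(line)
        if ev is None:
            continue
        user, src, cmd = ev
        cats = classify(cmd)
        if outside_mgmt(src):
            cats.append("non-mgmt-source")
        if cats:
            alerts.append({"user": user, "source": src, "command": cmd, "categories": cats})
    return alerts


# Constructed sample telemetry; addresses are documentation ranges, not real IoCs.
SAMPLE_LOGS = [
    "<189>Sep  3 10:02:40 EDGE-RTR-01 %PARSER-5-CFGLOG_LOGGEDCMD: User:svc_backup  logged command:interface Tunnel100",
    "<189>Sep  3 10:02:41 EDGE-RTR-01 %PARSER-5-CFGLOG_LOGGEDCMD: User:svc_backup  logged command:tunnel destination 198.51.100.77",
    "<189>Sep  3 10:05:12 EDGE-RTR-01 %PARSER-5-CFGLOG_LOGGEDCMD: User:svc_backup  logged command:no logging buffered",
    "Wed Sep  3 10:09:30 2025 10.0.0.1 svc_backup vty1 198.51.100.77 stop task_id=12 service=shell priv-lvl=15 cmd=monitor capture CAP interface GigabitEthernet0/0 both <cr>",
    "Wed Sep  3 10:09:55 2025 10.0.0.1 svc_backup vty1 198.51.100.77 stop task_id=13 service=shell priv-lvl=15 cmd=clear logging <cr>",
    "Wed Sep  3 11:00:30 2025 10.0.0.1 netops vty2 10.0.0.20 stop task_id=21 service=shell priv-lvl=15 cmd=show running-config <cr>",
    "<189>Sep  3 11:01:00 EDGE-RTR-01 %PARSER-5-CFGLOG_LOGGEDCMD: User:netops  logged command:interface GigabitEthernet0/1",
]
```

`triage(SAMPLE_LOGS)` yields five alerts for the `svc_backup` session (tunnel creation, log disabling, packet capture and log clearing, the last two also tagged as coming from a non-management address) and none for the routine `netops` activity. The point of keeping both parsers is that `clear logging` and `monitor capture` are exec-mode commands, so they never appear in the config-change log; without command accounting shipped off-box, the log-clearing step described above erases the only local record of itself.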