
External Attack Surface Management and Digital Risk Protection

📰 1 unique source, 1 article

Summary


External Attack Surface Management (EASM) and Digital Risk Protection (DRP) tools are increasingly important for securing external-facing IT infrastructure. They automate the discovery and monitoring of internet-exposed assets so that organizations can identify and mitigate risks before they become security incidents. EASM focuses on discovering and mapping assets; DRP monitors external channels for threats to the organization and provides early detection and response capabilities. Digital attack surfaces are dynamic and often partly invisible to their owners, spanning multiple providers, regions, and development teams, which makes manual verification impractical. Automated tools continuously map these assets so that forgotten or misconfigured resources do not become entry points for attackers. Integrating EASM and DRP findings into existing security workflows enables proactive risk management, reducing the likelihood of costly incidents and improving the overall security posture.

Timeline

  1. 14.08.2025 14:25 📰 1 article

    EASM and DRP Tools Enhance External IT Infrastructure Security

Information Snippets

  • EASM tools continuously map internet-facing assets, discovering resources that may have been forgotten or overlooked.

    First reported: 14.08.2025 14:25
    📰 1 source, 1 article
  • DRP platforms monitor external threats across social media, underground forums, and data leak sites, providing immediate alerts when threats are detected.

  • Automated EASM and DRP tools help identify and mitigate risks before they become security incidents.

  • Organizations' attack surfaces can span multiple providers, regions, and development teams, making manual verification nearly impossible.

  • EASM and DRP tools can be integrated into existing security workflows, providing proactive risk management and reducing the likelihood of security incidents.

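The snippets above describe what EASM tooling automates (continuously mapping internet-facing assets and surfacing forgotten ones) and how its output is fed into existing workflows. The following is an added example, not code from the page or from any EASM or DRP product: a minimal reconciliation step that compares a discovery snapshot against the organization's approved inventory, alerts only on findings new since the previous run, and routes them to owning teams. The inventory, hostnames, ports, team names and both snapshots are constructed for the example.

```python
"""EASM-style reconciliation of discovered internet-facing assets.

Added example, not code from the CyberHappenings page or from any vendor
tool. It shows the core step EASM tools automate: compare what is actually
reachable from the internet against what the organization believes it
owns, and turn the differences into routed findings. All inventory and
scan data below are constructed for the example.
"""
from dataclasses import dataclass
from typing import Dict, List, Set

# Constructed approved inventory: hostname -> owning team and the ports that
# team has approved for external exposure.
INVENTORY: Dict[str, dict] = {
    "www.example.com": {"owner": "web", "ports": {443}},
    "api.example.com": {"owner": "platform", "ports": {443}},
    "vpn.example.com": {"owner": "netops", "ports": {443, 1194}},
}

# Constructed discovery snapshots, shaped like the output of an external scan
# (hostnames from DNS and certificate enumeration, plus observed open ports).
SNAPSHOT_DAY1: Dict[str, Set[int]] = {
    "www.example.com": {443},
    "api.example.com": {443},
    "vpn.example.com": {443, 1194},
}
SNAPSHOT_DAY2: Dict[str, Set[int]] = {
    "www.example.com": {443},
    "api.example.com": {443, 9200},          # unapproved port now listening
    "staging-old.example.com": {80, 8080},   # host nobody put in the inventory
    # vpn.example.com no longer answers: decommissioned, or now filtered
}


@dataclass(frozen=True)
class Finding:
    host: str
    kind: str        # unknown_asset | unexpected_port | missing_asset
    detail: str
    severity: str
    owner: str       # team to route to; "unassigned" for unknown assets


def reconcile(inventory: Dict[str, dict],
              discovered: Dict[str, Set[int]]) -> List[Finding]:
    """Compare one discovery snapshot against the approved inventory."""
    findings: List[Finding] = []
    for host, ports in sorted(discovered.items()):
        if host not in inventory:
            # Forgotten or shadow asset: highest priority, no known owner.
            findings.append(Finding(host, "unknown_asset",
                                    f"open ports {sorted(ports)}",
                                    "high", "unassigned"))
            continue
        extra = ports - inventory[host]["ports"]
        if extra:
            findings.append(Finding(host, "unexpected_port",
                                    f"ports {sorted(extra)} not approved",
                                    "medium", inventory[host]["owner"]))
    for host, meta in sorted(inventory.items()):
        if host not in discovered:
            # Not necessarily a risk, but the inventory is now stale.
            findings.append(Finding(host, "missing_asset",
                                    "in inventory but not observed",
                                    "low", meta["owner"]))
    return findings


def new_since(previous: List[Finding], current: List[Finding]) -> List[Finding]:
    """Continuous monitoring: alert only on findings absent from the last run."""
    seen = {(f.host, f.kind) for f in previous}
    return [f for f in current if (f.host, f.kind) not in seen]


def route(findings: List[Finding]) -> Dict[str, List[Finding]]:
    """Group findings by owning team for hand-off into existing ticket queues."""
    queues: Dict[str, List[Finding]] = {}
    for f in findings:
        queues.setdefault(f.owner, []).append(f)
    return queues


if __name__ == "__main__":
    day1 = reconcile(INVENTORY, SNAPSHOT_DAY1)   # clean baseline: no findings
    day2 = reconcile(INVENTORY, SNAPSHOT_DAY2)
    for owner, items in route(new_since(day1, day2)).items():
        for f in items:
            print(f"[{f.severity}] {owner}: {f.host} {f.kind} ({f.detail})")
```

Running it prints one high finding for the unknown staging host, one medium finding for the unapproved port on the API host, and one low finding for the VPN host that dropped out of the scan. The keying in `new_since` on (host, kind) rather than on the full record is deliberate: it keeps a port list that changes slightly between scans from re-alerting every day, which is the kind of noise that stops teams acting on EASM output.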

Similar Happenings

Chinese State-Sponsored Actors Compromise Global Critical Infrastructure Networks

Chinese state-sponsored Advanced Persistent Threat (APT) actors, including the group tracked as Salt Typhoon, have been conducting a sustained campaign to gain long-term access to critical infrastructure networks worldwide. The campaign targets telecommunications, transportation, lodging, and military networks, exploiting vulnerabilities in routers and taking steps to evade detection and maintain persistent access. The Cybersecurity and Infrastructure Security Agency (CISA), in coordination with the National Security Agency (NSA), the Federal Bureau of Investigation (FBI), and international partners, released a joint advisory detailing this ongoing malicious activity and providing actionable guidance and intelligence to help organizations defend against it. The advisory builds on previous reporting and incorporates updated threat intelligence from investigations conducted through August 2025, noting indicators that overlap with industry reporting on various Chinese state-sponsored threat groups. Salt Typhoon has been active since at least 2019 and has targeted at least 600 organizations in 80 countries, including 200 in the U.S. The Czech Republic's National Cyber and Information Security Agency (NUKIB) issued a warning about data transfers to China, highlighting concerns over the transfer of system and user data to the PRC and the remote administration of technical assets. The Czech government previously accused China of targeting its critical infrastructure through APT31 in a campaign that began in 2022. China's offensive cyber activities include large-scale telecommunications attacks by Salt Typhoon and pre-positioning for potential destructive cyberattacks. The advisory attributes this cluster of activity to multiple APTs; it partially overlaps with the activity industry tracks as Salt Typhoon.
The advisory details how state-backed threat actors, including Salt Typhoon, penetrate networks around the world and how defenders can protect their own environments. NUKIB has assessed the risk of significant disruptions caused by China as 'High', indicating a high probability of occurrence, and confirmed malicious activity by Chinese cyber actors targeting the Czech Republic, including a recent APT31 campaign against the Czech Ministry of Foreign Affairs. NUKIB also warns that the Chinese government can obtain access to data stored by private cloud service providers within the Czech Republic, keeping sensitive data within its reach, and flags consumer devices and products made by Chinese firms, such as smartphones, IP cameras, electric cars, large language models, medical devices, and photovoltaic converters, as risky because they can transfer potentially sensitive data to Chinese infrastructure. Separately, 45 previously unreported domains associated with Salt Typhoon and UNC4841 have been discovered, with the oldest registration activity dating back to May 2020.

Murky Panda, Genesis Panda, and Glacial Panda Target Cloud and Telecom Sectors

Chinese cyber espionage groups Murky Panda, Genesis Panda, and Glacial Panda have escalated their activities targeting cloud and telecom sectors. Murky Panda exploits trusted cloud relationships and zero-day vulnerabilities to breach enterprise networks. They also compromise cloud service providers to gain access to downstream customer environments. Genesis Panda targets cloud services for lateral movement and persistence. Glacial Panda focuses on telecom organizations to exfiltrate call detail records and related telemetry. Murky Panda, also known as Silk Typhoon, has been active since at least 2021, targeting government, technology, academic, legal, and professional services entities in North America. They exploit internet-facing appliances, SOHO devices, and known vulnerabilities in Citrix and Commvault to gain initial access. They deploy web shells and custom malware like CloudedHope to maintain persistence. Genesis Panda, active since January 2024, targets financial services, media, telecommunications, and technology sectors across 11 countries. They exploit cloud-hosted systems for lateral movement and persistence, using compromised credentials to burrow deeper into cloud accounts. Glacial Panda has seen a 130% increase in activity targeting the telecom sector, focusing on Linux systems and legacy operating systems. They exploit known vulnerabilities and weak passwords to gain access and deploy trojanized OpenSSH components for credential harvesting.

Storm-0501 Ransomware Campaign Targets Hybrid Cloud Environments

A threat group tracked as Storm-0501 compromised hybrid cloud environments in a campaign targeting the government, manufacturing, transportation, law enforcement, education, and healthcare sectors. The group used compromised credentials and overprivileged accounts to move between cloud and on-premises environments, aiming to generate revenue through a ransomware affiliate scheme. The attack highlights the difficulty of maintaining a consistent security posture across multicloud and hybrid-cloud environments: over 75% of companies use multiple cloud providers, exposing high-value assets to potential attacks, and the incident underscores the need for unified security platforms and consistent policies to disrupt attack chains and improve visibility across environments. Storm-0501 has used various ransomware-as-a-service (RaaS) strains, including Embargo, Hunters International, Hive, BlackCat/ALPHV, LockBit, and Sabbath. It has evolved its tactics to exploit weak credentials for lateral movement from on-premises to cloud environments, achieving cloud-based ransomware impact through cloud privilege escalation and by exploiting visibility gaps. The group relies on access brokers such as Storm-0249 and Storm-0900 for initial access and exploits vulnerabilities in Zoho ManageEngine, Citrix NetScaler, and Adobe ColdFusion 2016. It employs Evil-WinRM and DCSync attacks for lateral movement and credential extraction, and targets non-human identities holding Global Admin roles without MFA for privilege escalation. The group registers a threat actor-owned Entra ID tenant as a trusted federated domain to create a backdoor, and after exfiltration mass-deletes Azure resources to prevent data recovery. Microsoft has updated Entra ID and Entra Connect to mitigate Storm-0501's tactics and recommends enabling TPM on Entra Connect Sync servers for added protection.