
Chinese State-Sponsored Actors Compromise Global Critical Infrastructure Networks

📰 4 unique sources, 6 articles

Summary


Chinese state-sponsored Advanced Persistent Threat (APT) actors, including the group tracked by industry as Salt Typhoon, have been conducting a sustained campaign to gain long-term access to critical infrastructure networks worldwide. The campaign targets telecommunications, transportation, lodging, and military networks, exploits vulnerabilities in routers and other edge devices, and takes deliberate steps to evade detection and maintain persistent access. The Cybersecurity and Infrastructure Security Agency (CISA), in coordination with the National Security Agency (NSA), the Federal Bureau of Investigation (FBI), and international partners, released a joint advisory detailing the ongoing activity, with actionable guidance and intelligence to help organizations defend against it. The advisory builds on previous reporting and incorporates threat intelligence from investigations conducted through August 2025; its indicators overlap with industry reporting on several Chinese state-sponsored groups, and it attributes the cluster to multiple APTs that only partially overlap with Salt Typhoon. Industry reporting places Salt Typhoon's activity as far back as 2019 and counts at least 600 victim organizations in 80 countries, about 200 of them in the U.S. Separately, the Czech Republic's National Cyber and Information Security Agency (NUKIB) issued a warning about data transfers to China, highlighting the transfer of system and user data to the PRC and the remote administration of technical assets from there. The Czech government had previously accused China of targeting its critical infrastructure through APT31, beginning in 2022. China's offensive cyber activity includes large-scale telecommunications intrusions by Salt Typhoon and pre-positioning for potential destructive attacks.
The advisory describes how state-backed actors, Salt Typhoon among them, penetrate networks around the world, and how defenders can protect their own environments. NUKIB rates the risk of significant disruptions caused by China as 'High', meaning a high probability of occurrence, and has confirmed malicious activity by Chinese cyber actors against the Czech Republic, including a recent APT31 campaign against the Czech Ministry of Foreign Affairs. NUKIB also warns that the Chinese government can reach data held by private cloud service providers subject to PRC law, even when the data is stored in the Czech Republic, so sensitive data placed with such providers remains within its reach. It flags products and devices from Chinese manufacturers, such as smartphones, IP cameras, electric cars, large language models, medical devices and photovoltaic converters, as risky because they can transfer potentially sensitive data to Chinese infrastructure. In addition, threat hunters have identified 45 previously unreported domains associated with Salt Typhoon and UNC4841, the oldest registered in May 2020.

Timeline

  1. 09.09.2025 03:27 (1 article)

    Discovery of 45 Previously Unreported Domains Linked to Salt Typhoon

    On September 9, 2025, threat hunters disclosed 45 previously unreported domains associated with the Chinese state-sponsored group Salt Typhoon and with UNC4841. The oldest registration dates to May 2020, indicating that Salt Typhoon's infrastructure was being built earlier than previously known. The domain set overlaps to some degree with UNC4841, the cluster known for exploiting the Barracuda Email Security Gateway flaw CVE-2023-2868. Salt Typhoon has been active since at least 2019 and shows similarities to Earth Estries, FamousSparrow, GhostEmperor, and UNC5807. The oldest domain identified is onlineeylity[.]com, registered on May 19, 2020. Organizations are urged to search their DNS logs for requests to these domains or any of their subdomains, and to check for connections to the listed IP addresses, but only within the periods during which the actors operated them, since the addresses may have since been reassigned to unrelated owners.

  2. 04.09.2025 23:04 (2 articles)

    Czech Republic Issues Warning on Data Transfers to China

    On September 4, 2025, the Czech Republic's National Cyber and Information Security Agency (NUKIB) issued a warning about data transfers to China. The warning highlights the transfer of system and user data to the PRC and the remote administration of technical assets from there. The Czech government had previously accused China of targeting its critical infrastructure through APT31, beginning in 2022. China's offensive cyber activity includes large-scale telecommunications intrusions by Salt Typhoon and pre-positioning for potential destructive attacks; CrowdStrike reported a 150% year-over-year increase in Chinese intrusion activity and a 40% jump in cloud-targeting operations. The Czech warning advises individuals and organizations to restrict or prohibit the use of products and services that transfer data to China, framing the concern as one of national resilience and the ability to recover from digital disruption rather than privacy alone. On September 7, 2025, NUKIB reassessed the risk of significant disruptions caused by China and rated it 'High'. The agency confirmed malicious activity by Chinese cyber actors against the Czech Republic, including a recent APT31 campaign against the Czech Ministry of Foreign Affairs, and warned that consumer devices made by Chinese firms can transfer potentially sensitive data to Chinese infrastructure. It asks critical infrastructure organizations to include the threat in their risk analysis and to decide on measures to mitigate it.

  3. 27.08.2025 15:00 (3 articles)

    CISA, NSA, FBI, and Partners Release Joint Advisory on Chinese State-Sponsored APT Campaign

    On August 27, 2025, CISA, NSA, FBI, and international partners released a joint advisory detailing an ongoing campaign by Chinese state-sponsored APT actors to compromise critical infrastructure networks worldwide. The advisory provides updated threat intelligence and actionable mitigations, highlights the actors' tactics, including exploitation of router vulnerabilities and evasion techniques, and notes that its indicators overlap with industry reporting on several Chinese state-sponsored threat groups. It was co-signed by authorities from 13 countries: Australia, Canada, the Czech Republic, Finland, Germany, Italy, Japan, the Netherlands, New Zealand, Poland, Spain, the U.K., and the U.S., reflecting a coordinated global effort against the threat posed by Salt Typhoon. The advisory attributes the cluster to multiple APTs that partially overlap with Salt Typhoon, and the accompanying reporting describes the group in detail: the activity tracked in the advisory dates to at least 2021 (industry reporting places the group's origins in 2019), with at least 600 victim organizations in 80 countries, about 200 of them in the U.S. Salt Typhoon exploits vulnerabilities in edge network devices from several vendors, modifies router configurations for persistent access, and abuses authentication protocols for lateral movement. The advisory describes how the actors penetrate networks and how defenders can protect their environments, and lists the tactics observed: modifying Access Control Lists (ACLs) to add their own IP addresses, opening standard and non-standard ports, enabling SSH servers, opening external-facing ports on network devices, creating tunnels over various protocols, and enumerating and altering the configuration of other devices on the network, among others.
    The vulnerabilities the advisory lists as exploited include the Ivanti Connect Secure and Ivanti Policy Secure web-component command injection CVE-2024-21887, the Palo Alto Networks PAN-OS GlobalProtect OS command injection CVE-2024-3400, the Cisco IOS XE flaws CVE-2023-20273 and CVE-2023-20198, and the older Cisco IOS/IOS XE Smart Install flaw CVE-2018-0171. Its recommended detections are to monitor network device configurations for changes, check virtualized containers on devices for signs of tampering, audit network services and tunnels, hunt for the protocol patterns the actors favor, review logs, and verify the integrity of firmware and software.

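One way to run the DNS-log hunt that the September 9 entry recommends, as an added example rather than code from the original reporting: the only real indicator it uses is onlineeylity[.]com; the second domain, the IP address, its operator window, the log format and the log lines are constructed for illustration. The two things it shows are label-aligned subdomain matching (so that a lookalike such as notonlineeylity.com does not fire) and restricting IP matches to the window in which the actor controlled the address.

```python
"""Hunt DNS and connection logs for Salt Typhoon style indicators.

Added example, not code from the original reporting.  onlineeylity[.]com is
the one domain named in the reporting; every other domain, IP address,
operator window and log line below is constructed for illustration.
"""
from __future__ import annotations

from datetime import datetime, timezone

# Defanged indicators, as threat-intel feeds publish them.  The second entry
# is a placeholder, not a real indicator.
IOC_DOMAINS = ["onlineeylity[.]com", "placeholder-c2-example[.]net"]

# IP indicators with the window in which the actor controlled them (assumed
# values).  A hit outside the window is noise: the address may have been
# reassigned to an unrelated owner since.
IOC_IPS = {
    "203.0.113.45": (datetime(2021, 3, 1, tzinfo=timezone.utc),
                     datetime(2022, 9, 30, tzinfo=timezone.utc)),
}


def refang(indicator: str) -> str:
    """Turn onlineeylity[.]com back into a matchable, normalised hostname."""
    return indicator.replace("[.]", ".").lower().rstrip(".")


def domain_matches(qname: str, ioc: str) -> bool:
    """True if qname is the IOC itself or a subdomain of it.

    The match is label-aligned: 'notonlineeylity.com' must not match
    'onlineeylity.com', so we require either equality or a '.' boundary.
    """
    q = qname.lower().rstrip(".")
    return q == ioc or q.endswith("." + ioc)


def parse_line(line: str) -> dict:
    """Parse the constructed log format '<iso-ts> <client> <kind> <value>'.

    kind is 'dns' (value = queried name) or 'conn' (value = destination IP).
    """
    ts, client, kind, value = line.split()
    return {"ts": datetime.fromisoformat(ts), "client": client,
            "kind": kind, "value": value}


def hunt(lines):
    """Return (client, kind, value, matched_indicator) for every hit."""
    domains = [refang(d) for d in IOC_DOMAINS]
    hits = []
    for line in lines:
        rec = parse_line(line)
        if rec["kind"] == "dns":
            for d in domains:
                if domain_matches(rec["value"], d):
                    hits.append((rec["client"], "dns", rec["value"], d))
                    break
        elif rec["kind"] == "conn":
            window = IOC_IPS.get(rec["value"])
            # Only count the IP while the actor actually operated it.
            if window and window[0] <= rec["ts"] <= window[1]:
                hits.append((rec["client"], "conn", rec["value"], "in-window"))
    return hits


# Constructed sample log: one true DNS hit, one in-window connection, one
# lookalike domain, and one connection to the IOC IP after the window closed.
SAMPLE_LOG = """\
2021-06-12T08:15:00+00:00 10.1.1.7 dns update.onlineeylity.com
2021-06-12T08:15:02+00:00 10.1.1.7 conn 203.0.113.45
2021-06-12T09:00:00+00:00 10.1.1.9 dns notonlineeylity.com
2024-01-05T12:00:00+00:00 10.1.1.9 conn 203.0.113.45
2024-01-05T12:01:00+00:00 10.1.1.9 dns www.example.com
""".splitlines()


if __name__ == "__main__":
    for hit in hunt(SAMPLE_LOG):
        print("HIT", *hit)
```

In a real hunt the IOC lists would come from the published indicators and the parser from whatever the resolver or firewall actually emits; the label-boundary check and the per-IP time window are the parts worth carrying over unchanged.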
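The first recommendation in the August 27 entry, monitoring network device configurations for changes, as an added example that is not part of the advisory or any vendor tool: two constructed IOS-style configuration snapshots are compared and the added lines are classified against the tactics the advisory lists (new ACL permit entries, SSH enablement, non-standard service ports, new tunnels). The hostnames, addresses and the rule set are assumptions; the point is that a line-level diff against a known-good baseline is enough to surface every tactic on that list.

```python
"""Flag suspicious changes between two snapshots of a network device config.

Added example, not part of the advisory or any vendor tool.  The two
IOS-style configurations below are constructed; the detection rules mirror
the tactics the advisory lists (ACL changes, SSH enablement, non-standard
ports, new tunnels) and nothing else.
"""
import re

# Known-good snapshot taken at deployment (constructed).
BASELINE = """\
hostname edge-rtr-1
ip access-list extended MGMT-IN
 permit tcp 10.0.0.0 0.0.0.255 any eq 22
line vty 0 4
 transport input none
"""

# Later snapshot showing the kind of edits the advisory describes (constructed):
# an actor IP added to the management ACL, SSH enabled on a non-standard
# port, and a GRE tunnel back to the actor address.
CURRENT = """\
hostname edge-rtr-1
ip access-list extended MGMT-IN
 permit tcp 10.0.0.0 0.0.0.255 any eq 22
 permit tcp host 198.51.100.23 any eq 22
ip ssh port 2222
ip ssh version 2
interface Tunnel100
 tunnel source GigabitEthernet0/0
 tunnel destination 198.51.100.23
 tunnel mode gre ip
line vty 0 4
 transport input ssh
"""

# (category, pattern) evaluated in order; first match wins.
RULES = [
    ("acl_permit_added", re.compile(r"^\s*permit\s")),
    ("ssh_enabled", re.compile(r"^(ip ssh version|\s*transport input (ssh|all))")),
    ("nonstandard_port", re.compile(r"^ip (ssh|http) port (\d+)")),
    ("tunnel_added", re.compile(r"^interface Tunnel|^\s*tunnel mode")),
]
DEFAULT_PORTS = {"ssh": 22, "http": 80}


def added_lines(baseline, current):
    """Lines present in current but not in baseline (order-insensitive)."""
    base = set(baseline.splitlines())
    return [l for l in current.splitlines() if l and l not in base]


def classify(line):
    """Map one added config line to a finding category, or None."""
    for name, rx in RULES:
        m = rx.match(line)
        if not m:
            continue
        if name == "nonstandard_port":
            svc, port = m.group(1), int(m.group(2))
            if port == DEFAULT_PORTS[svc]:
                continue  # default port is not a finding
        return name
    return None


def findings(baseline, current):
    """Return (category, stripped_line) for every suspicious added line."""
    out = []
    for line in added_lines(baseline, current):
        cat = classify(line)
        if cat:
            out.append((cat, line.strip()))
    return out


if __name__ == "__main__":
    for cat, line in findings(BASELINE, CURRENT):
        print(f"{cat:18} {line}")
```

A set difference only reports additions, so pair it with a check for removed lines (a deleted logging or AAA statement is just as interesting) and with the firmware and software integrity checks the advisory also recommends; a config that looks clean on a device whose image has been replaced proves little.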


Similar Happenings

APT41 Targets U.S. Trade Officials in Cyber Espionage Campaign

The House Select Committee on China has issued a warning about ongoing cyber espionage campaigns by China-linked APT41 targeting U.S. trade officials and related organizations. The attacks involve phishing emails impersonating U.S. officials to steal sensitive information. The campaign coincides with contentious U.S.-China trade negotiations. The threat actors exploit software and cloud services to cover their tracks. The attacks aim to steal valuable data and gain unauthorized access to systems. The committee has noted similar tactics used in previous campaigns, including a January 2025 spear-phishing attempt targeting committee staffers. The FBI is investigating the ongoing cyber espionage campaign. APT41 has been known to conduct financially motivated activities in addition to state-sponsored espionage. The group has targeted various sectors, including logistics, utilities, healthcare, high-tech, and telecommunications. The committee recommends user awareness phishing training, mandatory multifactor authentication, FIDO keys, and appropriate email gateway and endpoint security tools to mitigate such attacks.

Increased network scans targeting Cisco ASA devices observed

In late August 2025, a significant surge in network scans targeting Cisco ASA devices was observed. The scans, originating from up to 25,000 unique IP addresses, probed ASA login portals and Cisco IOS Telnet/SSH. The activity was largely driven by a Brazilian botnet using overlapping Chrome-like user agents. The scans predominantly targeted the United States, with notable activity also seen in the UK and Germany. The scans may indicate reconnaissance efforts for exploiting new vulnerabilities. System administrators are advised to apply the latest security updates, enforce multi-factor authentication, and avoid exposing sensitive endpoints directly. Additional measures include using VPN concentrators, reverse proxies, or access gateways to enforce access controls and blocking known malicious IP addresses.

Kazakhstan's KazMunayGas Phishing Test Mistaken for Noisy Bear Campaign

In May 2025, Kazakhstan's state-owned oil and gas company KazMunayGas ran an internal phishing test that was initially reported as a cyber espionage campaign by a new threat group. Seqrite Labs attributed the activity to a group it tracked as Noisy Bear, assessed to be of Russian origin and active since at least April 2025, before it emerged that the emails were part of an exercise to train employees to recognise and report phishing. The emails were sent from a compromised internal address belonging to a finance department employee and impersonated mundane company business: policy updates, internal certification procedures, work schedules, incentive systems, and salary adjustments. Each carried a ZIP attachment containing a decoy document, a README.txt with instructions, and a Windows shortcut named "Salary Schedule.lnk". The LNK file downloaded a batch script that in turn retrieved a PowerShell loader dubbed DownShell, made up of two scripts: one that undermines the Windows Antimalware Scan Interface (AMSI) to hinder analysis, and one that performs CreateRemoteThread injection to establish a reverse shell, with a DLL-based implant as the final stage.
Seqrite's analysis tied the infrastructure to Aeza Group, a sanctioned Russian bulletproof hosting provider, and found infrastructure and tooling overlaps with other attacks in Central Asia, suggesting a broader campaign; the choice of Kazakhstan's largest, state-owned oil and gas company as target gave the activity apparent geopolitical weight. The episode highlights the need for clear communication between security researchers and the organizations they observe, so that authorized exercises are not reported as genuine threats.

Multi-year phishing-as-a-service operation on Google Cloud and Cloudflare

A large-scale phishing-as-a-service (PhaaS) operation has been running undetected for over three years on Google Cloud and Cloudflare platforms. The scheme involved 48,000 hosts and 80 clusters, using expired domains to impersonate high-profile brands and deliver malware and gambling content. The operation exposed companies to regulatory and legal risks and victims to credential theft and data exposure. The campaign was discovered by Deep Specter Research, which found that the operation used cloaking techniques to manipulate search engine rankings and hide illicit content. The infrastructure included 86 physical IP addresses on Google Cloud in Hong Kong and Taiwan, along with 44,000 virtual IP addresses from Google Cloud and 4,000 from other providers. The operation impacted 200 known organizations, including Fortune 500 companies. The discovery highlights the need for companies to actively monitor and secure their expired or dormant domains to prevent such abuses.

Iranian Homeland Justice Group Targets Global Embassies in Phishing Campaign

An Iranian-aligned group, Homeland Justice, has conducted a coordinated, multi-wave spear-phishing campaign targeting embassies and consulates in Europe and other regions. The campaign involves sending spear-phishing emails disguised as legitimate diplomatic communications to deploy malware. The phishing emails exploit geopolitical tensions and use compromised email accounts to send malicious Microsoft Word documents. The malware establishes persistence, contacts a command-and-control server, and harvests system information. The campaign is part of a broader regional espionage effort aimed at diplomatic and governmental entities during a time of heightened geopolitical tension. The campaign began on August 19, 2025, and targeted around four dozen embassies, consulates, and government ministries globally, as well as various international organizations. The campaign is assessed to have concluded shortly after it began, with the attackers' command-and-control infrastructure appearing inactive.