Chinese State-Sponsored Actors Targeting Global Critical Infrastructure
Summary
Chinese state-sponsored Advanced Persistent Threat (APT) actors, specifically the Salt Typhoon group, are conducting a sustained campaign to gain long-term access to critical infrastructure networks worldwide. These actors exploit vulnerabilities in routers and other edge network devices used by telecommunications providers, ISPs, and other infrastructure operators. The campaign targets telecommunications, transportation, lodging, government, and military networks. The actors employ tactics to evade detection and maintain persistent access, posing a significant threat to national and economic security. The advisory provides actionable guidance to help organizations strengthen their defenses and protect critical systems. The campaign has targeted at least 600 organizations across 80 countries, including 200 in the U.S. The advisory details how state-backed threat actors, including Salt Typhoon, penetrate networks around the world and how defenders can protect their own environments. The advisory tracks this cluster of activity to multiple advanced persistent threats (APTs), though it partially overlaps with Salt Typhoon. The advisory notes that the actors have had considerable success exploiting publicly known vulnerabilities, including Ivanti Connect Secure, Ivanti Policy Secure, Palo Alto Networks PAN-OS, and Cisco IOS XE vulnerabilities. The advisory suspects that the APT actors may target other devices, including Fortinet firewalls, Juniper firewalls, Microsoft Exchange, Nokia routers and switches, Sierra Wireless devices, and Sonicwall firewalls. The actors use multiple tactics to maintain persistence, including modifying Access Control Lists (ACLs), opening standard and non-standard ports, enabling SSH servers, and creating tunnels over protocols. The actors target protocols and infrastructure involved in authentication, such as Terminal Access Controller Access Control System Plus (TACACS+), to facilitate lateral movement across network devices. 
The advisory provides extensive recommendations for mitigating these threats, including monitoring network device configuration changes, auditing network services and tunnels, and checking logs for integrity. The advisory highlights a critical shift in Chinese state-sponsored activity from pure espionage to gaining long-term access for potential disruption. 45 previously unreported domains associated with Salt Typhoon and UNC4841 have been discovered, dating back to May 2020. The oldest domain identified is onlineeylity[.]com, registered on May 19, 2020. The domains were registered using Proton Mail email addresses and fake personas. The domains point to high-density and low-density IP addresses, with the earliest activity traced back to October 2021. The domains are linked to Chinese cyber espionage campaigns, with potential overlaps between Salt Typhoon and UNC4841.
Timeline
- 09.09.2025 03:27 · 1 article
45 Previously Unreported Domains Linked to Salt Typhoon and UNC4841
45 previously unreported domains associated with Salt Typhoon and UNC4841 have been discovered, dating back to May 2020. The oldest domain identified is onlineeylity[.]com, registered on May 19, 2020. The domains were registered using Proton Mail email addresses and fake personas. The domains point to high-density and low-density IP addresses, with the earliest activity traced back to October 2021. The domains are linked to Chinese cyber espionage campaigns, with potential overlaps between Salt Typhoon and UNC4841.
  Sources:
  - 45 Previously Unreported Domains Expose Longstanding Salt Typhoon Cyber Espionage · thehackernews.com · 09.09.2025 03:27
- 28.08.2025 17:04 · 2 articles
Salt Typhoon Targets 600 Organizations in 80 Countries
The actors use multiple tactics to maintain persistence, including modifying Access Control Lists (ACLs), opening standard and non-standard ports, enabling SSH servers, and creating tunnels over protocols. The actors target protocols and infrastructure involved in authentication, such as Terminal Access Controller Access Control System Plus (TACACS+), to facilitate lateral movement across network devices.
  Sources:
  - Salt Typhoon Exploits Flaws in Edge Network Devices to Breach 600 Organizations Worldwide · thehackernews.com · 28.08.2025 17:04
  - CISA, FBI, NSA Warn of Chinese 'Global Espionage System' · www.darkreading.com · 28.08.2025 23:10
- 27.08.2025 15:00 · 4 articles
Joint Advisory on Chinese State-Sponsored Actors Targeting Global Critical Infrastructure
The advisory details how state-backed threat actors, including Salt Typhoon, penetrate networks around the world and how defenders can protect their own environments. The advisory tracks this cluster of activity to multiple advanced persistent threats (APTs), though it partially overlaps with Salt Typhoon. The advisory notes that the actors have had considerable success exploiting publicly known vulnerabilities, including Ivanti Connect Secure, Ivanti Policy Secure, Palo Alto Networks PAN-OS, and Cisco IOS XE vulnerabilities. The advisory suspects that the APT actors may target other devices, including Fortinet firewalls, Juniper firewalls, Microsoft Exchange, Nokia routers and switches, Sierra Wireless devices, and Sonicwall firewalls. The advisory provides extensive recommendations for mitigating these threats, including monitoring network device configuration changes, auditing network services and tunnels, and checking logs for integrity. The advisory highlights a critical shift in Chinese state-sponsored activity from pure espionage to gaining long-term access for potential disruption. 45 previously unreported domains associated with Salt Typhoon and UNC4841 have been discovered, dating back to May 2020. The oldest domain identified is onlineeylity[.]com, registered on May 19, 2020. The domains were registered using Proton Mail email addresses and fake personas. The domains point to high-density and low-density IP addresses, with the earliest activity traced back to October 2021. The domains are linked to Chinese cyber espionage campaigns, with potential overlaps between Salt Typhoon and UNC4841.
  Sources:
  - CISA and Partners Release Joint Advisory on Countering Chinese State-Sponsored Actors Compromise of Networks Worldwide to Feed Global Espionage Systems · www.cisa.gov · 27.08.2025 15:00
  - Salt Typhoon Exploits Flaws in Edge Network Devices to Breach 600 Organizations Worldwide · thehackernews.com · 28.08.2025 17:04
  - CISA, FBI, NSA Warn of Chinese 'Global Espionage System' · www.darkreading.com · 28.08.2025 23:10
  - 45 Previously Unreported Domains Expose Longstanding Salt Typhoon Cyber Espionage · thehackernews.com · 09.09.2025 03:27
Information Snippets
- The campaign targets critical infrastructure networks globally, including telecommunications, transportation, lodging, and military sectors.
  First reported: 27.08.2025 15:00 · 3 sources, 3 articles
  Sources:
  - CISA and Partners Release Joint Advisory on Countering Chinese State-Sponsored Actors Compromise of Networks Worldwide to Feed Global Espionage Systems · www.cisa.gov · 27.08.2025 15:00
  - Salt Typhoon Exploits Flaws in Edge Network Devices to Breach 600 Organizations Worldwide · thehackernews.com · 28.08.2025 17:04
  - CISA, FBI, NSA Warn of Chinese 'Global Espionage System' · www.darkreading.com · 28.08.2025 23:10
- Chinese state-sponsored actors exploit vulnerabilities in routers used by telecommunications providers and other infrastructure operators.
  First reported: 27.08.2025 15:00 · 3 sources, 3 articles
  Sources:
  - CISA and Partners Release Joint Advisory on Countering Chinese State-Sponsored Actors Compromise of Networks Worldwide to Feed Global Espionage Systems · www.cisa.gov · 27.08.2025 15:00
  - Salt Typhoon Exploits Flaws in Edge Network Devices to Breach 600 Organizations Worldwide · thehackernews.com · 28.08.2025 17:04
  - CISA, FBI, NSA Warn of Chinese 'Global Espionage System' · www.darkreading.com · 28.08.2025 23:10
- The actors employ tactics to evade detection and maintain persistent access to compromised networks.
  First reported: 27.08.2025 15:00 · 3 sources, 3 articles
  Sources:
  - CISA and Partners Release Joint Advisory on Countering Chinese State-Sponsored Actors Compromise of Networks Worldwide to Feed Global Espionage Systems · www.cisa.gov · 27.08.2025 15:00
  - Salt Typhoon Exploits Flaws in Edge Network Devices to Breach 600 Organizations Worldwide · thehackernews.com · 28.08.2025 17:04
  - CISA, FBI, NSA Warn of Chinese 'Global Espionage System' · www.darkreading.com · 28.08.2025 23:10
- The advisory includes updated threat intelligence from investigations conducted through July 2025.
  First reported: 27.08.2025 15:00 · 2 sources, 2 articles
  Sources:
  - CISA and Partners Release Joint Advisory on Countering Chinese State-Sponsored Actors Compromise of Networks Worldwide to Feed Global Espionage Systems · www.cisa.gov · 27.08.2025 15:00
  - CISA, FBI, NSA Warn of Chinese 'Global Espionage System' · www.darkreading.com · 28.08.2025 23:10
- The advisory reflects overlapping indicators with industry reporting on Chinese state-sponsored threat groups such as Salt Typhoon, OPERATOR PANDA, RedMike, UNC5807, and GhostEmperor.
  First reported: 27.08.2025 15:00 · 3 sources, 4 articles
  Sources:
  - CISA and Partners Release Joint Advisory on Countering Chinese State-Sponsored Actors Compromise of Networks Worldwide to Feed Global Espionage Systems · www.cisa.gov · 27.08.2025 15:00
  - Salt Typhoon Exploits Flaws in Edge Network Devices to Breach 600 Organizations Worldwide · thehackernews.com · 28.08.2025 17:04
  - CISA, FBI, NSA Warn of Chinese 'Global Espionage System' · www.darkreading.com · 28.08.2025 23:10
  - 45 Previously Unreported Domains Expose Longstanding Salt Typhoon Cyber Espionage · thehackernews.com · 09.09.2025 03:27
- Recommended mitigations include patching known exploited vulnerabilities (KEVs), enabling centralized logging, and securing edge infrastructure.
  First reported: 27.08.2025 15:00 · 2 sources, 2 articles
  Sources:
  - CISA and Partners Release Joint Advisory on Countering Chinese State-Sponsored Actors Compromise of Networks Worldwide to Feed Global Espionage Systems · www.cisa.gov · 27.08.2025 15:00
  - CISA, FBI, NSA Warn of Chinese 'Global Espionage System' · www.darkreading.com · 28.08.2025 23:10
- The campaign has targeted at least 600 organizations across 80 countries, including 200 in the U.S.
  First reported: 28.08.2025 17:04 · 2 sources, 2 articles
  Sources:
  - Salt Typhoon Exploits Flaws in Edge Network Devices to Breach 600 Organizations Worldwide · thehackernews.com · 28.08.2025 17:04
  - CISA, FBI, NSA Warn of Chinese 'Global Espionage System' · www.darkreading.com · 28.08.2025 23:10
- The actors exploit vulnerabilities in devices from Cisco, Ivanti, Palo Alto Networks, Fortinet, Juniper, Microsoft Exchange, Nokia, Sierra Wireless, and Sonicwall.
  First reported: 28.08.2025 17:04 · 2 sources, 2 articles
  Sources:
  - Salt Typhoon Exploits Flaws in Edge Network Devices to Breach 600 Organizations Worldwide · thehackernews.com · 28.08.2025 17:04
  - CISA, FBI, NSA Warn of Chinese 'Global Espionage System' · www.darkreading.com · 28.08.2025 23:10
- The actors use GRE tunnels, ACL modifications, and on-box Linux containers for persistent access and data exfiltration.
  First reported: 28.08.2025 17:04 · 2 sources, 2 articles
  Sources:
  - Salt Typhoon Exploits Flaws in Edge Network Devices to Breach 600 Organizations Worldwide · thehackernews.com · 28.08.2025 17:04
  - CISA, FBI, NSA Warn of Chinese 'Global Espionage System' · www.darkreading.com · 28.08.2025 23:10
- The actors target edge devices regardless of ownership, using them to pivot into networks of interest.
  First reported: 28.08.2025 17:04 · 2 sources, 2 articles
  Sources:
  - Salt Typhoon Exploits Flaws in Edge Network Devices to Breach 600 Organizations Worldwide · thehackernews.com · 28.08.2025 17:04
  - CISA, FBI, NSA Warn of Chinese 'Global Espionage System' · www.darkreading.com · 28.08.2025 23:10
- The actors enable the sshd_operns service on Cisco IOS XR devices to gain root access.
  First reported: 28.08.2025 17:04 · 2 sources, 2 articles
  Sources:
  - Salt Typhoon Exploits Flaws in Edge Network Devices to Breach 600 Organizations Worldwide · thehackernews.com · 28.08.2025 17:04
  - CISA, FBI, NSA Warn of Chinese 'Global Espionage System' · www.darkreading.com · 28.08.2025 23:10
- The actors collect TACACS+ traffic to capture credentials and enable lateral movement.
  First reported: 28.08.2025 17:04 · 2 sources, 2 articles
  Sources:
  - Salt Typhoon Exploits Flaws in Edge Network Devices to Breach 600 Organizations Worldwide · thehackernews.com · 28.08.2025 17:04
  - CISA, FBI, NSA Warn of Chinese 'Global Espionage System' · www.darkreading.com · 28.08.2025 23:10
- The campaign involves Chinese entities Sichuan Juxinhe Network Technology Co., Ltd., Beijing Huanyu Tianqiong Information Technology Co., Ltd., and Sichuan Zhixin Ruijie Network Technology Co., Ltd.
  First reported: 28.08.2025 17:04 · 1 source, 1 article
  Sources:
  - Salt Typhoon Exploits Flaws in Edge Network Devices to Breach 600 Organizations Worldwide · thehackernews.com · 28.08.2025 17:04
- The advisory is co-signed by authorities from 13 countries, including Australia, Canada, the Czech Republic, Finland, Germany, Italy, Japan, the Netherlands, New Zealand, Poland, Spain, the U.K., and the U.S.
  First reported: 28.08.2025 17:04 · 2 sources, 2 articles
  Sources:
  - Salt Typhoon Exploits Flaws in Edge Network Devices to Breach 600 Organizations Worldwide · thehackernews.com · 28.08.2025 17:04
  - CISA, FBI, NSA Warn of Chinese 'Global Espionage System' · www.darkreading.com · 28.08.2025 23:10
- The advisory details how state-backed threat actors, including Salt Typhoon, penetrate networks around the world and how defenders can protect their own environments.
  First reported: 28.08.2025 23:10 · 1 source, 1 article
  Sources:
  - CISA, FBI, NSA Warn of Chinese 'Global Espionage System' · www.darkreading.com · 28.08.2025 23:10
- The advisory tracks this cluster of activity to multiple advanced persistent threats (APTs), though it partially overlaps with Salt Typhoon.
  First reported: 28.08.2025 23:10 · 2 sources, 2 articles
  Sources:
  - CISA, FBI, NSA Warn of Chinese 'Global Espionage System' · www.darkreading.com · 28.08.2025 23:10
  - 45 Previously Unreported Domains Expose Longstanding Salt Typhoon Cyber Espionage · thehackernews.com · 09.09.2025 03:27
- The advisory notes that the actors have had considerable success exploiting publicly known vulnerabilities, including Ivanti Connect Secure, Ivanti Policy Secure, Palo Alto Networks PAN-OS, and Cisco IOS XE vulnerabilities.
  First reported: 28.08.2025 23:10 · 1 source, 1 article
  Sources:
  - CISA, FBI, NSA Warn of Chinese 'Global Espionage System' · www.darkreading.com · 28.08.2025 23:10
- The advisory suspects that the APT actors may target other devices, including Fortinet firewalls, Juniper firewalls, Microsoft Exchange, Nokia routers and switches, Sierra Wireless devices, and Sonicwall firewalls.
  First reported: 28.08.2025 23:10 · 1 source, 1 article
  Sources:
  - CISA, FBI, NSA Warn of Chinese 'Global Espionage System' · www.darkreading.com · 28.08.2025 23:10
- The actors use multiple tactics to maintain persistence, including modifying Access Control Lists (ACLs), opening standard and non-standard ports, enabling SSH servers, and creating tunnels over protocols.
  First reported: 28.08.2025 23:10 · 1 source, 1 article
  Sources:
  - CISA, FBI, NSA Warn of Chinese 'Global Espionage System' · www.darkreading.com · 28.08.2025 23:10
- The actors target protocols and infrastructure involved in authentication, such as Terminal Access Controller Access Control System Plus (TACACS+), to facilitate lateral movement across network devices.
  First reported: 28.08.2025 23:10 · 1 source, 1 article
  Sources:
  - CISA, FBI, NSA Warn of Chinese 'Global Espionage System' · www.darkreading.com · 28.08.2025 23:10
- The advisory provides extensive recommendations for mitigating these threats, including monitoring network device configuration changes, auditing network services and tunnels, and checking logs for integrity.
  First reported: 28.08.2025 23:10 · 1 source, 1 article
  Sources:
  - CISA, FBI, NSA Warn of Chinese 'Global Espionage System' · www.darkreading.com · 28.08.2025 23:10
- The advisory highlights a critical shift in Chinese state-sponsored activity from pure espionage to gaining long-term access for potential disruption.
  First reported: 28.08.2025 23:10 · 1 source, 1 article
  Sources:
  - CISA, FBI, NSA Warn of Chinese 'Global Espionage System' · www.darkreading.com · 28.08.2025 23:10
- 45 previously unreported domains associated with Salt Typhoon and UNC4841 have been discovered, dating back to May 2020.
  First reported: 09.09.2025 03:27 · 1 source, 1 article
  Sources:
  - 45 Previously Unreported Domains Expose Longstanding Salt Typhoon Cyber Espionage · thehackernews.com · 09.09.2025 03:27
- The oldest domain identified is onlineeylity[.]com, registered on May 19, 2020.
  First reported: 09.09.2025 03:27 · 1 source, 1 article
  Sources:
  - 45 Previously Unreported Domains Expose Longstanding Salt Typhoon Cyber Espionage · thehackernews.com · 09.09.2025 03:27
- The domains were registered using Proton Mail email addresses and fake personas.
  First reported: 09.09.2025 03:27 · 1 source, 1 article
  Sources:
  - 45 Previously Unreported Domains Expose Longstanding Salt Typhoon Cyber Espionage · thehackernews.com · 09.09.2025 03:27
- The domains point to high-density and low-density IP addresses, with the earliest activity traced back to October 2021.
  First reported: 09.09.2025 03:27 · 1 source, 1 article
  Sources:
  - 45 Previously Unreported Domains Expose Longstanding Salt Typhoon Cyber Espionage · thehackernews.com · 09.09.2025 03:27
- The domains are linked to Chinese cyber espionage campaigns, with potential overlaps between Salt Typhoon and UNC4841.
  First reported: 09.09.2025 03:27 · 1 source, 1 article
  Sources:
  - 45 Previously Unreported Domains Expose Longstanding Salt Typhoon Cyber Espionage · thehackernews.com · 09.09.2025 03:27
Similar Happenings
UNC6040 and UNC6395 Target Salesforce Platforms in Data Theft Campaigns
The FBI has issued an alert about two cybercriminal groups, UNC6040 and UNC6395, targeting Salesforce platforms for data theft and extortion. UNC6395 exploited compromised OAuth tokens for the Salesloft Drift application, while UNC6040 used vishing campaigns and modified Salesforce tools to breach Salesforce instances. Both groups have been active since at least October 2024, impacting multiple organizations. UNC6040 has been linked to extortion activities, with Google attributing these to a separate cluster, UNC6240, which has claimed to be the ShinyHunters group. The ShinyHunters group, along with Scattered Spider and LAPSUS$, recently announced they are going dark, but experts warn that the threat persists. UNC6040 impersonated corporate IT support personnel to gain access to Salesforce environments and used modified versions of Salesforce's Data Loader to exfiltrate data. Salesforce re-enabled integrations with Salesloft technologies, except for the Drift app, which remains disabled.
Akira Ransomware Group Exploits SonicWall SSL VPN Flaws
The Akira ransomware group has been actively exploiting SonicWall SSL VPN flaws and misconfigurations to gain initial access to networks. This campaign has seen increased activity since late July 2025, targeting SonicWall devices to facilitate ransomware operations. The group leverages a combination of security vulnerabilities, including a year-old flaw (CVE-2024-40766) and misconfigured LDAP settings, to bypass access controls and infiltrate networks. Organizations are advised to rotate passwords, remove unused accounts, enable multi-factor authentication, and restrict access to the Virtual Office Portal to mitigate risks. The Australian Cyber Security Centre (ACSC) has acknowledged Akira's targeting of SonicWall SSL VPNs and issued alerts about the increased exploitation of CVE-2024-40766.
Salty2FA Phishing Kit Demonstrates Enterprise-Level Sophistication
The Salty2FA phishing kit has evolved to incorporate enterprise-grade features, making it difficult to distinguish from legitimate software. The kit's advanced capabilities include subdomain rotation, abuse of legitimate platforms, dynamic corporate branding, MFA mimicry, and sophisticated defense evasion tactics. Ontinue researchers tracked a campaign using Salty2FA, observing its technical innovations and how it mimics legitimate enterprise systems. The campaign impersonated a known business using a trial account on Aha.io and deployed a OneDrive sharing page as the initial attack vector. The kit's infrastructure supports dynamic branding and advanced evasion techniques, making it challenging for security teams to detect and mitigate. The kit's advanced features include geo-blocking, ASN/IP filtering, and JavaScript-based anti-debugging, which hinder the efforts of security researchers and SOC teams. The Salty2FA phishing kit targets industries including finance, energy, healthcare, government, logistics, IT consulting, education, construction, telecom, chemicals, industrial manufacturing, real estate, and consulting. Salty2FA activity began gaining momentum in June 2025, with early traces possibly dating back to March to April 2025. Salty2FA campaigns have been active since late July 2025, generating dozens of fresh analysis sessions daily. The kit uses a multi-stage execution chain, including email lures, redirects to fake login pages, credential theft, and 2FA bypass techniques. Salty2FA employs Cloudflare checks to bypass automated filters and uses fake Microsoft-branded login pages to steal credentials. The kit intercepts push, SMS, and voice-based 2FA codes, leading to account takeovers. ANY.RUN sandbox analysis provides full-chain visibility of Salty2FA attacks, revealing behavioral patterns and reducing analyst workload. Defenders are advised to adopt advanced, layered protection and a behavioral-oriented approach to counter these evolving threats.
Increased network scans target Cisco ASA devices
Cisco ASA devices are experiencing a surge in network scans, raising concerns about potential exploitation of new vulnerabilities. Two significant scanning spikes were recorded in late August 2025, with up to 25,000 unique IP addresses probing ASA login portals and Cisco IOS Telnet/SSH. The scans predominantly targeted the United States, UK, and Germany. The activity is likely reconnaissance for future attacks, possibly exploiting new or already-patched vulnerabilities. The scans were largely driven by a Brazilian botnet, using overlapping Chrome-like user agents, suggesting a common origin. System administrators are advised to apply the latest security updates, enforce multi-factor authentication, and use additional access controls to mitigate risks.
Salesloft Disables Drift Following OAuth Token Theft
Salesloft has taken Drift offline due to a security incident involving the theft of OAuth tokens and unauthorized access to Salesforce data. The breach began with the compromise of Salesloft's GitHub account, affecting multiple major tech companies, including Cloudflare, Google Workspace, PagerDuty, Palo Alto Networks, Proofpoint, SpyCloud, Tanium, Tenable, Zscaler, Qualys, Rubrik, BeyondTrust, CyberArk, Elastic, Dynatrace, Cato Networks, and BugCrowd. The incident was attributed to a threat cluster tracked as UNC6395 and GRUB1. The breach occurred on September 5, 2025, affecting the marketing software-as-a-service product Drift. The attackers exploited vulnerabilities to steal authentication tokens, leading to unauthorized access to sensitive data. Salesloft has temporarily disabled Drift to conduct a comprehensive review and enhance security measures. The ShinyHunters extortion gang and threat actors claiming to be Scattered Spider were involved in the Salesloft Drift attacks, in addition to the previous Salesforce data theft attacks. The threat actors primarily focused on stealing support cases from Salesforce instances, which were then used to harvest credentials, authentication tokens, and other secrets shared in the support tickets. The threat actors' primary objective was to steal credentials, specifically focusing on sensitive information like AWS access keys, passwords, and Snowflake-related access tokens. The number of impacted companies has been updated to 29. Cloudflare disclosed that some customer support cases stored in Salesforce included configuration settings and 104 Cloudflare API tokens. Salesforce restored integration with the Salesloft platform, except for the Drift app, which remains disabled until further notice. The breach also affected Qantas, where executives had their short-term compensation reduced by 15% due to a data breach that impacted approximately 5.7 million passengers.