CISA and partner agencies have issued a sharply worded joint Cybersecurity Advisory warning that People’s Republic of China (PRC) state‑sponsored Advanced Persistent Threat (APT) actors have been compromising global telecommunications and critical‑infrastructure networks by targeting provider‑edge and customer‑edge routers, modifying firmware and configurations to establish long‑term, stealthy access used for widescale espionage. This advisory — compiled with the National Security Agency (NSA), Federal Bureau of Investigation (FBI), and international partners — synthesizes months of multinational investigation and supplements earlier public reporting about the activity widely tracked in industry as “Salt Typhoon” and by a number of other aliases. The technical emphasis is clear: threat actors are moving beyond commodity server intrusions into the plumbing of global networks, where visibility is limited and persistence can be maintained for years.
Source: CISA, "CISA and Partners Release Joint Advisory on Countering Chinese State-Sponsored Actors Compromise of Networks Worldwide to Feed Global Espionage Systems" | CISA
Background / Overview
The joint advisory updates and consolidates previously published guidance about PRC‑affiliated activity that targets network infrastructure. Over the past 18 months, public and private reporting documented intrusions into major telecommunications providers and critical third‑party equipment, followed by deeper analysis revealing that attackers exploited routers, network management interfaces, and other edge devices to intercept, monitor, and persistently access traffic flows. The new joint advisory builds on that body of work and presents tactical detection and mitigation guidance targeted at network defenders, communications‑service providers, and critical infrastructure operators. Industry shorthand — for example, “Salt Typhoon” (Microsoft’s name for a cluster of activity, also tracked as GhostEmperor, FamousSparrow, and others) — appears in open reporting. The advisory avoids repeating vendor labels and instead focuses on behaviors and techniques, a helpful approach for defenders who must hunt activity that will likely change names and tooling. Public reporting and government materials increasingly link these operations to specific China‑based companies alleged to provide services to Chinese intelligence and military customers; those attributions are reflected in the joint advisory and by allied press reporting. (reuters.com)
What the advisory says — headline findings
Targeting and scope
- PRC‑affiliated APT actors have focused on telecommunications providers (including both broadband and carrier infrastructure), government networks, transportation, lodging (hotels), and defense‑adjacent organizations. These sectors are attractive because compromising a provider’s edge devices can yield vast amounts of metadata and, in some cases, content. (cyber.gc.ca)
- The actors preferentially target provider‑edge and customer‑edge routers and network devices that frequently lack centralized monitoring. Those devices — often labelled provider edge (PE) or customer edge (CE) — sit where networks connect to the wider internet or other service providers and thus provide a vantage point over aggregated traffic flows. (cisa.gov)
- Investigations through July 2025 indicate persistent, long‑term access across multiple countries; public press accounts cite intrusions affecting scores of countries and a broad swath of organizations. Some outlets report impacts measured in the millions of call records and dozens of countries; these high‑level figures are reported by U.S. law‑enforcement sources and major press outlets. Readers should treat specific global tallies as provisional as investigations continue. (wsj.com)
Tactics, techniques, and procedures (TTPs)
- The advisory emphasizes exploitation of publicly disclosed vulnerabilities and automated scanning to find unpatched edge devices. Attackers have been observed leveraging open‑source router exploitation frameworks (such as RouterSploit and RouterScan) and then transitioning to customized tooling to maintain stealth. (jdsupra.com)
- Operators commonly modify router firmware or configuration to hide backdoors and to create covert proxying or encrypted tunnels that survive reboots or administrative change. These firmware and configuration changes make forensic detection difficult because many enterprise monitoring solutions do not verify the integrity of router firmware or device configuration at scale. (cisa.gov)
- Once established, actors use the compromised infrastructure to collect metadata, intercept communications, and exfiltrate information. There are credible reports that law‑enforcement intercept systems and court‑authorized wiretap interfaces were among systems accessed in some intrusions, significantly raising the sensitivity of the intelligence gains. (wsj.com)
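The advisory's point that most monitoring stacks never verify router configuration integrity at scale suggests a simple defensive check. The following is an added example, not code from the advisory or any vendor: it diffs a current running-config snapshot against a stored baseline and buckets added lines into the behaviours described above (new tunnel interfaces, new privileged accounts, weakened management-plane transport). Both config snapshots, the hostnames, addresses and the `$PLACEHOLDER` secret are constructed.

```python
import hashlib
import re
from difflib import unified_diff

# Constructed baseline and current running-config snapshots (IOS-style, not from the advisory).
BASELINE = """\
hostname pe-router-01
interface GigabitEthernet0/0
 ip address 192.0.2.1 255.255.255.0
username netops privilege 15 secret 5 $PLACEHOLDER
line vty 0 4
 transport input ssh
"""

CURRENT = """\
hostname pe-router-01
interface GigabitEthernet0/0
 ip address 192.0.2.1 255.255.255.0
interface Tunnel100
 tunnel source GigabitEthernet0/0
 tunnel destination 198.51.100.7
username svc_backup privilege 15 secret 5 $PLACEHOLDER
line vty 0 4
 transport input ssh telnet
"""

# Added-line patterns mapped to the advisory's described behaviours: covert tunnels,
# added privileged accounts, and weakened management-plane access (hypothetical rule set).
SUSPICIOUS = {
    "new_tunnel": re.compile(r"^\+\s*(interface Tunnel|tunnel (source|destination))", re.I),
    "new_priv_user": re.compile(r"^\+\s*username \S+ privilege 15", re.I),
    "mgmt_weakened": re.compile(r"^\+\s*transport input .*telnet", re.I),
}

def config_hash(text: str) -> str:
    """SHA-256 of the whitespace-normalised config, for a cheap first-pass baseline comparison."""
    norm = "\n".join(l.rstrip() for l in text.splitlines() if l.strip())
    return hashlib.sha256(norm.encode()).hexdigest()

def drift_findings(baseline: str, current: str) -> dict:
    """Diff current against baseline and return added lines grouped by risk category."""
    findings = {name: [] for name in SUSPICIOUS}
    diff = unified_diff(baseline.splitlines(), current.splitlines(), lineterm="", n=0)
    for line in diff:
        if line.startswith("+++"):  # skip the file header, keep real added lines
            continue
        for name, pat in SUSPICIOUS.items():
            if pat.match(line):
                findings[name].append(line[1:].strip())
    return findings

if __name__ == "__main__":
    if config_hash(BASELINE) != config_hash(CURRENT):
        for cat, lines in drift_findings(BASELINE, CURRENT).items():
            for l in lines:
                print(f"[{cat}] {l}")
```

In practice the baseline would come from a change-controlled repository and the snapshot from a scheduled pull over the management plane, so any hash mismatch outside a change window is itself an alert.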
Why router and edge device compromise matters
Edge infrastructure is the network equivalent of a control room. While servers and endpoints are commonly monitored and patched, routers, switches, and network appliances — particularly those installed in remote facilities or run by third parties — often receive less operational attention. A compromised edge device gives an adversary several high‑value capabilities:
- Visibility into aggregated subscriber traffic flows and metadata.
- Ability to route, replicate, or mirror communications for collection.
- Covert persistence in hardware that may be outside standard host‑based security tooling.
- Anonymized and encrypted staging points that obfuscate attacker origin.
Cross‑checked facts and what’s verifiable
The joint advisory (coauthored by CISA, NSA, and FBI) and allied national cybersecurity centers present consistent technical observations:
- Attackers exploit edge devices and router firmware/configuration. (cisa.gov)
- Open‑source scanning and exploitation frameworks are part of the reconnaissance and initial‑access chain.
- The activity overlaps with industry reporting on groups called Salt Typhoon and related aliases. (industrialcyber.co)