CISA, FBI, NSA Warn of Chinese 'Global Espionage System'
Three federal agencies were parties to a global security advisory this week warning about the extensive threat posed by Chinese nation-state actors targeting network devices.
Alexander Culafi,Senior News Writer,Dark Reading
August 28, 2025
4 Min Read
Government agencies from around the world, including the Cybersecurity and Infrastructure Security Agency (CISA), the FBI, and the National Security Agency (NSA), shared a new advisory Wednesday warning of China's "global espionage system."
The advisory details how state-backed threat actors, including Salt Typhoon, penetrate networks around the world, as well as how defenders can protect their own environments. The document was cosigned by nations including Canada, Australia, New Zealand, the UK, Czech Republic, Finland, Germany, Italy, Japan, the Netherlands, Poland, and Spain.
The advisory attributes this cluster of activity to multiple advanced persistent threats (APTs), though the agencies say it partially overlaps with Salt Typhoon. Salt Typhoon is best known for its infamous attacks against global telco infrastructure, including one in the US discovered last year, but China-backed threat actors have run rampant in recent years, targeting organizations for both espionage and pre-positioning for possible future attacks.
CISA's joint advisory dives into the technical nitty-gritty of how these attacks go down, including some previously unknown insights into People's Republic of China (PRC) cyber operations.
How Salt Typhoon (and Its Ilk) Target Networks
According to the advisory, these PRC-linked threat actors are targeting networks in the telecommunications, government, transportation, lodging, and defense sectors, often compromising large backbone routers and provider and customer edge routers, then using those compromised devices and trusted connections to move into other networks. Moreover, "these actors often modify routers to maintain persistent, long-term access to networks."
Tracking activity back to 2021, the agencies said the threat actors have had "considerable success" exploiting publicly known vulnerabilities, but have observed no zero-day exploitation to date. Such notable flaws include the Ivanti Connect Secure and Ivanti Policy Secure Web-component command injection vulnerability CVE-2024-21887; the Palo Alto Networks PAN-OS GlobalProtect OS command injection flaw CVE-2024-3400; and Cisco IOS XE vulnerabilities CVE-2023-20273, CVE-2023-20198, and CVE-2018-0171.
Mitigations for all these flaws are available, and defenders are urged to prioritize them due to threat actors' frequent targeting.
Despite the APT focus on routers and similar technologies, the advisory noted that "authoring agencies suspect that the APT actors may target other devices (e.g., Fortinet firewalls, Juniper firewalls, Microsoft Exchange, Nokia routers and switches, Sierra Wireless devices, Sonicwall firewalls, etc.)."
To maintain persistence, the APTs use multiple tactics including modifying Access Control Lists (ACLs) to add IP addresses, opening standard and non-standard ports, enabling SSH servers, opening external-facing ports on network devices, creating tunnels over protocols, enumerating and altering the configuration of other devices on the network, and more.
The list of tactics used to facilitate lateral movement is similarly exhaustive, including everything from capturing network traffic containing credentials via compromised routers to brute-forcing weak credentials.
"Following initial access, the APT actors target protocols and infrastructure involved in authentication — such as Terminal Access Controller Access Control System Plus (TACACS+) — to facilitate lateral movement across network devices, often through SNMP enumeration and SSH," the advisory read. "From these devices, the APT actors passively collect packet capture (PCAP) from specific ISP customer networks."
Mitigating a Typhoon
To address these threats, authoring agencies made a wide range of recommendations. They are extensive because, as the advisory put it, "the malicious activity described in this advisory often involves persistent, long-term access to networks where the APT actors maintain several methods of access."
To protect against these APTs, defenders should monitor for network device configuration changes, monitor virtualized containers for signs of tampering and confirm that all such containers are authorized, audit network services and tunnels, hunt for actor-favored protocol patterns, check logs, and monitor firmware and software for integrity. The advisory also contains indicators of compromise.
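The persistence tactics described above (ACL additions, SSH on new ports, tunnels, SNMP changes) map directly onto the advisory's first mitigation, monitoring network devices for configuration changes. The following Python script is an added example, not code from the advisory or the article: it diffs two IOS-style running-config snapshots (both constructed here) and labels each change by the tactic it resembles. The regex rule table and the labels are my own assumptions, not the advisory's indicators of compromise.

```python
import re
# Constructed IOS-style snapshots (not from the advisory): a baseline and a later capture.
BASELINE = """\
ip access-list extended MGMT-ACL
 permit tcp 10.0.0.0 0.0.0.255 any eq 22
"""
CURRENT = """\
ip access-list extended MGMT-ACL
 permit tcp 10.0.0.0 0.0.0.255 any eq 22
 permit tcp host 198.51.100.23 any eq 22
interface Tunnel99
 tunnel destination 203.0.113.5
ip ssh port 2222 rotary 1
snmp-server community public RW
"""
RULES = [  # hypothetical patterns, not the advisory's indicators; first match wins
    (r"^ip access-list|^access-list", "ACL modified"),
    (r"^interface Tunnel", "tunnel interface added"),
    (r"^ip ssh port", "SSH moved to non-standard port"),
    (r"^snmp-server", "SNMP configuration changed"),
    (r"^aaa |^tacacs", "authentication (AAA/TACACS+) changed"),
]
def parse(config):
    """Flatten a config into (section, child) pairs so indented lines keep their parent block."""
    items, section = set(), ""
    for raw in config.splitlines():
        line = raw.rstrip()
        if not line or line.startswith("!"):   # skip blanks and '!' separators
            continue
        if not line.startswith(" "):           # top-level statement opens a new section
            section = line
            items.add((line, ""))
        else:                                  # indented line belongs to the current section
            items.add((section, line.strip()))
    return items
def config_changes(baseline, current):
    """Return (added, removed) pairs between two snapshots, independent of line order."""
    base, cur = parse(baseline), parse(current)
    return sorted(cur - base), sorted(base - cur)
def triage(added, removed):
    """Label each change with the tactic it resembles, tagged 'added' or 'removed'."""
    findings = []
    for kind, items in (("added", added), ("removed", removed)):
        for section, child in items:
            text = f"{section} / {child}" if child else section
            for pattern, label in RULES:
                if re.search(pattern, text, re.I):
                    findings.append((label, kind, text))
                    break
    return findings
```

Because the diff is section-aware, a removed `deny` inside an ACL is reported against that ACL rather than as an anonymous line, and reordering the config produces no findings.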
Trey Ford, chief strategy and trust officer at Bugcrowd, says that with this advisory, agencies like CISA are trying to burn China's efforts "in a very public way, driving up the cost and operational overhead of any targeted operations in motion."
Frankie Sclafani, director of cybersecurity enablement at managed detection and response (MDR) vendor Deepwatch, says CISA's advisory is urgent because it highlights the recent "critical shift" in Chinese state-sponsored activity from pure espionage to something more invasive.
"Instead of just spying, groups like Salt Typhoon are now burrowing deep into critical infrastructure networks worldwide. This isn't just about stealing data; it's about gaining long-term access for potential disruption," Sclafani tells Dark Reading. "Given CISA's unique position and partnerships across government agencies, they have broad insight into these global threats. With Chinese APT activity at a high level of sophistication, the advisory serves as a crucial wake-up call for organizations to hunt and implement recommended mitigations immediately to protect their systems."
About the Author
Alexander Culafi
Senior News Writer, Dark Reading
Alex is an award-winning writer, journalist, and podcast host based in Boston. After cutting his teeth writing for independent gaming publications as a teenager, he graduated from Emerson College in 2016 with a Bachelor of Science in journalism. He has previously been published on VentureFizz, Search Security, Nintendo World Report, and elsewhere. In his spare time, Alex hosts the weekly Nintendo podcast Talk Nintendo Podcast and works on personal writing projects, including two previously self-published science fiction novels.