Chinese state-sponsored hackers are waging a global cyber campaign against critical infrastructure, U.S. and international authorities warned today.

In a joint advisory, the Cybersecurity and Infrastructure Security Agency (CISA), along with the FBI, NSA, and international partners, detailed ongoing malicious activity by People’s Republic of China (PRC)–backed Advanced Persistent Threat (APT) actors.

The advisory, which incorporates updated threat intelligence through July 2025, builds on earlier reports and alerts, and highlights activity from overlapping Chinese threat groups – including Salt Typhoon, OPERATOR PANDA, RedMike, UNC5807, and GhostEmperor.

The advisory describes a deliberate, sustained effort by China-backed hackers to gain long-term access to networks tied to critical infrastructure sectors, particularly telecommunications, transportation, lodging, and military networks.

“CISA and our partners are committed to equipping critical infrastructure owners and operators with the intelligence and tools they need to defend against sophisticated cyber threats,” Madhu Gottumukkala, acting director of CISA, said in a statement.

“By exposing the tactics used by PRC state-sponsored actors and providing actionable guidance, we are helping organizations strengthen their defenses and protect the systems that underpin our national and economic security,” he said.

Officials say the campaign specifically targets known vulnerabilities in routers and other edge devices used by infrastructure providers, allowing threat actors to maintain covert, long-term access.

According to the report, the threat actors are using covert tunneling protocols and altering router configurations to avoid detection while exfiltrating sensitive data – often over extended periods. Investigators uncovered evidence of persistent access gained through unauthorized modifications to access control lists, management protocols, and virtual containers running on network devices.

To counter these threats, the advisory outlines a series of urgent mitigation steps for infrastructure operators. Key recommendations include patching known exploited vulnerabilities, enabling centralized logging, and securing edge infrastructure – particularly routers and other network devices commonly targeted by threat actors.

The agencies also urge organizations to review router logs and configurations regularly for signs of suspicious activity, such as unexpected tunneling protocols, unauthorized external IP addresses in access lists, or unusual virtual containers. Additional guidance includes disabling unused ports and protocols, enforcing public-key authentication for administrative roles, and isolating management planes. The report also stresses the importance of running supported operating systems and keeping firmware updated to prevent exploitation of outdated software.
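The three configuration checks the agencies call for in the paragraph above (unexpected tunnel interfaces, non-approved external sources in access lists, and virtual containers enabled on the device) can be run against a saved running-config rather than eyeballed. The script below is an added example written for this page, not code from the advisory or from CISA; it assumes Cisco IOS-style configuration syntax (the advisory names no vendor), and the config, the approved management range 10.0.0.0/8, and the expected-tunnel baseline are all constructed for the example.

```python
"""Audit a saved router running-config for the indicators the advisory names:
unexpected tunnel interfaces, access-list permits from non-approved sources,
and on-box application containers.

Assumption (not from the advisory): Cisco IOS-style syntax. SAMPLE_CONFIG is
constructed for this example and does not come from any real device."""
import ipaddress
import re
from typing import Dict, Iterable, List, Tuple

SAMPLE_CONFIG = """hostname edge-rtr-01
!
iox
!
interface GigabitEthernet0/0
 ip address 192.0.2.1 255.255.255.0
!
interface Tunnel0
 description site-to-site to branch (in baseline)
 tunnel source GigabitEthernet0/0
 tunnel destination 192.0.2.200
 tunnel mode ipsec ipv4
!
interface Tunnel7
 tunnel source GigabitEthernet0/0
 tunnel destination 198.51.100.77
 tunnel mode gre ip
!
ip access-list extended MGMT-IN
 permit tcp 10.0.0.0 0.255.255.255 any eq 22
 permit tcp host 10.20.30.40 any eq 22
 permit tcp host 203.0.113.5 any eq 22
 permit ip 198.51.100.0 0.0.0.255 any
 deny ip any any log
!
app-hosting appid unreviewed-app
 app-vnic gateway0 virtualportgroup 0 guest-interface 0
!
"""


def parse_stanzas(config: str) -> List[Tuple[str, List[str]]]:
    """Group the config into (top-level line, [indented child lines]) pairs."""
    stanzas: List[Tuple[str, List[str]]] = []
    for raw in config.splitlines():
        if not raw.strip() or raw.startswith("!"):
            continue
        if raw.startswith(" "):
            if stanzas:  # child line belongs to the most recent top-level line
                stanzas[-1][1].append(raw.strip())
        else:
            stanzas.append((raw.strip(), []))
    return stanzas


def find_tunnels(config: str) -> Dict[str, Dict[str, str]]:
    """Return {interface: {"mode": ..., "destination": ...}} for each Tunnel stanza."""
    tunnels: Dict[str, Dict[str, str]] = {}
    for head, body in parse_stanzas(config):
        m = re.match(r"interface (Tunnel\S+)$", head)
        if not m:
            continue
        info = {"mode": "unspecified (IOS default is GRE/IP)", "destination": ""}
        for line in body:
            if line.startswith("tunnel mode "):
                info["mode"] = line[len("tunnel mode "):]
            elif line.startswith("tunnel destination "):
                info["destination"] = line.split()[-1]
        tunnels[m.group(1)] = info
    return tunnels


def unexpected_tunnels(config: str, baseline: Iterable[str]) -> List[str]:
    """Tunnel interfaces not present in the operator's known-good baseline."""
    return sorted(name for name in find_tunnels(config) if name not in set(baseline))


def _wildcard_to_network(addr: str, wildcard: str) -> ipaddress.IPv4Network:
    """IOS wildcard masks set host bits, so 0.0.0.255 means /24."""
    w = int(ipaddress.IPv4Address(wildcard))
    if w & (w + 1):
        raise ValueError(f"non-contiguous wildcard {wildcard}")
    return ipaddress.ip_network(f"{addr}/{32 - w.bit_length()}", strict=False)


def _acl_source(tokens: List[str]) -> ipaddress.IPv4Network:
    """tokens begin right after the protocol: 'any' | 'host A' | 'A WILDCARD'."""
    if tokens[0] == "any":
        return ipaddress.ip_network("0.0.0.0/0")
    if tokens[0] == "host":
        return ipaddress.ip_network(f"{tokens[1]}/32")
    return _wildcard_to_network(tokens[0], tokens[1])


def unapproved_acl_sources(config: str, approved: Iterable[str]) -> List[str]:
    """Permit entries whose source is not fully inside an approved management range."""
    approved_nets = [ipaddress.ip_network(c) for c in approved]
    flagged: List[str] = []
    for head, body in parse_stanzas(config):
        if not head.startswith("ip access-list "):
            continue
        for line in body:
            tokens = line.split()
            if tokens and tokens[0].isdigit():  # strip optional sequence number
                tokens = tokens[1:]
            if not tokens or tokens[0] != "permit":
                continue
            src = _acl_source(tokens[2:])
            if not any(src.subnet_of(net) for net in approved_nets):
                flagged.append(f"{head.split()[-1]}: {line}")
    return flagged


def container_config_lines(config: str) -> List[str]:
    """Top-level lines that enable the app-hosting framework or define a container."""
    return [head for head, _ in parse_stanzas(config)
            if re.match(r"^(iox|app-hosting appid \S+)$", head)]


if __name__ == "__main__":
    print("unexpected tunnels:", unexpected_tunnels(SAMPLE_CONFIG, {"Tunnel0"}))
    print("unapproved ACL sources:", unapproved_acl_sources(SAMPLE_CONFIG, ["10.0.0.0/8"]))
    print("container config:", container_config_lines(SAMPLE_CONFIG))
```

Run against the constructed config, the audit flags Tunnel7 (a GRE tunnel to an address not in the baseline), the two MGMT-IN permits whose sources fall outside 10.0.0.0/8, and both the `iox` framework switch and the defined app-hosting container. In practice the baseline and approved ranges come from change records, and any difference from the last reviewed config is what the advisory's "review regularly" step is meant to catch.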

Lisbeth Perez
Lisbeth Perez is a MeriTalk Senior Technology Reporter covering the intersection of government and technology.