Catch up fast. According to the advisory, the PRC’s targets are major telecommunications operators and enterprise networks; compromised devices and trusted connections are exploited to pivot into other environments.
- Tactics: router modifications enabling long-term persistence.
- Aliases: activity overlaps with clusters known as Salt Typhoon, Operator Panda, RedMike, UNC5807, GhostEmperor.
- Scope: incidents identified in the US, Australia, Canada, New Zealand, the UK, and beyond.
Why it matters. This is systemic cyber espionage, not isolated incidents: it enables mapping of communications and movements of governments and corporations worldwide.
Agencies involved. The involvement of so many agencies reflects a heightened perception of systemic risk.
- The advisory was issued jointly by a broad coalition of security and intelligence bodies, including the US NSA, CISA, FBI and DoD Cyber Crime Center; the Australian Signals Directorate’s Cyber Security Centre; the Canadian Cyber Centre and CSIS; New Zealand’s National Cyber Security Centre; the UK’s National Cyber Security Centre; as well as European partners such as Germany’s BND, BfV and BSI, the Czech NÚKIB, Finland’s SUPO, Spain’s CNI, the Netherlands’ MIVD and AIVD, Poland’s SKW and AW, and Italy’s AISE and AISI. Japan contributed through its National Cyber Office and National Police Agency.
Italy’s angle. The presence of AISE and AISI in the document — an outcome of political will from Palazzo Chigi and the Foreign Ministry — is highly significant:
- Vis-à-vis Beijing, following the Meloni government’s decision not to renew the MoU on the Belt and Road Initiative – even as Rome seeks to avoid projecting an overly burdensome line with China.
- And in terms of Rome’s international cyber posture, at a time when the domain is increasingly central to national security and to the collective security of the EU, the US, and the broader transatlantic bloc.
Geopolitics between the lines. Beneath the technical detail lies a clear geopolitical message: the US, European allies, and Asian partners unambiguously state that Beijing is using cyber capabilities not only for defence but also to conduct an aggressive global intelligence-gathering campaign.
- The warning aligns with rising tensions between the West and China, from trade to technological supply chains and Pacific routes.
- From the advisory: “The authoring agencies strongly urge network defenders to hunt for malicious activity and to apply the mitigations in this CSA to reduce the threat of Chinese state-sponsored and other malicious cyber activity.”
- The advisory calls on corporations and public entities to tighten controls, update systems, and monitor IOCs such as suspicious IPs and router anomalies.
Zoom in: APT playbook
- Router-first: targeting backbone, PE/CE of major providers.
- Lateral movement: exploiting trusted connections to infiltrate additional networks.
- Persistence: device modifications designed to remain undetected over the long term.
- Intelligence objective: harvesting ISP, hospitality, and transportation data to identify and track targets.
What to do now: Mitigations.
- Proactive threat hunting across network infrastructure.
- Hardening and patching routers (configurations, firmware, credentials, out-of-band management).
- IOC monitoring: anomalous IPs/domains, configuration changes, unusual logins, atypical lateral traffic.
- Segmentation and the least-privilege principle for operational and telco environments.
- Eviction plans and review of inter-operator trusted connections.
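A defender-side illustration of the IOC monitoring item above (unusual logins and configuration changes on routers), added here and not taken from the advisory: it scans constructed syslog lines in the style of Cisco IOS login and config-change messages and flags events from outside an assumed out-of-band management network or outside an assumed change window. The management subnet, change window, hostnames and addresses are hypothetical.

```python
import ipaddress
import re
from datetime import datetime, time

# Constructed sample lines in the style of Cisco IOS syslog (not from the advisory).
SAMPLE_LOGS = [
    "Jan 14 02:13:41 pe-router-01 %SEC_LOGIN-5-LOGIN_SUCCESS: Login Success [user: admin] [Source: 203.0.113.77] [localport: 22]",
    "Jan 14 02:14:02 pe-router-01 %SYS-5-CONFIG_I: Configured from console by admin on vty1 (203.0.113.77)",
    "Jan 14 10:30:15 pe-router-02 %SEC_LOGIN-5-LOGIN_SUCCESS: Login Success [user: netops] [Source: 10.20.0.15] [localport: 22]",
    "Jan 14 10:31:00 pe-router-02 %SYS-5-CONFIG_I: Configured from console by netops on vty0 (10.20.0.15)",
    "Jan 14 03:05:10 pe-router-02 %SYS-5-CONFIG_I: Configured from console by netops on vty0 (10.20.0.15)",
]

# Hypothetical out-of-band management network and approved change window.
MGMT_NETS = [ipaddress.ip_network("10.20.0.0/24")]
CHANGE_WINDOW = (time(9, 0), time(17, 0))

TS = r"^(?P<ts>\w{3} \d{1,2} \d\d:\d\d:\d\d) (?P<host>\S+) "
LOGIN_RE = re.compile(TS + r"%SEC_LOGIN-5-LOGIN_SUCCESS: .*\[user: (?P<user>[^\]]+)\] \[Source: (?P<src>[^\]]+)\]")
CONFIG_RE = re.compile(TS + r"%SYS-5-CONFIG_I: Configured from \S+ by (?P<user>\S+) on (?P<line>\S+) \((?P<src>[^)]+)\)")

def from_mgmt_net(src):
    """True if the source address belongs to the management network."""
    ip = ipaddress.ip_address(src)
    return any(ip in net for net in MGMT_NETS)

def in_change_window(ts):
    """True if the syslog timestamp falls inside the approved change window."""
    t = datetime.strptime(ts, "%b %d %H:%M:%S").time()
    return CHANGE_WINDOW[0] <= t <= CHANGE_WINDOW[1]

def find_anomalies(lines):
    """Return (host, reason) tuples for logins from outside the management network and
    for config changes from an unexpected source or outside the change window."""
    findings = []
    for line in lines:
        m = LOGIN_RE.match(line)
        if m and not from_mgmt_net(m["src"]):
            findings.append((m["host"], f"login by {m['user']} from non-management address {m['src']}"))
            continue
        m = CONFIG_RE.match(line)
        if m:
            if not from_mgmt_net(m["src"]):
                findings.append((m["host"], f"config change by {m['user']} from non-management address {m['src']}"))
            elif not in_change_window(m["ts"]):
                findings.append((m["host"], f"config change by {m['user']} outside change window"))
    return findings

if __name__ == "__main__":
    for host, reason in find_anomalies(SAMPLE_LOGS):
        print(f"[ALERT] {host}: {reason}")
```

In practice the same checks would run against syslog forwarded to a collector, with the management prefixes and change window taken from the operator's own inventory and change-control records.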
The big picture. Operations have been active since at least 2021, attributed to Chinese entities providing cyber products and services to the PLA and MSS. The long-term campaign has strategic intelligence objectives rather than immediate destructive effects.
What we’re watching:
- New technical indicators and mitigation updates.
- International cooperation (further joint advisories).
- The industry response: vendor patch cycles, router audits, and reviews of inter-operator links.