CISA Alert AA25-239A: Analysis, Simulation, and Mitigation of Chinese APTs
On August 27, 2025, the Cybersecurity and Infrastructure Security Agency (CISA), alongside the NSA, FBI, and over a dozen international partners [1], released a joint advisory on Chinese state-sponsored Advanced Persistent Threat (APT) actors, also tracked in the cybersecurity community as Salt Typhoon, OPERATOR PANDA, RedMike, UNC5807, and GhostEmperor. These actors have been compromising networks worldwide since at least 2021, with a focus on telecommunications, government, transportation, lodging, and military infrastructure.
Their campaigns center on abusing network edge devices, particularly backbone and customer routers, to gain persistent access, pivot into trusted networks, and collect sensitive communications. Unlike opportunistic ransomware operations, these intrusions are long-term espionage campaigns, enabling Chinese intelligence services to track global communications and movements.
In this blog post, we break down the tactics, techniques, and procedures (TTPs) used by these Chinese state-sponsored actors, including exploitation of widely known CVEs, persistence via modified ACLs and SSH abuse, lateral movement through TACACS+/SNMP manipulation, and exfiltration using GRE/IPsec tunnels, and provide guidance on how organizations can defend against these activities.
> Simulate Advanced Persistent Threats (APTs) with a 14-Day Free Trial of the Picus Platform
Salt Typhoon, OPERATOR PANDA, RedMike, UNC5807, GhostEmperor: The Agenda Explained
Chinese state-sponsored APT actors, tracked in the cybersecurity industry as Salt Typhoon, OPERATOR PANDA, RedMike, UNC5807, and GhostEmperor, have been conducting malicious operations globally since at least 2021. These operations are not isolated activities but part of a broader state-backed cyber espionage ecosystem that blends government priorities with the capabilities of private Chinese technology companies.
The advisory attributes this activity to entities including:
- Sichuan Juxinhe Network Technology Co. Ltd. (四川聚信和网络科技有限公司),
- Beijing Huanyu Tianqiong Information Technology Co., Ltd. (北京寰宇天穹信息技术有限公司), and
- Sichuan Zhixin Ruijie Network Technology Co., Ltd. (四川智信锐捷网络科技有限公司).
These firms provide network technologies and offensive cyber capabilities directly to China’s intelligence apparatus, particularly units of the People’s Liberation Army (PLA) and the Ministry of State Security (MSS).
The strategic objective behind these operations is clear.
By targeting telecommunications backbones, internet service providers (ISPs), and transportation and lodging sectors, Chinese intelligence services gain the ability to monitor communications, track individuals' movements worldwide, and map trusted network interconnections.
Access to these environments not only enables surveillance but also provides a foundation for follow-on operations, such as credential theft, covert routing changes, and long-term persistence within critical infrastructure.
This pattern underscores how the PRC leverages a “civil-military fusion” model, where commercial technology vendors act as enablers of state espionage. It also highlights why the actors focus so heavily on network edge devices: routers and gateways that often lack monitoring, yet serve as ideal footholds to pivot deeper into both government and private-sector networks.
Initial Access
Investigations show that Chinese state-sponsored APT actors, including Salt Typhoon, OPERATOR PANDA, RedMike, UNC5807, and GhostEmperor, are achieving consistent success by exploiting widely known vulnerabilities, rather than relying on zero-day exploits.
To date, there is no evidence of novel zero-days being deployed. Instead, these actors are capitalizing on unpatched, internet-facing devices and predictable weaknesses in network infrastructure to establish footholds.
The advisory highlights several high-priority CVEs that defenders should prioritize patching, given their frequent exploitation by these groups:
- CVE-2024-21887 – Ivanti Connect Secure and Ivanti Policy Secure command injection, often chained with CVE-2023-46805 (authentication bypass).
- CVE-2024-3400 – Palo Alto Networks PAN-OS GlobalProtect arbitrary file creation leading to unauthenticated remote code execution.
- CVE-2023-20273 – Cisco IOS XE web management interface command injection and privilege escalation, commonly chained with CVE-2023-20198.
- CVE-2023-20198 – Cisco IOS XE authentication bypass, abused to create unauthorized administrative accounts. Actors have been observed using “double encoding” tricks (e.g., /%2577eb%2575i_%2577sma_Http) to slip past detection.
- CVE-2018-0171 – Cisco IOS/IOS XE Smart Install remote code execution, an older flaw that continues to be abused in the wild.
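The double-encoding trick is easy to catch once request paths are canonicalised before they are matched. The script below is an added example written for this post; it is not part of the CISA advisory or of any Picus product. It percent-decodes each request path repeatedly, counts how many rounds were needed, and flags encoded or double-encoded requests that resolve to the IOS XE web UI. The access-log lines and source addresses are constructed for the demo.

```python
"""Flag percent-encoded and double-encoded requests to the Cisco IOS XE web UI.
Added example for this post, not CISA advisory or Picus tooling.
The log lines below are constructed; the addresses are placeholders."""
import re
from urllib.parse import unquote

# Constructed access-log lines (not real captures).
SAMPLE_LOG = """\
10.0.0.5 - - [01/Sep/2025:10:01:02 +0000] "POST /%2577eb%2575i_%2577sma_Http HTTP/1.1" 200 512
10.0.0.6 - - [01/Sep/2025:10:01:05 +0000] "GET /webui/ HTTP/1.1" 200 1024
10.0.0.7 - - [01/Sep/2025:10:02:11 +0000] "POST /webui_wsma_Http HTTP/1.1" 200 100
10.0.0.8 - - [01/Sep/2025:10:03:00 +0000] "GET /%77ebui/login HTTP/1.1" 200 700
10.0.0.9 - - [01/Sep/2025:10:04:00 +0000] "GET /index.html HTTP/1.1" 200 300
"""

REQUEST_RE = re.compile(r'^(?P<src>\S+) .*?"(?P<method>[A-Z]+) (?P<path>\S+) HTTP/[\d.]+"')


def canonicalize(path, max_rounds=5):
    """Percent-decode until the path stops changing. Returns (final_path, rounds_needed)."""
    rounds = 0
    while rounds < max_rounds:
        decoded = unquote(path)
        if decoded == path:
            break
        path, rounds = decoded, rounds + 1
    return path, rounds


def analyze_line(line):
    """Return a finding dict for a suspicious request, or None for a benign line."""
    m = REQUEST_RE.match(line)
    if not m:
        return None
    src, method, raw = m.group("src", "method", "path")
    canonical, rounds = canonicalize(raw)
    lowered = canonical.lower()
    hits_webui = lowered.startswith("/webui")
    if hits_webui and rounds >= 2:
        severity, reason = "high", "double-encoded path resolving to the web UI"
    elif hits_webui and rounds == 1:
        severity, reason = "medium", "percent-encoded path resolving to the web UI"
    elif lowered.startswith("/webui_wsma_http") and method == "POST":
        # The endpoint the advisory's double-encoded path resolves to; review even in plain form.
        severity, reason = "review", "POST to the webui_wsma_Http endpoint"
    else:
        return None
    return {"src": src, "method": method, "raw_path": raw, "canonical_path": canonical,
            "decode_rounds": rounds, "severity": severity, "reason": reason}


def scan_log(text):
    """Run analyze_line over every line and keep only the findings."""
    return [f for f in map(analyze_line, text.splitlines()) if f]


if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        print(f"[{f['severity']:6}] {f['src']} {f['method']} {f['raw_path']} -> "
              f"{f['canonical_path']} ({f['decode_rounds']} decode rounds): {f['reason']}")
```

Feed scan_log the access logs of any web server or proxy sitting in front of a management interface. A path that needs two decoding rounds before it reads /webui is exactly the evasion the advisory describes and deserves an alert on its own, whatever the response code was.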
Beyond exploiting vulnerabilities, the actors leverage virtual private servers (VPSs) and compromised routers as launch pads to blend into legitimate traffic and hide attribution. They don’t limit themselves to core targets either; compromised devices belonging to organizations outside their strategic focus are still valuable as stepping stones into high-value networks.
Once inside, the actors have been observed modifying routing tables, enabling traffic mirroring (SPAN, RSPAN, ERSPAN), and configuring GRE/IPsec tunnels to quietly siphon data and maintain persistence. By chaining together large numbers of internet-exposed devices, they can build out resilient access pathways and return to previously compromised systems for follow-on operations.
Despite years of observation, initial access vectors remain a major intelligence gap.
The breadth of affected vendors, from Cisco and Palo Alto to Ivanti and potentially Fortinet, Juniper, Microsoft Exchange, and others, highlights how exposed infrastructure remains an attractive, scalable target set for PRC espionage operations.
Persistence
To maintain long-term access inside compromised networks, Chinese state-sponsored actors employ multiple persistence techniques. Many of these methods also serve to hide their presence, making their actions appear as if they originate from local devices in logs. Below is a breakdown of the tactics observed and mapped to MITRE ATT&CK.
T1562.004 – Modifying Access Control Lists (ACLs)
One of the most common persistence techniques involves altering Access Control Lists (ACLs) on routers. By adding their own IP addresses, the actors bypass security policies and ensure uninterrupted access.
Typically they use standard ACL number 20 and, if it is already in use, fall back to 10 or 50, adding a permit entry for an actor-controlled host so that traffic from their infrastructure is explicitly allowed by the device. An unexplained permit statement for a single external host in one of these ACLs, particularly on an ACL applied to the VTY lines, should be treated as an indicator.
T1071 / T1571 – Opening Standard and Non-Standard Ports
To expand their options for remote access, the actors enable a wide range of standard services such as SSH, SFTP, RDP, FTP, HTTP, and HTTPS.
In many cases, these services are exposed on non-standard high ports, making them less likely to trigger monitoring rules tuned to default port numbers. This approach ensures redundancy: if one service is discovered or blocked, others remain available for command and control.
T1021.004 / T1098.004 – SSH Backdoors and Authorized Keys
The adversaries frequently enable SSH servers on compromised routers and configure them to listen on non-default high ports; the advisory notes port numbers built around 22 (patterns such as 22x22 or xxx22).
In addition, they add their own SSH keys to existing services, providing a reliable way to re-enter the environment even if passwords are rotated. This combination of port manipulation and key insertion makes SSH one of their most persistent footholds: a device exposing SSH on an unexpected port, or an authorized key no administrator can account for, should be treated as compromised until proven otherwise.
T1059.008 – Command and Scripting via Router CLI
Once devices are compromised, actors use the built-in command-line interface (CLI) to execute instructions. Observed activity includes:
- Running commands over SNMP (T1569)
- Issuing SSH logins from remote and local IPs
- Sending POST requests via the web interface
- Abusing service or automation credentials (such as those used by RANCID) to pivot to other devices
- Executing Tcl scripts (TCLproxy.tcl, map.tcl) where tclsh was available on Cisco IOS
This direct use of the CLI allows them to make rapid configuration changes while blending into routine administrative activity.
T1021 / T1016 – Abusing SNMP for Persistence
SNMP is a recurring persistence vector. The actors enumerate device configuration with tools such as snmpwalk, using community strings they have recovered from configurations or guessed.
Where a device exposes a read-write community string (or SNMPv3 write access), they issue SNMP SET requests from attacker-controlled hosts to alter writable objects, effectively granting themselves ongoing access. Read-write communities should be removed or restricted to management hosts with an ACL, with SNMPv3 authentication and privacy used in their place.
T1572 – Persistent GRE/IPsec Tunnels
The actors also establish persistent tunnels using GRE, multipoint GRE (mGRE), or IPsec. These tunnels enable the encapsulation of multiple network protocols, creating covert communication channels that resemble legitimate inter-network routing.
In effect, they allow espionage traffic to blend seamlessly with expected operations, making detection extremely challenging.
T1610 / T1543.005 – Guest Shell Abuse on Cisco Devices
A particularly advanced persistence technique involves deploying malicious activity within Guest Shell containers available on Cisco IOS XE and NX-OS. Inside this Linux-based environment, the actors have been observed running Python scripts (such as siet.py for exploiting Cisco Smart Install), installing additional packages with pip or yum, and staging local artifacts like configs and PCAPs.
On NX-OS, they can also use the dohost utility to script host-level commands, while on IOS XE, Guest Shell runs under IOx and provides access to device storage. Because activity inside Guest Shell is not closely monitored by default, this method offers a stealthy, long-term foothold.
Interestingly, the same actors also execute guestshell disable and guestshell destroy commands when they are done, removing traces of their activity and releasing the container's resources so that the device no longer shows an active shell (T1070.009).
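Most of the persistence artifacts above leave a trace in the running configuration: the ACL entries, the SSH port change, read-write SNMP communities, GRE tunnel and ERSPAN destinations, the iox global command that Guest Shell depends on under IOS XE, and the redirected TACACS+ servers described under Lateral Movement below. The script that follows is an added example written for this post (not Picus or CISA tooling) that walks a saved show running-config and reports each of them. The trusted address ranges, the configuration text and every address in it are constructed for the demo; the checks are heuristics, so review the "info" findings rather than treating them as alerts.

```python
"""Audit a Cisco IOS/IOS XE running-config for persistence artifacts described in
CISA AA25-239A.  Added example for this post, not Picus or CISA tooling.
The configuration below is constructed; addresses are RFC 5737 documentation ranges."""
import ipaddress
import re

# Assumed management/trusted ranges; anything outside them is treated as untrusted.
TRUSTED_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "192.0.2.0/24")]

SAMPLE_CONFIG = """\
hostname edge-rtr1
!
username admin privilege 15 secret 9 $9$constructedhash
username svc_rancid privilege 15 secret 5 $1$constructedhash
!
ip ssh port 22722 rotary 1
!
access-list 10 permit host 198.51.100.9
access-list 20 permit host 203.0.113.45
access-list 20 permit 192.0.2.0 0.0.0.255
!
snmp-server community public RO
snmp-server community s3cret RW
!
interface Tunnel100
 ip address 10.255.0.1 255.255.255.252
 tunnel source GigabitEthernet0/0
 tunnel destination 203.0.113.45
!
monitor session 1 type erspan-source
 source interface GigabitEthernet0/1
 destination
  erspan-id 1
  ip address 203.0.113.45
!
tacacs server CORP
 address ipv4 10.1.1.10
tacacs server BACKUP
 address ipv4 203.0.113.45
!
iox
!
line vty 0 4
 access-class 20 in
 transport input ssh
"""

ACL_HOST    = re.compile(r"^access-list (\d+) permit host (\S+)")
SSH_PORT    = re.compile(r"^ip ssh port (\d+)")
SNMP_RW     = re.compile(r"^snmp-server community \S+ RW\b")
PRIV15      = re.compile(r"^username (\S+) privilege 15\b")
TACACS_OLD  = re.compile(r"^tacacs-server host (\S+)")      # legacy single-line form
TUN_DST     = re.compile(r"^\s+tunnel destination (\S+)")   # inside interface Tunnel
IP_ADDR     = re.compile(r"^\s+ip address (\S+)")           # inside monitor session destination
TACACS_ADDR = re.compile(r"^\s+address ipv4 (\S+)")         # inside tacacs server


def is_trusted(ip_text):
    """True when the address falls inside one of the assumed management ranges."""
    try:
        ip = ipaddress.ip_address(ip_text)
    except ValueError:
        return False
    return any(ip in net for net in TRUSTED_NETS)


def audit_config(text):
    """Return a list of findings; each is a dict with severity, ATT&CK technique, line and detail."""
    findings = []
    block = None  # top-level block the indented lines belong to: tunnel, monitor, tacacs or None

    def flag(severity, technique, line, detail):
        findings.append({"severity": severity, "technique": technique,
                         "line": line.strip(), "detail": detail})

    for line in text.splitlines():
        if not line.startswith(" "):            # unindented lines open or close a block
            if line.startswith("interface Tunnel"):
                block = "tunnel"
            elif line.startswith("monitor session"):
                block = "monitor"
            elif line.startswith("tacacs server"):
                block = "tacacs"
            else:
                block = None
        if (m := ACL_HOST.match(line)) and not is_trusted(m.group(2)):
            sev = "high" if m.group(1) in ("10", "20", "50") else "medium"
            flag(sev, "T1562.004", line, f"ACL {m.group(1)} permits untrusted host {m.group(2)}")
        elif (m := SSH_PORT.match(line)) and m.group(1) != "22":
            flag("high", "T1021.004", line, f"SSH listening on non-default port {m.group(1)}")
        elif SNMP_RW.match(line):
            flag("high", "T1021/T1016", line, "read-write SNMP community configured")
        elif (m := PRIV15.match(line)):
            flag("info", "T1136.001", line, f"privilege-15 local account '{m.group(1)}' (verify it is expected)")
        elif line.strip() == "iox":
            flag("medium", "T1610", line, "IOx enabled; Guest Shell can be started on this device")
        elif (m := TACACS_OLD.match(line)) and not is_trusted(m.group(1)):
            flag("high", "T1556", line, f"TACACS+ server {m.group(1)} outside trusted ranges")
        elif block == "tunnel" and (m := TUN_DST.match(line)) and not is_trusted(m.group(1)):
            flag("high", "T1572", line, f"tunnel terminates at untrusted host {m.group(1)}")
        elif block == "monitor" and (m := IP_ADDR.match(line)) and not is_trusted(m.group(1)):
            flag("high", "T1040", line, f"ERSPAN session mirrors traffic to untrusted host {m.group(1)}")
        elif block == "tacacs" and (m := TACACS_ADDR.match(line)) and not is_trusted(m.group(1)):
            flag("high", "T1556", line, f"TACACS+ server {m.group(1)} outside trusted ranges")
    return findings


if __name__ == "__main__":
    for f in audit_config(SAMPLE_CONFIG):
        print(f"[{f['severity']:6}] {f['technique']:12} {f['detail']}")
```

Run it against configurations pulled by your existing backup tooling (RANCID, Oxidized or similar) and diff the findings between runs; a tunnel destination or TACACS+ server that was not there yesterday is far more informative than the absolute list, and the same diff catches the ACL 10/20/50 entries the moment they appear.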
Lateral Movement & Collection
Once inside a target environment, Chinese state-sponsored actors shift their focus toward authentication protocols and routing infrastructure to spread laterally across devices and begin large-scale data collection. Their operations rely on both native router features and configuration abuse, often blending malicious commands into legitimate administrative traffic.
T1040 / T1005 – Capturing Network Traffic and Credentials
The actors use compromised routers as vantage points to capture sensitive data, most notably RADIUS and TACACS+ authentication traffic. Leveraging native packet capture features such as Cisco's Embedded Packet Capture (EPC), they store credential-rich traffic in files with predictable names like mycap.pcap, tac.pcap, or 1.pcap. Neither protocol protects credentials from someone who holds the shared secret: TACACS+ obfuscates the whole packet body with an MD5-derived keystream, and RADIUS hides only the User-Password attribute with an MD5 of the secret and the request authenticator. Because that secret is stored in the router configuration the actors have already harvested, they can recover administrator credentials from the captures and reuse them for lateral movement. Rotating the shared secret after a router compromise therefore matters as much as rotating the passwords themselves.
They also exploit the routers’ ability to mirror traffic through SPAN, RSPAN, or ERSPAN sessions, enabling surveillance at Layer 2 or Layer 3. This traffic often contains usernames, passwords, or metadata needed to extend access deeper into the network.
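To see why a captured tac.pcap is so valuable, the script below, an added example written for this post and not CISA or Picus code, implements the TACACS+ body obfuscation defined in RFC 8907 and recovers a PAP username and password from an authentication START packet using the shared secret. The packet, the session ID, the secret and the credentials are all constructed for the demo; in a real investigation the payload would be the TCP port 49 stream from the capture and the secret would come from the router's own configuration.

```python
"""Recover credentials from a TACACS+ authentication START packet given the shared secret.
Added example for this post, not CISA or Picus tooling.  Implements the RFC 8907
body obfuscation: body XOR a running-MD5 keystream of session_id|secret|version|seq_no.
All packet contents below are constructed for the demo."""
import hashlib
import struct

HEADER = struct.Struct("!BBBBII")   # version, type, seq_no, flags, session_id, body length
TAC_PLUS_AUTHEN = 0x01
TAC_PLUS_UNENCRYPTED_FLAG = 0x01
VERSION_PAP = 0xC1                  # major 0xC, minor 1 (minor version 1 is used with PAP/CHAP)


def keystream(session_id, secret, version, seq_no, length):
    """pad_1 = MD5(session_id|secret|version|seq_no); pad_n = MD5(same prefix|pad_n-1)."""
    prefix = struct.pack("!I", session_id) + secret + bytes([version, seq_no])
    pad, prev = b"", b""
    while len(pad) < length:
        prev = hashlib.md5(prefix + prev).digest()
        pad += prev
    return pad[:length]


def xor_body(body, session_id, secret, version, seq_no):
    """Obfuscation and de-obfuscation are the same XOR with the same keystream."""
    ks = keystream(session_id, secret, version, seq_no, len(body))
    return bytes(b ^ k for b, k in zip(body, ks))


def build_authen_start(session_id, secret, user, password, port=b"tty0", rem_addr=b"10.0.0.9"):
    """Build the first packet a router sends for a PAP login; the password travels in 'data'."""
    # action=LOGIN(1), priv_lvl=15, authen_type=PAP(2), authen_service=LOGIN(1), then 4 length bytes
    body = struct.pack("!8B", 0x01, 0x0F, 0x02, 0x01,
                       len(user), len(port), len(rem_addr), len(password))
    body += user + port + rem_addr + password
    seq_no = 1
    header = HEADER.pack(VERSION_PAP, TAC_PLUS_AUTHEN, seq_no, 0x00, session_id, len(body))
    return header + xor_body(body, session_id, secret, VERSION_PAP, seq_no)


def decrypt_body(packet, secret):
    """Strip the header and undo the obfuscation (or pass through if the cleartext flag is set)."""
    version, _ptype, seq_no, flags, session_id, length = HEADER.unpack(packet[:HEADER.size])
    body = packet[HEADER.size:HEADER.size + length]
    if flags & TAC_PLUS_UNENCRYPTED_FLAG:
        return body
    return xor_body(body, session_id, secret, version, seq_no)


def parse_authen_start(body):
    """Split a START body into fields; a wrong-secret body parses to noise without raising."""
    _action, priv, atype, _svc, ulen, plen, rlen, dlen = struct.unpack("!8B", body[:8])
    fields, off = [], 8
    for n in (ulen, plen, rlen, dlen):
        fields.append(body[off:off + n])
        off += n
    user, port, rem, data = fields
    return {"priv_lvl": priv, "authen_type": atype,
            "user": user.decode(errors="replace"), "port": port.decode(errors="replace"),
            "rem_addr": rem.decode(errors="replace"), "password": data.decode(errors="replace")}


def recover_credentials(packet, secret):
    return parse_authen_start(decrypt_body(packet, secret))


# Constructed demo values; the secret stands in for a 'tacacs-server key' from a stolen config.
DEMO_SECRET = b"tacacs-shared-secret-from-config"
DEMO_PACKET = build_authen_start(0x1234ABCD, DEMO_SECRET, b"netadmin", b"Spring2025!")

if __name__ == "__main__":
    print("correct secret:", recover_credentials(DEMO_PACKET, DEMO_SECRET))
    print("wrong secret:  ", recover_credentials(DEMO_PACKET, b"wrong-secret"))
```

Because the obfuscation is a plain XOR, the same function serves both directions, and the only thing between an attacker and every administrator login in the capture is a secret that sits in the configuration in cleartext or Type 7 form. The wrong-secret call shows what a defender can rely on: without the secret the body decodes to noise, so rotating the secret after a router compromise invalidates the captures already taken.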
T1556 – Modifying Authentication Processes
In some cases, the actors directly modify TACACS+ server configurations on routers, redirecting authentication requests to APT-controlled infrastructure. This allows them to harvest credentials whenever administrators log in. They may also weaken or alter AAA configurations, forcing devices to fall back on less secure authentication methods or forwarding accounting information to their servers. This not only ensures ongoing credential capture but also provides additional monitoring of administrative activity.
T1602.001 / T1602.002 / T1590.004 – Collecting Configuration and Routing Data
Beyond traffic captures, the operators aggressively harvest router configurations, BGP routes, RSVP sessions, MIB dumps, and MPLS information. These are obtained either from existing provider scripts or by direct survey of devices using protocols like TFTP. Configurations expose stored credentials, network topologies, and vendor inventories, all of which are used to map out the environment and prepare for further operations.
T1136.001 / T1110.002 / T1003 – Account Creation and Credential Abuse
Persistence is often reinforced by creating new user accounts directly on routers and assigning them privileged roles.
If configuration files contain weakly stored passwords, the actors recover them offline. Cisco Type 7 strings are not hashes at all but a reversible XOR obfuscation that decodes instantly, while Type 5 (salted MD5, md5crypt) hashes can be brute-forced quickly on commodity hardware; only Type 8 (PBKDF2-SHA256) and Type 9 (scrypt) secrets hold up. Common weak defaults like cisco/cisco are routinely exploited. Once recovered, these credentials are reused to log into additional routers, effectively widening the compromise with minimal effort.
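Recovering Type 7 strings takes a few lines of code, which is why they should be treated as cleartext. The script below is an added example written for this post rather than Picus or CISA tooling: it decodes and encodes Type 7 and classifies every stored credential in a configuration by its type. The configuration lines are constructed for the demo, and the Type 5 and Type 9 hash strings are placeholders that do not correspond to any real password.

```python
"""Classify stored credentials in a Cisco configuration and recover Type 7 strings.
Added example for this post, not Picus or CISA tooling.  The configuration and the
Type 5/9 hash strings below are constructed placeholders."""
import re

# Well-known translation table used by Cisco Type 7 password obfuscation.
XLAT = "dsfd;kfoA,.iyewrkldJKDHSUBsgvca69834ncxv9873254k;fg87"


def type7_decode(encoded):
    """Two decimal digits select the starting offset into XLAT; the rest is hex XORed with it."""
    seed = int(encoded[:2])
    return "".join(chr(b ^ ord(XLAT[(seed + i) % len(XLAT)]))
                   for i, b in enumerate(bytes.fromhex(encoded[2:])))


def type7_encode(plaintext, seed=0):
    """Inverse of type7_decode; used here only to show the scheme is symmetric."""
    body = "".join(f"{c ^ ord(XLAT[(seed + i) % len(XLAT)]):02X}"
                   for i, c in enumerate(plaintext.encode()))
    return f"{seed:02d}{body}"


SAMPLE_CONFIG = """\
enable password 7 0822455D0A16
username legacy privilege 15 password 7 122A101A1F0E1E567A7970
username ops privilege 15 secret 5 $1$mERr$hx5rVt7rPNoS4wqbXKX7m0
username admin privilege 15 secret 9 $9$nhEmQVczB7dqsO$X.HsgL6x1il0RxkOSSvyQYwucySCt7qFm4v7pqCxkf2
tacacs server CORP
 key 7 03100F08520C320D
"""

CRED_RE = re.compile(r"\b(password|secret|key)\s+(\d)\s+(\S+)")

VERDICT = {
    "0": "cleartext",
    "5": "md5crypt; brute-force offline, migrate to type 8/9",
    "7": "reversible XOR; treat as cleartext",
    "8": "PBKDF2-SHA256; acceptable",
    "9": "scrypt; acceptable",
}


def audit_credentials(config_text):
    """Return one finding per stored credential, with the Type 7 ones decoded in place."""
    findings = []
    for line in config_text.splitlines():
        m = CRED_RE.search(line)
        if not m:
            continue
        field, ptype, value = m.groups()
        finding = {"line": line.strip(), "field": field, "type": ptype,
                   "verdict": VERDICT.get(ptype, "unknown type"), "plaintext": None}
        if ptype == "7":
            finding["plaintext"] = type7_decode(value)
        findings.append(finding)
    return findings


if __name__ == "__main__":
    for f in audit_credentials(SAMPLE_CONFIG):
        print(f"type {f['type']:>2} {f['field']:8} {f['verdict']:52} {f['plaintext'] or ''}")
```

Note the last finding: a TACACS+ server key stored as Type 7 is recovered the same way, which is what turns a stolen configuration plus a tac.pcap into working administrator credentials. Service passwords, TACACS+ and RADIUS keys, SNMP communities and enable secrets should all be reviewed with the same rule in mind: anything Type 0, 5 or 7 in a configuration the actors may have read must be rotated.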
T1595 / T1082 – Reconnaissance via Port and Service Scanning
After initial access, scanning is conducted to identify open services and sensitive interfaces. Traffic mirroring sessions are often created to observe multiple interfaces simultaneously. The actors also run privileged router commands via SNMP, SSH, and HTTP GET/POST requests. These commands target execution paths such as /level/15/exec/-/*, giving access to configuration files, VRF management, BGP routes, and, in some cases, the ability to clear logs.
T1070 / T1610 – Covering Tracks and Using Guest Shell
The operators demonstrate deliberate efforts to evade detection. Techniques include clearing local logs, disabling log forwarding, or toggling event logging on and off during malicious activity. On Cisco IOS XE and NX-OS platforms, they sometimes launch malicious activity inside Guest Shell containers, using them to stage PCAPs, parse artifacts, or run custom tooling.
Because Guest Shell activity is not captured in standard syslog, this provides a stealthy way to persist and collect without raising alarms.
Exfiltration
Once embedded within service provider and infrastructure networks, Chinese state-sponsored actors employ techniques designed to move stolen data out of the environment while blending seamlessly into legitimate traffic flows.
Their focus is on abusing the natural trust relationships between networks and leveraging tunneling protocols that are common in carrier-grade infrastructure.
How Picus Helps Defend Against China-Based State-Sponsored Attack Campaigns on Critical Infrastructure
We strongly recommend simulating Chinese state-sponsored APT attacks to evaluate the effectiveness of your security controls against real-world cyber threats using the Picus Security Validation Platform.
You can also validate your defenses against hundreds of other threat actors and ransomware variants, including Salt Typhoon, OPERATOR PANDA, RedMike, UNC5807, and GhostEmperor, within minutes by starting a 14-day free trial of the Picus Platform.
Picus Threat Library includes the following threats for these China-based state-sponsored actors.
| Threat ID | Threat Name | Attack Module |
|---|---|---|
| 38581 | Salt Typhoon Threat Group Campaign Malware Download Threat | Network Infiltration |
| 28940 | Salt Typhoon Threat Group Campaign Malware Email Threat | Email Infiltration (Phishing) |
| 26880 | Salt Typhoon Threat Group Campaign | Windows Endpoint |
| 43086 | Salt Typhoon Threat Group Lateral Movement Campaign | Windows Endpoint |
Picus also provides actionable mitigation content. Picus Mitigation Library includes prevention signatures to address Salt Typhoon, OPERATOR PANDA, RedMike, UNC5807, and GhostEmperor, and other APT attack campaigns in preventive security controls.
Currently, Picus Labs has validated the following signatures for China-based state-sponsored cyberattacks:
| Security Control | Signature ID | Signature Name |
|---|---|---|
| Check Point NGX | 0BC798754 | Trojan.Win32.Generic.TC.81b4QjpT |
| Check Point NGX | 094757186 | Generic.Win32.Generic.TC.77cbAUaL |
| Check Point NGX | 08787486C | Trojan.Win32.Generic.TC.0d1bmAFh |
| FORCEPOINT NGFW | File_Malware-Blocked | |
| FORCEPOINT NGFW | File-Text_Possibly-Malicious-PowerShell-Commands-In-HTTP-Response | |
| FORTIGATE AV | 10193222 | PowerShell/Agent.OM!tr |
| FORTIGATE AV | 6488039 | W64/Agent.KA!tr |
| Trellix | 0x4840c900 | MALWARE: Malicious File Detected by GTI |
| PaloAlto NG Firewall | 597833478 | TrojanDownloader/PowerShell.ghostemperor.b |
| PaloAlto NG Firewall | 436457790 | trojan/Win32 DLL.volgmer.e |
| PaloAlto NG Firewall | 437140734 | trojan/Win32 DLL.artemis.ajeu |
| Snort CentOS | 1.2026988.6 | ET ATTACK_RESPONSE PowerShell NoProfile Command Received In Powershell Stagers |
| Cisco FirePower | W32.Auto:a4e835aa06.in03.Talos | |
| Cisco FirePower | W32.Auto:76484e26b8.in03.Talos | |
| Cisco FirePower | W32.Auto:951aaefbac.in03.Talos | |
| Cisco FirePower | W32.Auto:ffeced302e.in03.Talos | |
Start simulating emerging threats today and get actionable mitigation insights with a 14-day free trial of the Picus Security Validation Platform.
References
[1] "Countering Chinese State-Sponsored Actors Compromise of Networks Worldwide to Feed Global Espionage System," Cybersecurity and Infrastructure Security Agency CISA. Available: https://www.cisa.gov/news-events/cybersecurity-advisories/aa25-239a