Chinese state-sponsored hackers are carrying out a sustained global cyber campaign against critical infrastructure, U.S. and international authorities warned today in a joint security advisory.

The advisory, released by the Cybersecurity and Infrastructure Security Agency (CISA) in partnership with the FBI, NSA, and international allies, details ongoing activity from multiple advanced persistent threat (APT) groups backed by the People’s Republic of China (PRC). It builds on earlier intelligence reports, incorporating findings through July 2025.

Investigators say the campaign involves overlapping operations from several known PRC-linked groups, including Salt Typhoon, OPERATOR PANDA, RedMike, UNC5807, and GhostEmperor. The activity highlights a deliberate and coordinated effort to secure long-term access to networks in critical sectors, most notably telecommunications, transportation, lodging, and defense-related industries.

“CISA and our partners are committed to equipping critical infrastructure owners and operators with the intelligence and tools they need to defend against sophisticated cyber threats,” said Madhu Gottumukkala, acting director of CISA. “By exposing the tactics used by PRC state-sponsored actors and providing actionable guidance, we are helping organizations strengthen their defenses and protect the systems that underpin our national and economic security.”

According to the advisory, attackers are exploiting widely known vulnerabilities in routers and other edge devices relied on by infrastructure providers. Once inside, the threat actors deploy covert tunneling protocols and alter router configurations to maintain persistence and avoid detection. Officials say the activity often continues undiscovered for extended periods, with evidence showing unauthorized modifications to access control lists, management protocols, and virtual containers within network devices.

The report warns that this approach allows PRC-backed actors to sustain covert access while exfiltrating sensitive data critical to both economic and national security. By operating at the network edge, the groups can blend in with normal traffic flows and evade traditional security monitoring.

To help organizations defend against these tactics, the advisory sets out a series of urgent mitigation steps. Key recommendations include rapidly patching known exploited vulnerabilities, enabling centralized logging, and reinforcing security around edge devices commonly targeted by adversaries.

Security teams are also urged to regularly review router logs and configurations for indicators of compromise, such as unfamiliar tunneling protocols, unauthorized external IP addresses, or unusual virtual containers. Additional defensive measures include disabling unused ports and protocols, enforcing strong public-key authentication for administrator accounts, and isolating management planes to limit exposure.
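The two paragraphs above describe both the tampering the advisory attributes to these actors (tunneling protocols, access control lists, management protocols, virtual containers) and the review defenders are urged to perform. The following script is an added example, not code from the advisory or from CISA, of what such a configuration review can look like when automated. It assumes a Cisco IOS-style running configuration; the sample config, the internal address ranges, the approved tunnel list and the allowed management transport are all constructed for the example and would be replaced with an organisation's own change-control records.

```python
"""
Router configuration audit (added example, not from the advisory).

Scans an IOS-style running-config for the indicator classes the advisory
names: tunnel interfaces not on the approved list, access-list permits for
addresses outside the organisation's own ranges, management transports
other than the allowed one, and virtual container / app-hosting features.
"""
import ipaddress
import re
from dataclasses import dataclass

# Constructed assumptions for this example: replace with real inventory data.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "192.168.0.0/16")]
APPROVED_TUNNELS = {"Tunnel0"}          # tunnels recorded in change control
ALLOWED_MGMT_TRANSPORT = {"ssh"}        # the only management transport allowed
CONTAINER_PREFIXES = ("iox", "app-hosting appid", "guestshell enable")

IPV4 = re.compile(r"^\d{1,3}(?:\.\d{1,3}){3}$")


@dataclass
class Finding:
    category: str   # "tunnel", "acl", "mgmt" or "container"
    line_no: int    # 1-based line number in the configuration text
    text: str       # the configuration line that triggered the finding
    detail: str     # human-readable explanation


def is_internal(addr: str) -> bool:
    """True when addr falls inside one of the organisation's own ranges."""
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in INTERNAL_NETS)


def audit_config(config: str) -> list:
    """Return a list of Finding objects for every suspicious line in config."""
    findings = []
    lines = config.splitlines()
    i = 0
    while i < len(lines):
        line = lines[i].strip()
        no = i + 1
        if line.startswith(CONTAINER_PREFIXES):
            findings.append(Finding("container", no, line,
                                    "virtual container / app hosting enabled"))
        elif line.startswith("interface Tunnel"):
            name = line.split()[1]
            # Collect the indented body of this interface block.
            body, j = [], i + 1
            while j < len(lines) and lines[j].startswith(" "):
                body.append(lines[j].strip())
                j += 1
            if name not in APPROVED_TUNNELS:
                mode = next((b for b in body if b.startswith("tunnel mode")),
                            "tunnel mode (default)")
                dest = next((b.split()[-1] for b in body
                             if b.startswith("tunnel destination")), "?")
                findings.append(Finding("tunnel", no, line,
                                        f"unapproved tunnel {name}: {mode}, destination {dest}"))
            i = j
            continue
        elif line.startswith("access-list") and " permit " in line:
            toks = line.split()
            rest = toks[toks.index("permit") + 1:]
            if rest and rest[0] == "host":
                rest = rest[1:]
            target = rest[0] if rest else ""
            # Keywords such as "any" are not dotted quads and are skipped here.
            if IPV4.match(target) and not is_internal(target):
                findings.append(Finding("acl", no, line,
                                        f"permit for external address {target}"))
        elif line.startswith("transport input"):
            extra = set(line.split()[2:]) - ALLOWED_MGMT_TRANSPORT
            if extra:
                findings.append(Finding("mgmt", no, line,
                                        f"management transport(s) not allowed: {sorted(extra)}"))
        i += 1
    return findings


# Constructed sample configuration: one approved tunnel, one unapproved GRE
# tunnel to an external address, an ACL permit for an external host, a telnet
# management transport and an app-hosting container.
SAMPLE_CONFIG = """\
hostname edge-rtr-01
!
iox
!
interface Tunnel0
 description approved site-to-site link
 tunnel source GigabitEthernet0/0
 tunnel destination 10.20.0.1
 tunnel mode ipsec ipv4
!
interface Tunnel7
 ip address 172.16.99.1 255.255.255.252
 tunnel source GigabitEthernet0/1
 tunnel destination 198.51.100.77
 tunnel mode gre ip
!
access-list 10 permit 10.0.0.0 0.255.255.255
access-list 10 permit host 203.0.113.45
access-list 10 deny   any
!
line vty 0 4
 access-class 10 in
 transport input ssh
line vty 5 15
 transport input telnet
!
app-hosting appid relay
 app-vnic gateway0 virtualportgroup 0 guest-interface 0
!
"""

if __name__ == "__main__":
    for f in audit_config(SAMPLE_CONFIG):
        print(f"[{f.category}] line {f.line_no}: {f.text!r} -> {f.detail}")
```

Run against a saved `show running-config` from each device on a schedule and diff the findings between runs; a finding that appears without a matching change-control entry is the trigger for an incident review, which is the pattern the advisory's logging and configuration-review guidance is aiming at.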

Finally, officials stress the importance of lifecycle management for critical infrastructure systems. Agencies recommend that operators run only supported operating systems, apply vendor-issued firmware updates, and retire outdated software to eliminate opportunities for exploitation.

The advisory underscores what cybersecurity authorities describe as a long-running and deliberate campaign by PRC-backed groups to undermine essential infrastructure worldwide. Officials warn the threat is ongoing, and organizations across both public and private sectors must harden defenses now to prevent compromise.