A group of global intelligence agencies is warning telecom providers and other sectors about routers hacked by China.
A global partnership of intelligence agencies is warning about hacked routers that are being actively targeted by hackers supported by the Chinese government. The cyber attacks aim to gain long-term access to systems through backbone routers, central systems, and consumer routers, targeting sectors including telecommunications and defense. The intelligence agencies recommend addressing certain vulnerabilities as quickly as possible.
Hacked Routers
According to America’s Cyber Defense Agency, cyber threat actors linked to China are targeting networks worldwide in sectors such as telecommunications, transportation, government, and defense. These actors reportedly focus on large backbone routers, provider edge routers, and customer-facing network infrastructure. The attacks occur through modifications to network equipment and abuse of trusted connections, with the goal of establishing long-term, difficult-to-detect access to internal systems.
According to the security industry, the actors involved operate under various names, including Salt Typhoon, OPERATOR PANDA, RedMike, and GhostEmperor. In the report, governments use the umbrella term ‘Advanced Persistent Threats’ (APT). The activity has been observed in countries including the United States, Canada, the United Kingdom, Australia, New Zealand, and also in European countries such as Germany, Finland, and the Netherlands.
International Warning
Research shows that the APT actors primarily exploit publicly known vulnerabilities and other avoidable weaknesses in network infrastructure. So far, no exploitation of zero-day vulnerabilities has been identified, but the threat actors continuously adapt their tactics and expand their use of existing vulnerabilities. They target devices such as Fortinet, Juniper, and SonicWall firewalls, Nokia routers and switches, Microsoft Exchange servers, and Sierra Wireless devices.
The actors use infrastructure such as virtual private servers and compromised intermediate routers to gain access to the networks of telecom providers and others. They exploit vulnerabilities such as CVE-2024-21887 and CVE-2023-46805 (Ivanti Connect Secure), CVE-2024-3400 (Palo Alto Networks PAN-OS GlobalProtect), CVE-2023-20198 and CVE-2023-20273 (Cisco IOS XE), and CVE-2018-0171 (Cisco IOS).
In some cases, they employ techniques such as double encoding of requests, traffic mirroring, or tunneling via GRE/IPsec to redirect or observe traffic. Edge devices of organizations that are not the primary target are also used as stepping stones to other networks via trusted connections between providers.
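As an added example, not taken from the advisory or from this article, the following Python audit flags two of the configuration-level techniques mentioned above, GRE tunnels to undocumented peers and unexpected traffic-mirroring (SPAN) sessions, in a Cisco IOS-style running config. The config text, the approved-peer network and the session allowlist are constructed for illustration and should be replaced with an operator's own inventory.

```python
import re
from ipaddress import ip_address, ip_network

# Constructed sample of a Cisco IOS-style running config (not from a real device).
SAMPLE_CONFIG = """\
interface Tunnel7
 ip address 10.255.7.1 255.255.255.252
 tunnel destination 203.0.113.45
 tunnel mode gre ip
interface Tunnel1
 tunnel destination 192.0.2.10
 tunnel mode gre ip
monitor session 3 source interface GigabitEthernet0/0
monitor session 3 destination interface GigabitEthernet0/3
"""

# Assumed allowlists: tunnel peers and mirror sessions the operator has documented.
APPROVED_TUNNEL_PEERS = [ip_network("192.0.2.0/24")]
APPROVED_MONITOR_SESSIONS = set()

def parse_interfaces(config):
    """Group the indented lines of a config under their 'interface X' header."""
    blocks, name = {}, None
    for line in config.splitlines():
        if line.startswith("interface "):
            name = line.split(None, 1)[1]
            blocks[name] = []
        elif line.startswith(" ") and name:
            blocks[name].append(line.strip())
        else:
            name = None  # a top-level line ends the interface block
    return blocks

def audit_config(config, approved_peers=APPROVED_TUNNEL_PEERS,
                 approved_sessions=APPROVED_MONITOR_SESSIONS):
    """Flag GRE tunnels to unapproved peers and mirror sessions not on the allowlist."""
    findings = []
    for name, lines in parse_interfaces(config).items():
        is_gre = any(ln.startswith("tunnel mode gre") for ln in lines)
        dest = next((ln.split()[-1] for ln in lines if ln.startswith("tunnel destination")), None)
        if is_gre and dest and not any(ip_address(dest) in net for net in approved_peers):
            findings.append(f"{name}: GRE tunnel to unapproved peer {dest}")
    sessions = {}  # session id -> its source/destination clauses
    for m in re.finditer(r"^monitor session (\d+) (.+)$", config, re.M):
        sessions.setdefault(int(m.group(1)), []).append(m.group(2))
    for sid, parts in sessions.items():
        if sid not in approved_sessions:
            findings.append(f"monitor session {sid}: unapproved mirror ({'; '.join(parts)})")
    return findings
```

Run against exported configs on a schedule and diff the findings over time; a tunnel or mirror session that appears without a matching change record is the kind of modification the advisory describes.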
The intelligence agencies urge organizations to proactively detect suspicious activity and report compromises to the appropriate authorities.