Chinese hackers are hiding deep inside telecom networks to spy on entire populations


A covert campaign is targeting global telecommunications networks, with links to the China-affiliated threat actor Red Menshen. The activity has raised alarms over potential espionage, as the attackers appear capable of monitoring and possibly disrupting critical communications infrastructure.

Key takeaways:

The activity appears to be a strategic effort to embed persistent access deep within telecom systems. Attackers are reportedly placing “some of the stealthiest digital sleeper cells” seen in such environments, aimed at enabling high-level espionage.


“This is not traditional espionage, it is pre-positioning inside the infrastructure that nations depend on,” said Christiaan Beek, vice president of cyber intelligence at Rapid7, the company that published the report on the investigation.

The campaign centers on BPFDoor, a Linux backdoor that operates at the kernel level using Berkeley Packet Filter (BPF) technology. Unlike conventional malware, it avoids opening ports or generating detectable traffic, remaining dormant until triggered by specially crafted packets.
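Because a passive implant of this kind never binds a TCP or UDP port, the usual `ss -l` or `netstat -l` check shows nothing. What it cannot hide is the raw packet socket the filter is attached to: on Linux every AF_PACKET socket is listed in `/proc/net/packet`, and its inode appears as a `socket:[N]` link under the owning process's `/proc/<pid>/fd`. The script below, an added example written for this article and not code from Rapid7 or from the report, cross-references the two to produce a triage list of processes that are listening to raw frames. The `/proc` contents and process table are constructed samples so it runs offline; `read_live_fd_table()` shows how the same table is built from a real host. The column layout of `/proc/net/packet` and the meaning of protocol `0003` (ETH_P_ALL) are standard kernel behaviour; the process names are invented.

```python
"""Find processes holding AF_PACKET (raw frame) sockets by joining
/proc/net/packet with /proc/<pid>/fd. Added example; sample data is constructed."""
import os
import re
from typing import Dict, List, Tuple

# Constructed sample of /proc/net/packet. Columns follow the kernel's
# packet_seq_show(): sk RefCnt Type Proto Iface R Rmem User Inode.
# Proto 0003 is ETH_P_ALL, i.e. the socket receives every frame on the interface,
# which is what a filter-triggered passive listener needs. Proto 0800 is ETH_P_IP.
SAMPLE_PROC_NET_PACKET = """\
sk               RefCnt Type Proto  Iface R Rmem   User   Inode
ffff9c0a12345678 3      3    0003   2     1 0      0      41217
ffff9c0a87654321 3      3    0800   0     1 0      1000   52219
"""

# Constructed stand-in for the result of read_live_fd_table():
# pid -> (comm, list of readlink() targets under /proc/<pid>/fd).
SAMPLE_FD_TABLE = {
    812: ("dhclient", ["/dev/null", "socket:[52219]"]),
    2417: ("unnamed_tool", ["/dev/null", "/dev/null", "socket:[41217]"]),
    3001: ("sshd", ["socket:[60001]"]),
}

SOCKET_LINK = re.compile(r"^socket:\[(\d+)\]$")


def parse_packet_sockets(text: str) -> Dict[int, Dict[str, str]]:
    """Map socket inode -> column dict for every AF_PACKET socket listed."""
    lines = text.strip().splitlines()
    header = lines[0].split()
    sockets: Dict[int, Dict[str, str]] = {}
    for line in lines[1:]:
        fields = line.split()
        if len(fields) != len(header):
            continue  # skip anything that does not match the header layout
        row = dict(zip(header, fields))
        sockets[int(row["Inode"])] = row
    return sockets


def socket_owners(fd_table: Dict[int, Tuple[str, List[str]]]) -> Dict[int, Tuple[int, str]]:
    """Map socket inode -> (pid, comm) from 'socket:[N]' fd link targets."""
    owners: Dict[int, Tuple[int, str]] = {}
    for pid, (comm, targets) in fd_table.items():
        for target in targets:
            m = SOCKET_LINK.match(target)
            if m:
                owners[int(m.group(1))] = (pid, comm)
    return owners


def find_packet_listeners(packet_text: str,
                          fd_table: Dict[int, Tuple[str, List[str]]]) -> List[dict]:
    """Join the two views; 'all_frames' marks ETH_P_ALL sockets, the ones worth a closer look."""
    sockets = parse_packet_sockets(packet_text)
    owners = socket_owners(fd_table)
    findings = []
    for inode, row in sorted(sockets.items()):
        pid, comm = owners.get(inode, (None, "<no readable owner>"))
        findings.append({
            "inode": inode,
            "pid": pid,
            "comm": comm,
            "proto": row["Proto"],
            "all_frames": row["Proto"].lower() == "0003",
            "uid": int(row["User"]),
        })
    return findings


def read_live_fd_table() -> Dict[int, Tuple[str, List[str]]]:
    """Build the fd table from the running system (root is needed to read every /proc/<pid>/fd)."""
    table: Dict[int, Tuple[str, List[str]]] = {}
    for entry in os.listdir("/proc"):
        if not entry.isdigit():
            continue
        pid = int(entry)
        try:
            with open(f"/proc/{pid}/comm") as f:
                comm = f.read().strip()
            fd_dir = f"/proc/{pid}/fd"
            targets = [os.readlink(os.path.join(fd_dir, fd)) for fd in os.listdir(fd_dir)]
        except OSError:
            continue  # process exited or is not readable by this user
        table[pid] = (comm, targets)
    return table


if __name__ == "__main__":
    # On a real host: open("/proc/net/packet").read() and read_live_fd_table().
    for f in find_packet_listeners(SAMPLE_PROC_NET_PACKET, SAMPLE_FD_TABLE):
        flag = "ALL-FRAMES" if f["all_frames"] else ""
        print(f"inode={f['inode']} pid={f['pid']} comm={f['comm']} "
              f"proto={f['proto']} uid={f['uid']} {flag}")
```

The output is a list to triage, not a verdict: DHCP clients, packet capture tools and some network daemons legitimately hold packet sockets. The entries worth examining are root-owned ETH_P_ALL sockets held by a process whose name, binary path or parent does not match anything in the host's package inventory. Run the live version from a trusted boot image or with a known-good copy of the tooling, since an implant that already controls the kernel can lie to userspace.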


Researchers say this allows attackers to bypass traditional security monitoring and remain undetected for extended periods.

Recent incidents show China-linked actors infiltrating US internet service providers and breaching multiple telecom firms, including Viasat, as part of broader espionage campaigns tied to the Salt Typhoon cluster. The same group has also targeted a Canadian telecom provider, underlining the cross-border nature of these operations.


In Europe, a string of breaches has exposed millions of customer records at major operators, including large-scale incidents affecting Bouygues Telecom, Orange, Free Mobile, and Odido.


However, these attacks are not just one-off intrusions: they aim to establish long-term, hidden access within telecom networks. The research also shows that attackers are specifically targeting sensitive telecom data, including subscriber identifiers, signaling flows, and communication metadata.


The hidden layer of telecom espionage

Rapid7 describes the campaign as a structured, long-term operation rather than a series of isolated breaches. The attackers focus on embedding themselves deeply within telecom environments and maintaining access over extended periods, highlighting a broader shift in attacker strategy.

The campaign focuses on telecom backbone infrastructure. Rapid7 stresses that compromising these networks has far-reaching implications, noting that telecom systems “carry government communications” and underpin critical industries and digital identities worldwide.

Raj Samani, Rapid7’s chief scientist, warned that the level of access significantly raises the stakes.

“If you have access to telecommunications infrastructure, you are not just inside one company,” he said, adding that such positioning places attackers close to “the communication layer of entire populations.”


The attackers deploy a mix of kernel-level implants, passive backdoors, and credential-harvesting tools to create what researchers describe as a persistent access layer. As Rapid7 notes, these components are designed “not simply to breach networks, but to inhabit them.”

Once inside, attackers can gain visibility into sensitive telecom data, including subscriber identifiers, signaling flows, and communication metadata. In the most concerning scenarios, the researchers suggest, it could even support large-scale surveillance or long-term intelligence collection targeting high-value individuals and government entities.


The findings add to a growing pattern of attacks targeting telecom providers across the US and Europe, where authorities have repeatedly warned of state-backed intrusions into critical infrastructure.
