A new joint cybersecurity advisory (CSA) released on Wednesday by over a dozen international law enforcement organizations exposes the inner workings of Beijing-backed threat groups, with Salt Typhoon topping the list.

The CSA, titled “Countering Chinese State-Sponsored Actors Compromise of Networks Worldwide to Feed Global Espionage System”, aims to provide organizations with the specific tactics, techniques, and procedures (TTPs) used by the nation-state threat groups and proactive steps they can take to harden systems.

“These recommendations are especially important for network defenders of telecommunications and critical infrastructure organizations to discover unknown intrusions and prevent undetected malicious activity on their network,” the CSA states.

The broad international coalition behind the advisory is made up of multiple cybersecurity and intelligence agencies, including those of the US, Australia, Britain, Canada, and New Zealand, all members of the "Five Eyes" intelligence alliance.

Joint international cybersecurity advisory released on August 27th, 2025. “Countering Chinese State-Sponsored Actors Compromise of Networks Worldwide to Feed Global Espionage System.” Image by US National Security Agency/Central Security Service.

Other nations signing off on the CSA include Germany, Italy, the Netherlands, Japan, the Czech Republic, Finland, Spain, and Poland.

The advisory identifies an array of advanced persistent threat (APT) actors sponsored by the Chinese government, many with overlapping targets of interest, attack pathways, and other TTPs used for “initial exploitation, persistence, lateral movement, collection, and exfiltration.”

The five threat groups singled out in the advisory – Salt Typhoon, OPERATOR PANDA, RedMike, UNC5807, and GhostEmperor – are said to be the most notable (and active) groups tracked by the cybersecurity intel community, whose members often use their own naming conventions to label the same APTs.

The threat actors are said to have found “considerable success” repeatedly exploiting publicly known common vulnerabilities and exposures (CVEs) as well as other avoidable system weaknesses.

The APTs have been observed targeting various networks worldwide with a penchant for going after telecommunications, government, transportation, lodging, and military infrastructure networks, the CSA said.

“While these actors focus on large backbone routers of major telecommunications providers, and provider edge (PE) and customer edge (CE) routers, they also leverage compromised devices and trusted connections to pivot into other networks,” it said.

The CSA also noted that the Chinese nation-state threat actors often modify routers to maintain persistent and long-term access to networks.

Three Chinese companies named

“When threat hunting, the authoring agencies advise that organizations gain a full understanding of the APT actors’ accesses before implementing visible incident response and mitigation actions to maximize the chance of achieving full eviction from compromised networks,” the advisory states.

Additionally, the 37-page report explicitly calls out three Chinese companies over the alleged hacking activity tied to the APTs.

Sichuan Juxinhe Network Technology

Beijing Huanyu Tianqiong Information Technology

Sichuan Zhixin Ruijie Network Technology

The firms are accused of providing "cyber-related products and services to China's intelligence services, including multiple units in the People’s Liberation Army and Ministry of State Security."

Sichuan Juxinhe was sanctioned by the US Treasury in January for a direct connection with Salt Typhoon and its espionage campaign against nine US telecoms in the lead-up to the 2024 US presidential elections.

Besides US firms AT&T, Lumen Technologies, T-Mobile, Verizon, and Viasat, Salt Typhoon was also blamed in 2024 for hacking the US Treasury, the US National Guard, and even tapping into the email accounts of Trump campaign staffers.

In the alleged year-long US Treasury hack, the Chinese hackers gained unauthorized access to the laptops of senior White House officials, and subsequently, the email accounts of about 100 bank regulators.

Since then, more than a dozen Chinese nationals have been indicted by the US Department of Justice in connection with the telecom attacks, and the Treasury’s Office of Foreign Assets Control (OFAC) has imposed individual and corporate sanctions.

The other two firms, Beijing Huanyu Tianqiong and Sichuan Zhixin Ruijie, were both allegedly hit by recent and so far unexplained data leaks, according to Reuters.

Beijing regularly denies its involvement in cyber-espionage activity.

The US National Security Agency (NSA), Cybersecurity and Infrastructure Security Agency (CISA), Federal Bureau of Investigation (FBI), and the Department of Defense Cyber Crime Center (DC3) were all involved in the effort.