Malicious cyber actors associated with China continue to exploit security vulnerabilities to infiltrate information technology systems used by critical infrastructure operators in the U.S. and by its allies, a new warning from security agencies in multiple countries says.
The advisory, published Aug. 27 on the website of the Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency (CISA), is based on investigations conducted in multiple countries through July 2025, along with findings from industry. It was co-signed by CISA, the National Security Agency, the FBI and the Department of Defense’s Cyber Crime Center, along with counterparts in Australia, Canada, New Zealand, the United Kingdom, the Czech Republic, Finland, Germany, Italy, Japan, the Netherlands, Poland and Spain.
According to the advisory, advanced persistent threat (APT) actors have pursued malicious cyber operations “linked to multiple China-based entities” against global targets, mainly in the telecommunications sector, since at least 2021. The agencies noted that the cybersecurity community has associated several groups with this activity, some of which may be different names for the same actors. Among these are Salt Typhoon, Operator Panda, RedMike, UNC5807 and GhostEmperor.
The APT actors have had “considerable success” using publicly known common vulnerabilities and exposures (CVEs). Agencies recommended that defenders prioritize CVEs involving devices from Ivanti, Palo Alto Networks and Cisco because they are known to have been exploited in the past; however, they noted that software from other providers, such as Microsoft, Fortinet and Nokia, also may be targeted.
Even devices of people outside the threat actors’ sectors of interest may be targeted if the actors believe they can provide pathways to attack primary targets, the advisory said. Attackers can “leverage compromised devices and trusted connections or private interconnections (e.g. provider-to-provider or provider-to-customer links) to pivot into other networks.”
APT actors then maintain access to target networks via several different techniques:
- Modifying access control lists to add IP addresses, thus bypassing security policies by establishing threat actor-controlled addresses as trustworthy.
- Opening standard and non-standard ports to expose different services, which “supplies multiple avenues for remote access and data exfiltration.”
- Enumerating and altering configurations for other devices in the same group, when possible.
- Creating tunnels between network devices to allow covert data transmission that blends in with normal network traffic.
- Setting up containers on compromised devices “to stage tools, process data locally and move laterally within the environment” while staying undetected because activity “within the container [is] not monitored closely.”
The agencies encouraged cybersecurity staff at critical infrastructure organizations to carry out threat hunting activities to search for malicious activity and, if discovered, report to relevant agencies and regulators. Because the threat actors try to maintain persistent, long-term presence in target networks through several means of access, defenders “should exercise caution when sequencing defensive measures to maximize the chance of achieving full eviction.”
Organizations also should keep in mind that APT actors often monitor compromised mail servers and network administrator accounts to see whether their activity has been detected, and should therefore keep information about their threat hunting secure from compromise, the advisory said.
Other recommendations include regularly reviewing network device logs and configurations for evidence of unusual activity, disabling outbound connections from management interfaces to reduce lateral movement between network devices, disabling all unused ports and protocols and changing all default administrative credentials.
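The configuration review the advisory recommends can be partly automated. The following script is an added example, not code from the advisory or from any of the signing agencies: it compares a known-good configuration snapshot with a current one and flags added lines that match the persistence techniques listed above, that is, new ACL permit entries for addresses outside an assumed allow-list of admin hosts, newly exposed services and ports, and new tunnel interfaces or endpoints. The IOS-style configuration text, the hostnames, the addresses and the `TRUSTED_MGMT_HOSTS` allow-list are all constructed for the example.

```python
"""Flag suspicious additions between two network-device configuration snapshots.

Added example; the configurations below are constructed IOS-style samples and the
trusted-host allow-list is an assumption, not data from the advisory.
"""
import re
from typing import Dict, List, Set

# Assumed allow-list of administrative jump hosts that may legitimately be
# permitted in management ACLs (constructed value).
TRUSTED_MGMT_HOSTS: Set[str] = {"10.0.5.10"}

# Constructed known-good baseline, captured from the device and stored off-box.
BASELINE = """
hostname edge-rtr-01
ip access-list extended MGMT-ACCESS
 permit tcp host 10.0.5.10 any eq 22
 deny ip any any
interface GigabitEthernet0/1
 ip address 192.0.2.1 255.255.255.0
line vty 0 4
 transport input ssh
"""

# Constructed current snapshot showing the kinds of changes the advisory describes:
# an extra ACL permit, a new tunnel to the same outside address, and newly
# exposed management services.
CURRENT = """
hostname edge-rtr-01
ip access-list extended MGMT-ACCESS
 permit tcp host 10.0.5.10 any eq 22
 permit tcp host 198.51.100.77 any eq 22
 deny ip any any
interface GigabitEthernet0/1
 ip address 192.0.2.1 255.255.255.0
interface Tunnel9
 ip address 10.99.99.1 255.255.255.252
 tunnel source GigabitEthernet0/1
 tunnel destination 198.51.100.77
ip http server
ip http port 8443
line vty 0 4
 transport input ssh telnet
"""

# Each pattern maps an added configuration line to one of the techniques
# from the advisory's list (ACL changes, exposed ports/services, tunnels).
PATTERNS = [
    ("acl_permit", re.compile(r"^permit\s")),
    ("tunnel_interface", re.compile(r"^interface\s+Tunnel\d+")),
    ("tunnel_endpoint", re.compile(r"^tunnel\s+destination\s")),
    ("exposed_service", re.compile(r"^ip\s+http\s+(server|port)\b")),
    ("exposed_service", re.compile(r"^transport\s+input\b.*\btelnet\b")),
]
IPV4 = re.compile(r"\b(\d{1,3}(?:\.\d{1,3}){3})\b")


def config_lines(text: str) -> Set[str]:
    """Normalise a configuration into a set of stripped, non-comment lines."""
    lines = (ln.strip() for ln in text.splitlines())
    return {ln for ln in lines if ln and not ln.startswith("!")}


def added_lines(baseline: str, current: str) -> List[str]:
    """Lines present in the current snapshot but absent from the baseline."""
    return sorted(config_lines(current) - config_lines(baseline))


def review_changes(baseline: str, current: str) -> List[Dict[str, str]]:
    """Return one finding per added line that matches a persistence pattern."""
    findings: List[Dict[str, str]] = []
    for line in added_lines(baseline, current):
        for category, pattern in PATTERNS:
            if not pattern.search(line):
                continue
            addresses = IPV4.findall(line)
            if category == "acl_permit":
                untrusted = [ip for ip in addresses if ip not in TRUSTED_MGMT_HOSTS]
                if addresses and not untrusted:
                    break  # permit names only allow-listed admin hosts: not flagged
                addresses = untrusted  # no literal address (e.g. "any") is still flagged
            findings.append(
                {"category": category, "line": line, "addresses": ", ".join(addresses)}
            )
            break  # one finding per line
    return findings


if __name__ == "__main__":
    for f in review_changes(BASELINE, CURRENT):
        print(f"[{f['category']}] {f['line']}" + (f"  ({f['addresses']})" if f["addresses"] else ""))
```

A set difference of stripped lines deliberately ignores ordering and interface context, so it reports what was added but not where; a full-context diff from the device's own change-tracking is the next step once a finding appears. The comparison is only meaningful if the baseline was taken from a known-good state and kept somewhere the actors who may be watching administrator accounts cannot reach, in line with the advisory's point about keeping threat-hunting information secure.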
“CISA and our partners are committed to equipping critical infrastructure owners and operators with the intelligence and tools they need to defend against sophisticated cyber threats,” CISA Acting Director Madhu Gottumukkala said in a statement. “By exposing the tactics used by [Chinese] state-sponsored actors and providing actionable guidance, we are helping organizations strengthen their defenses and protect the systems that underpin our national and economic security.”