216.73.217.22

Countering Chinese State-Sponsored Actors Compromise of Networks Worldwide to Feed Global Espionage System

· Published 28/08/2025 15:03 · Modified 28/08/2025 15:31

Export JSON

Essential information

Published
28/08/2025 15:03
Modified
28/08/2025 15:31
Tags
2025-08-28 apt edge devices salt typhoon
Related entities
6 vulnerabilities (cve), 92 observables, 1 intrusion sets (apt), 31 techniques (mitre), 8 others

Description

The CISA Cybersecurity Advisory AA25-239A, issued jointly by U.S. and international cybersecurity and intelligence agencies, highlights a global cyber espionage campaign conducted by Chinese state-sponsored threat actors. These Advanced Persistent Threat () groups have been targeting network infrastructure across sectors such as telecommunications, government, military, and transportation by exploiting known vulnerabilities in edge and backbone routers. Their tactics include modifying router firmware for persistent access, leveraging trusted connections to move laterally within networks, and employing stealth techniques to evade detection. The advisory identifies overlaps with groups like and GhostEmperor, and provides detailed tactics, techniques, and procedures (TTPs) to support detection and mitigation efforts. It urges organizations to proactively hunt for malicious activity and implement recommended security measures to defend against these sophisticated, long-term threats.

Related entities

Vulnerabilities, IOCs, intrusion sets, MITRE techniques and other entities referenced in this report.

Vulnerabilities (CVE) (6)

CVE-2018-0171 KEV
9.8 Critical

Cisco IOS and IOS XE Software improperly validates packet data, allowing an unauthenticated, remote attacker to trigger a reload of an affected …

Attack vector
NETWORK
Published
03/11/2021
Modified
14/01/2026
CVE-2024-21887 KEV
9.1 Critical

Ivanti Connect Secure (ICS, formerly known as Pulse Connect Secure) and Ivanti Policy Secure contain a command injection vulnerability in the web …

Attack vector
Network
Published
10/01/2024
Modified
27/05/2026
CVE-2023-46805 KEV
8.2 High

Ivanti Connect Secure (ICS, formerly known as Pulse Connect Secure) and Ivanti Policy Secure gateways contain an authentication bypass vulnerability in the …

Attack vector
Network
Published
10/01/2024
Modified
27/05/2026
CVE-2023-20273 KEV
7.2 High

Cisco IOS XE contains a command injection vulnerability in the web user interface. When chained with CVE-2023-20198, the attacker can leverage the …

Attack vector
Network
Published
23/10/2023
Modified
21/12/2025
CVE-2023-20198 KEV
10.0 Critical

Cisco IOS XE Web UI contains a privilege escalation vulnerability in the web user interface that could allow a remote, unauthenticated attacker …

Attack vector
Network
Published
16/10/2023
Modified
21/12/2025
CVE-2024-3400 KEV
10.0 Critical

Palo Alto Networks PAN-OS GlobalProtect feature contains a command injection vulnerability that allows an unauthenticated attacker to execute commands with root privileges …

Attack vector
Network
Published
12/04/2024
Modified
21/12/2025

Observables (92)

  • 91.245.253.99
  • 91.231.186.227
  • 89.41.26.142
  • 89.117.2.39
  • 74.48.84.119
  • 85.195.89.94
  • 74.48.78.66
  • 74.48.78.116
  • 63.245.1.34
  • 63.245.1.13
  • 63.141.234.109
  • 61.19.148.66
  • 45.61.165.157
  • 45.61.159.25
  • 45.61.154.130
  • 45.61.151.12
  • 45.61.149.62
  • 45.61.149.200
  • 45.61.134.223
  • 45.61.133.61
  • 45.61.133.31
  • 45.61.133.157
  • 45.61.132.125
  • 45.59.118.136
  • 45.146.120.213
  • 45.146.120.210
  • 45.125.67.226
  • 45.125.64.195
  • 38.71.99.145
  • 37.120.239.52
  • 212.236.17.237
  • 193.43.104.185
  • 193.239.86.146
  • 193.239.86.132
  • 172.86.80.15
  • 172.86.70.73
  • 172.86.65.145
  • 172.86.124.235
  • 172.86.108.11
  • 172.86.106.15
  • 172.86.102.83
  • 172.86.101.123
  • 167.88.175.231
  • 167.88.175.175
  • 167.88.173.58
  • 167.88.173.252
  • 167.88.172.70
  • 167.88.164.166
  • 164.82.20.53
  • 146.70.79.81
  • 146.70.79.68
  • 144.172.79.4
  • 144.172.76.213
  • 142.171.227.16
  • 14.143.247.202
  • 107.189.15.206
  • 104.194.154.222
  • 104.194.154.150
  • 104.194.153.181
  • 104.194.147.15
  • 104.194.129.137
  • 103.7.58.162
  • 103.253.40.199
  • 103.168.91.231
  • 1.222.84.29
  • 89.117.1.147
  • 45.61.134.134
  • 45.61.133.79
  • 45.61.133.77
  • 45.61.128.29
  • 45.59.120.171
  • 43.254.132.118
  • 23.227.202.253
  • 23.227.199.77
  • 23.227.196.22
  • 193.56.255.210
  • 172.86.106.39
  • 172.86.106.234
  • 167.88.173.158
  • 146.70.24.144
  • 104.194.150.26
  • 103.199.17.238
  • 59.148.233.250
  • 190.131.194.90
  • 45.125.67.144
  • 5.181.132.95
  • 5a62b764850d52e01eddf735a5768aae58408780
  • 4802edc8a5a14e7f60b2266439cc517c39f7402f
  • f2bbba1ea0f34b262f158ff31e00d39d89bbc471d04e8fca60a034cabe18e4f4
  • da692ea0b7f24e31696f8b4fe8a130dbbe3c7c15cea6bde24cccc1fb0a73ae9e
  • a1abc3d11c16ae83b9a7cf62ebe6d144dfc5e19b579a99bad062a9d31cf30bfe
  • 8b448f47e36909f3a921b4ff803cf3a61985d8a10f0fe594b405b92ed0fc21f1

Intrusion sets (APT) (1)

  • Salt Typhoon
    The MITRE Corporation Confidence 100

    [Salt Typhoon](https://attack.mitre.org/groups/G1045) is a People's Republic of China (PRC) state-backed actor that has been active since at least 2019 and responsible for numerous compromises of network infrastructure at …

    First seen 01/01/1970 · Last seen 16/11/5138 Published 16/12/2025 19:39 · Modified 27/03/2026 01:14

Techniques (MITRE) (31)

  • T1048
    Exfiltration Over Alternative Protocol
  • T1588
    Obtain Capabilities
  • T1583
    Acquire Infrastructure
  • T1136
    Create Account
  • T1572
    Protocol Tunneling
  • T1571
    Non-Standard Port
  • T1095
    Non-Application Layer Protocol
  • T1199
    Trusted Relationship
  • T1005
    Data from Local System
  • T1590
    Gather Victim Network Information
  • T1021
    Remote Services
  • T1016
    System Network Configuration Discovery
  • T1070
    Indicator Removal
  • T1564
    Hide Artifacts
  • T1082
    System Information Discovery
  • T1057
    Process Discovery
  • T1071
    Application Layer Protocol
  • T1595
    Active Scanning
  • T1543
    Create or Modify System Process
  • T1569
    System Services
  • T1098
    Account Manipulation
  • T1140
    Deobfuscate/Decode Files or Information
  • T1049
    System Network Connections Discovery
  • T1027
    Obfuscated Files or Information
  • T1553
    Subvert Trust Controls
  • T1584
    Compromise Infrastructure
  • T1562
    Impair Defenses
  • T1190
    Exploit Public-Facing Application
  • T1090
    Proxy
  • T1003
    OS Credential Dumping
  • T1059
    Command and Scripting Interpreter

Others (8)

  • New Zealand
  • Australia
  • Canada
  • United Kingdom of Great Britain and Northern Ireland
  • United States of America
  • Government
  • 2a10:1fc0:7::f19c
  • 2001:41d0:700:65dc::f656

External references