Cybersecurity organizations FBI and CISA issue alert about potential Chinese government-backed cyber attacks targeting the telecommunications sector
In recent months, a series of cyber threats has been targeting network devices, with state-sponsored actors exploiting vulnerabilities in Pulse Secure devices, Citrix products, and other network devices from providers such as Cisco, Fortinet, Netgear, and MikroTik.
These threats have been particularly concerning for the defense industry, where vulnerabilities in Pulse Secure devices have previously been used for targeted attacks. The National Guard went nine months without noticing that its network had been accessed, indicating that state-sponsored actors like Salt Typhoon could exploit such vulnerabilities for cascading compromises across state cybersecurity agencies and fusion centers.
The servers compromised by these threats give the threat actors access to operational email accounts and the ability to host Command and Control (C2) domains. With the credentials they obtain, the threat actors can reroute traffic to infrastructure they control.
The threat actors are using open-source tools such as RouterSploit and RouterScan for reconnaissance and vulnerability scanning. Relying on these tools lets them avoid deploying their own distinctive or identifying malware while they exploit devices before targeted organizations update their systems. This strategy allows them to remain undetected for extended periods.
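As an added illustration of the reconnaissance pattern described above (example code, not from the alert or this article), the routine below runs over constructed firewall deny logs and flags any source that probes several devices on several management ports within a short window, which is what an automated router scanner looks like from the defender's side; the log format, the port list and the thresholds are assumptions to adapt to your own estate.

```python
"""Flag router/NAS reconnaissance scans in constructed firewall deny logs."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Management/service ports commonly exposed on SOHO routers and NAS devices
# (assumption, adjust per estate; 8291/8728 are MikroTik Winbox/API, 5000/5001 a common NAS web UI).
DEVICE_PORTS = {22, 23, 80, 443, 8080, 8291, 8728, 5000, 5001}

# Assumed log format: "<ISO timestamp> DENY src=<ip> dst=<ip> dport=<port>"
LOG_RE = re.compile(r"^(?P<ts>\S+) DENY src=(?P<src>[\d.]+) dst=(?P<dst>[\d.]+) dport=(?P<dport>\d+)$")


def parse(line):
    """Return (timestamp, src, dst, dport) or None for lines that do not match."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    return datetime.fromisoformat(m["ts"]), m["src"], m["dst"], int(m["dport"])


def detect_scanners(lines, window=timedelta(minutes=5), min_hosts=3, min_ports=3):
    """Return {src: (distinct_hosts, distinct_ports)} for sources that, within
    `window`, hit at least min_hosts devices on at least min_ports device ports.
    Slow probes spread beyond the window are deliberately not flagged here."""
    by_src = defaultdict(list)
    for line in lines:
        rec = parse(line)
        if rec and rec[3] in DEVICE_PORTS:  # ignore non-management traffic
            by_src[rec[1]].append(rec)
    flagged = {}
    for src, recs in by_src.items():
        recs.sort()  # chronological; sliding window over events
        start = 0
        for end in range(len(recs)):
            while recs[end][0] - recs[start][0] > window:
                start += 1
            win = recs[start:end + 1]
            hosts, ports = {r[2] for r in win}, {r[3] for r in win}
            if len(hosts) >= min_hosts and len(ports) >= min_ports:
                flagged[src] = (len(hosts), len(ports))
                break
    return flagged


# Constructed sample: one fast scanner, one legitimate admin, one slow prober.
SAMPLE_LOGS = [
    "2025-08-01T10:00:00 DENY src=203.0.113.7 dst=10.0.0.1 dport=22",
    "2025-08-01T10:00:05 DENY src=203.0.113.7 dst=10.0.0.2 dport=23",
    "2025-08-01T10:00:10 DENY src=203.0.113.7 dst=10.0.0.3 dport=8291",
    "2025-08-01T10:00:15 DENY src=203.0.113.7 dst=10.0.0.1 dport=443",
    "2025-08-01T10:01:00 DENY src=10.0.0.50 dst=10.0.0.1 dport=443",
    "2025-08-01T10:02:00 DENY src=10.0.0.50 dst=10.0.0.1 dport=443",
    "2025-08-01T10:00:00 DENY src=198.51.100.9 dst=10.0.0.1 dport=22",
    "2025-08-01T10:30:00 DENY src=198.51.100.9 dst=10.0.0.2 dport=23",
    "2025-08-01T11:00:00 DENY src=198.51.100.9 dst=10.0.0.3 dport=80",
    "not a firewall line",
]

if __name__ == "__main__":
    print(detect_scanners(SAMPLE_LOGS))  # {'203.0.113.7': (3, 3)}
```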
The attacks have focused on small office/home office (SOHO) routers and network attached storage (NAS) devices. By leveraging known Common Vulnerabilities and Exposures (CVEs), threat actors can run exploit code against virtual private networks or public-facing applications.
Just last month, researchers warned of vulnerabilities in network devices, and in August 2025, Citrix disclosed three new vulnerabilities in its NetScaler ADC and NetScaler Gateway products. Microsoft also actively patched critical vulnerabilities, including a SharePoint zero-day (CVE-2025-53770) that had been exploited since early July, affecting numerous organizations.
State-sponsored threat actors backed by the People's Republic of China have been conducting widespread cyber campaigns since 2020. For instance, Cyclops Blink, a Russia-linked botnet, used ASUS routers and WatchGuard firewall appliances to launch attacks. The DOJ announced an operation in April to disrupt the botnet.
Moreover, threat actors have been accessing compromised servers from various China-based internet protocol addresses that point to different Chinese internet service providers (ISPs).
To mitigate these threats, federal authorities advise organizations to keep products updated and patched, disable unused ports, disconnect devices that may be compromised, and apply multifactor authentication. By following these guidelines, organizations can significantly reduce their risk of falling victim to these cyber threats.