Countering Chinese State-Sponsored Actors Compromise of Networks Worldwide to Feed Global Espionage System

Chinese state-sponsored APT actors have targeted telecommunications, government, transportation, lodging, and military networks worldwide. They gain initial access by exploiting publicly known CVEs in edge routers, then use the compromised devices and trusted provider links to pivot, persist, and exfiltrate data. Reported tradecraft includes custom Go-based SFTP clients, on-box PCAP collection, Guest Shell container abuse, and GRE/IPsec tunneling to move captured traffic off the victim network. #SaltTyphoon #CVE-2023-20198

Keypoints

  • PRC state-sponsored APT actors have targeted large backbone, PE, and CE routers and leveraged compromised devices and provider-to-provider or provider-to-customer links to pivot across networks.
  • Actors frequently exploit known CVEs (e.g., CVE-2024-21887, CVE-2024-3400, CVE-2023-20273, CVE-2023-20198, CVE-2018-0171) for initial access rather than zero-days; no zero-day exploitation was observed.
  • Persistence techniques include modifying ACLs, enabling services (SSH/HTTP/HTTPS) on non-standard ports, adding SSH keys, creating local accounts, and deploying Guest Shell containers to stage tools and data.
  • Collection methods emphasize native PCAP/Embedded Packet Capture, TACACS+/RADIUS interception, SNMP enumeration/SET, and configuration/credential harvesting (including weak Cisco Type 5/7 secrets).
  • Exfiltration and C2 commonly use VPS infrastructure, multi-hop proxies (e.g., STOWAWAY), GRE/IPsec tunnels, and custom SFTP clients (cmd1, cmd3, new2, sft) to move encrypted archives to staging hosts.
  • Detection and hunt recommendations include auditing router configs, monitoring for PCAP/monitor capture commands, tracking non-standard management ports (patterns such as 22x22 or xxx22 for SSH and 18xxx for HTTPS, where x stands for any digit, plus TCP/57722), and validating firmware/image integrity.
  • Mitigations prioritize timely patching of known exploited CVEs, management-plane isolation (management VRF/CoPP), enforcing SNMPv3 and strong crypto, disabling unused services (Guest Shell, Smart Install), and centralized immutable logging.
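The config-audit, credential-harvesting and non-standard-port points above, as an added worked example that is not part of the advisory or of this summary: a Python script that walks a constructed Cisco IOS XE running-config and flags the indicators the key points name. The Type 7 reversal uses the long-public Type 7 key, which is exactly why harvested configs with "password 7" lines hand the actor cleartext credentials; the port check encodes the 22x22 / xxx22 / 18xxx / 57722 shapes from the detection bullet. The sample config, the function names, and the trusted-address sets are assumptions for illustration.

```python
import re

# Publicly documented Cisco Type 7 key material. Type 7 is reversible
# obfuscation, not a hash, so a harvested config yields cleartext.
TYPE7_KEY = "dsfd;kfoA,.iyewrkldJKDHSUBsgvca69834ncxv9873254k;fg87"

# Constructed sample running-config (not from a real device).
SAMPLE_CONFIG = """\
hostname PE1
username netops privilege 15 secret 9 $9$REDACTED
username svc-backup privilege 15 password 7 094F471A1A0A
iox
vstack
ip ssh port 22022 rotary 1
ip http secure-server
ip http secure-port 18443
snmp-server community public RO
snmp-server group NMS v3 priv
ip access-list extended MGMT-IN
 permit tcp host 10.1.1.5 any eq 22
 permit tcp host 203.0.113.77 any
tacacs server PRIMARY
 address ipv4 10.10.10.10
tacacs server SHADOW
 address ipv4 198.51.100.9
interface Tunnel100
 tunnel source Loopback0
 tunnel mode gre ip
 tunnel destination 198.51.100.9
"""


def type7_decode(enc):
    """Reverse a Type 7 string: two-digit decimal seed, then one hex byte per
    character XORed with TYPE7_KEY starting at the seed offset."""
    seed = int(enc[:2])
    out = []
    for i, pos in enumerate(range(2, len(enc), 2)):
        byte = int(enc[pos:pos + 2], 16)
        out.append(chr(byte ^ ord(TYPE7_KEY[(seed + i) % len(TYPE7_KEY)])))
    return "".join(out)


def type7_encode(plain, seed=9):
    """Forward direction, so the round trip can be checked on arbitrary input."""
    body = "".join("%02X" % (ord(c) ^ ord(TYPE7_KEY[(seed + i) % len(TYPE7_KEY)]))
                   for i, c in enumerate(plain))
    return "%02d%s" % (seed, body)


def suspicious_port(port, default):
    """Port shapes called out above: high ports ending in 22 (22x22 / xxx22),
    18xxx for HTTPS, and TCP/57722. A hunting heuristic, not an allow-list."""
    if port == default:
        return False
    return str(port).endswith("22") or 18000 <= port <= 18999 or port == 57722


def audit_config(config, trusted_aaa, trusted_mgmt):
    """Return (category, detail) findings for one running-config.
    trusted_aaa: expected TACACS+/RADIUS server IPs; trusted_mgmt: hosts
    allowed in management ACLs. Both are caller-supplied assumptions."""
    findings = []
    section = ""  # most recent unindented line, i.e. the enclosing block header
    for raw in config.splitlines():
        line = raw.rstrip()
        if not line or line.startswith("!"):
            continue
        if not line.startswith(" "):
            section = line
        m = re.match(r"username (\S+) .*password 7 ([0-9A-Fa-f]+)", line)
        if m:  # T1003 / T1110.002: reversible secret in the config
            findings.append(("type7_credential", m.group(1) + ":" + type7_decode(m.group(2))))
        if line == "iox":  # prerequisite for Guest Shell on IOS XE
            findings.append(("iox_enabled", "Guest Shell can be activated"))
        if line == "vstack":  # Smart Install left on (CVE-2018-0171 surface)
            findings.append(("smart_install_enabled", "vstack"))
        m = re.match(r"ip ssh port (\d+)", line)
        if m and suspicious_port(int(m.group(1)), 22):
            findings.append(("nonstandard_ssh_port", m.group(1)))
        m = re.match(r"ip http secure-port (\d+)", line)
        if m and suspicious_port(int(m.group(1)), 443):
            findings.append(("nonstandard_https_port", m.group(1)))
        m = re.match(r"snmp-server community (\S+) (RO|RW)", line)
        if m:  # v1/v2c community strings travel in cleartext
            findings.append(("snmp_v1v2c_community", m.group(1) + " " + m.group(2)))
        m = re.match(r" permit \S+ host (\S+)", line)
        if m and section.startswith("ip access-list") and m.group(1) not in trusted_mgmt:
            findings.append(("acl_permit_untrusted_host", m.group(1)))  # T1562.004
        m = re.match(r" address ipv4 (\S+)", line)
        if m and section.startswith("tacacs server") and m.group(1) not in trusted_aaa:
            findings.append(("tacacs_server_not_trusted", m.group(1)))  # T1556
        m = re.match(r" tunnel destination (\S+)", line)
        if m and section.startswith("interface Tunnel"):
            findings.append(("tunnel_to", section.split()[1] + " -> " + m.group(1)))  # T1572
    return findings


if __name__ == "__main__":
    for category, detail in audit_config(SAMPLE_CONFIG, {"10.10.10.10"}, {"10.1.1.5"}):
        print("%-28s %s" % (category, detail))
```

Run it against a real `show running-config` export and feed it the AAA servers and management hosts you actually expect; every finding is a config line to explain or revert. The Type 7 decode is there to make the point that a "password 7" line is equivalent to cleartext once the config has been pulled off the box.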

MITRE Techniques

  • [T1190] Exploit Public-Facing Application – Exploited publicly known CVEs to gain access (“Exploit publicly known CVEs”).
  • [T1199] Trusted Relationship – Leverage trusted connections between providers to pivot between networks (“Leverage trusted connections between providers to pivot between networks”).
  • [T1583.003] Acquire Infrastructure: Virtual Private Server – Use VPS as infrastructure for C2 and staging (“Leverage VPS as infrastructure”).
  • [T1584.008] Compromise Infrastructure: Network Devices – Compromise intermediate routers to support operations (“Compromise intermediate routers”).
  • [T1569] System Services – Execute commands via SNMP on network devices (“Executing commands via SNMP”).
  • [T1609] Container Administration Command – Use Guest Shell to load tools and as a jump point (“Use Guest Shell to load open-source tools and as a jump point for reconnaissance and follow-on actions in the environment”).
  • [T1059.006] Command and Scripting Interpreter: Python – Use Python scripts such as siet.py (“Use Python script siet.py”).
  • [T1059.008] Command and Scripting Interpreter: Network Device CLI – Use built-in CLI on network devices to execute native commands (“Use built-in CLI on network devices to execute native commands”).
  • [T1136.001] Create Account: Local Account – Create new local users on network devices for persistence (“Create new local users on network devices for persistence”).
  • [T1543.005] Create or Modify System Process: Container Service – Leverage Guest Shell Linux containers on Cisco OS (“Leverage Linux-based Guest Shell containers, natively supported in a variety of Cisco OS software”).
  • [T1098.004] Account Manipulation: SSH Authorized Keys – Add keys to SSH services to regain entry (“Regain entry into environments via SSH into network devices”).
  • [T1068] Exploitation for Privilege Escalation – Exploit CVE-2023-20273 for root privileges (“Exploit CVE-2023-20273 to gain root-level user privileges”).
  • [T1110.002] Brute Force: Password Cracking – Crack weakly protected Cisco passwords from harvested configs and reuse the credentials (“Brute force passwords with weak encryption in obtained configuration files”).
  • [T1027.010] Obfuscated Files or Information: Command Obfuscation – Obfuscate paths with double encoding to bypass detection (“Obfuscate paths with ‘double encoding’”).
  • [T1027] Obfuscated Files or Information – Obfuscate source IP addresses in logs so activity appears local (“Obfuscate source IP addresses in system logs, as actions may be recorded as originating from local IP addresses”).
  • [T1562.004] Impair Defenses: Disable or Modify System Firewall – Modify ACLs to add IPs and bypass policies (“Modify ACLs, adding IP addresses to bypass security policies and permit traffic from a threat actor-controlled IP address”).
  • [T1610] Deploy Container – Deploy a Guest Shell container on network infrastructure to persist and evade monitoring (“Deploy virtual container (e.g., Guest Shell) on network infrastructure to persist and evade monitoring services”).
  • [T1070] Indicator Removal – Delete or clear logs to avoid detection (“Delete and/or clear logs”).
  • [T1070.009] Indicator Removal: Clear Persistence – Use guestshell destroy to remove the container and its traces (“Use Guest Shell destroy command to deactivate and uninstall Guest Shell container and return all resources to the system”).
  • [T1599] Network Boundary Bridging – Abuse peering connections for exfiltration and bridging networks (“Abuse peering connections”).
  • [T1040] Network Sniffing – Passively collect PCAP from networks, especially TACACS+ and RADIUS traffic (“Passively collect packet capture (PCAP) from networks for configurations and credentials”).
  • [T1556] Modify Authentication Process – Change a router’s TACACS+ server config to an actor-controlled IP to capture credentials (“Modify a router’s TACACS+ server configuration to point to an APT actor-controlled IP address to capture authentication attempts”).
  • [T1003] OS Credential Dumping – Collect router configurations containing weak Cisco Type 7 passwords (“Collect router configuration with weak Cisco Type 7 passwords”).
  • [T1082] System Information Discovery – Use the network device CLI to gather system information (“Leverage CLI on network devices to gather system information”).
  • [T1016] System Network Configuration Discovery – Enumerate interfaces, VRFs, routing, and ACLs via CLI/SNMP (“Enumerate interfaces/VRFs/routing/ACLs and related network settings from the device CLI/SNMP”).
  • [T1021] Remote Services – Use SNMP to enumerate and alter other devices in the same community group (“Enumerate and alter the SNMP configurations for other devices in the same community group”).
  • [T1021.004] Remote Services: SSH – Enable SSH and open external-facing ports on network devices (“Enable SSH servers and open external-facing ports on network devices to maintain encrypted remote access”).
  • [T1560] Archive Collected Data – Compile captured configurations and PCAPs for staging and exfiltration (“Compile configurations and packet captures”).
  • [T1602.001] Data from Configuration Repository: SNMP (MIB Dump) – Target MIBs to collect network information via SNMP (“Target MIB to collect network information via SNMP”).
  • [T1602.002] Data from Configuration Repository: Network Device Configuration Dump – Acquire credentials by collecting device configuration dumps (“Acquire credentials by collecting network device configurations”).
  • [T1005] Data from Local System – Collect PCAP of specific ISP customer networks on the device (“Passively collect PCAP from specific ISP customer networks”).
  • [T1090] Proxy – Use VPS/proxy infrastructure for C2 (“Use VPS for C2”).
  • [T1090.003] Proxy: Multi-hop Proxy – Use tools such as STOWAWAY to build chained relays for C2 and operator access (“Leverage open source multi-hop pivoting tools, such as STOWAWAY, to build chained relays for command and control and operator access”).
  • [T1071] Application Layer Protocol – Open various application-layer services (SSH/SFTP/FTP/HTTP/HTTPS) to communicate and exfiltrate (“Open and expose a variety of different services (e.g., SSH, SFTP, FTP, HTTP, HTTPS)”).
  • [T1571] Non-Standard Port – Use non-standard/high ports to evade detection (“Utilize non-standard ports to evade detection by security monitoring tools that focus on standard port activity”).
  • [T1572] Protocol Tunneling – Create GRE/mGRE/IPsec tunnels on devices for covert channels (“Create tunnels over protocols such as GRE, mGRE, or IPsec on network devices”).
  • [T1095] Non-Application Layer Protocol – Use GRE/IPsec to carry C2 over non-application-layer protocols (“Use GRE/IPsec to carry C2 over non-application layer protocols”).
  • [T1048.003] Exfiltration Over Alternative Protocol: Exfiltration Over Unencrypted Non-C2 Protocol – Use tunnels (IPsec/GRE) to exfiltrate data (“Use tunnels, such as IPsec and GRE, to conduct C2 and exfiltration activities”).
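The technique list above maps to commands that a router actually records when command accounting and config-change logging are on. As an added example that is not part of the advisory or of this summary, the Python below tags a constructed set of such log lines with the techniques they correspond to, correlates them per user, and singles out the capture start-then-export lifecycle (T1040) and the "source appears local" pattern (T1027) that pivoting through the device itself produces. The log format is an approximation of IOS `%PARSER-5-CFGLOG_LOGGEDCMD` syslog plus a hypothetical TACACS+ accounting export; the sample lines, rule set, and function names are assumptions for illustration.

```python
import re
from collections import defaultdict

# Constructed sample: IOS config-archive syslog lines and a hypothetical
# TACACS+ command-accounting export. Not real device output.
SAMPLE_LOGS = """\
Mar 12 03:10:02 PE1 %PARSER-5-CFGLOG_LOGGEDCMD: User:svc-backup  logged command:username svc-backup privilege 15 password 7 094F471A1A0A
Mar 12 03:10:09 PE1 %PARSER-5-CFGLOG_LOGGEDCMD: User:svc-backup  logged command:ip ssh port 22022 rotary 1
Mar 12 03:10:20 PE1 %PARSER-5-CFGLOG_LOGGEDCMD: User:svc-backup  logged command:permit tcp host 203.0.113.77 any
Mar 12 03:10:31 PE1 %PARSER-5-CFGLOG_LOGGEDCMD: User:svc-backup  logged command:tacacs server SHADOW
Mar 12 03:10:32 PE1 %PARSER-5-CFGLOG_LOGGEDCMD: User:svc-backup  logged command:address ipv4 198.51.100.9
Mar 12 03:12:00 PE1 tacacs+ acct: user=svc-backup addr=10.0.0.1 cmd="monitor capture CAP interface GigabitEthernet0/0/0 both"
Mar 12 03:12:05 PE1 tacacs+ acct: user=svc-backup addr=10.0.0.1 cmd="monitor capture CAP start"
Mar 12 03:40:10 PE1 tacacs+ acct: user=svc-backup addr=10.0.0.1 cmd="monitor capture CAP export bootflash:tac.pcap"
Mar 12 03:41:00 PE1 tacacs+ acct: user=svc-backup addr=10.0.0.1 cmd="guestshell enable"
Mar 12 03:55:12 PE1 tacacs+ acct: user=svc-backup addr=10.0.0.1 cmd="guestshell destroy"
Mar 12 03:55:20 PE1 tacacs+ acct: user=svc-backup addr=10.0.0.1 cmd="clear logging"
Mar 12 08:00:00 PE1 %PARSER-5-CFGLOG_LOGGEDCMD: User:netops  logged command:interface GigabitEthernet0/0/1
Mar 12 08:00:01 PE1 %PARSER-5-CFGLOG_LOGGEDCMD: User:netops  logged command:description uplink to CE7
Mar 12 08:00:05 PE1 tacacs+ acct: user=netops addr=10.1.1.5 cmd="show ip interface brief"
"""

CFGLOG = re.compile(r"^(\w{3} +\d+ \d\d:\d\d:\d\d) (\S+) .*User:(\S+)\s+logged command:(.*)$")
ACCT = re.compile(r'^(\w{3} +\d+ \d\d:\d\d:\d\d) (\S+) .*user=(\S+) addr=(\S+) cmd="(.*)"$')

# Technique-tagged command patterns drawn from the list above (assumed mapping).
RULES = [
    ("T1040 on-box packet capture", r"\bmonitor capture \S+ (interface|match|start|export)\b"),
    ("T1609/T1610 Guest Shell use", r"\bguestshell (enable|run)\b"),
    ("T1070.009 Guest Shell destroy", r"\bguestshell destroy\b"),
    ("T1136.001 local account", r"^username \S+ .*\b(secret|password)\b"),
    ("T1098.004 SSH key", r"\bip ssh pubkey-chain\b|\bkey-string\b"),
    ("T1562.004 ACL change", r"^ip access-list\b|^permit .*\bhost \d"),
    ("T1556 AAA server change", r"^tacacs server\b|^address ipv4\b|^tacacs-server host\b"),
    ("T1571 management port", r"^ip (ssh port|http secure-port|http port) \d+"),
    ("T1572 tunnel", r"^tunnel (mode|destination)\b"),
    ("T1070 log clearing", r"^clear logging\b|^no logging\b"),
]
RULES = [(name, re.compile(pat)) for name, pat in RULES]


def parse_event(line):
    """Normalise one log line into (ts, host, user, addr, cmd); None if unrelated."""
    m = CFGLOG.match(line)
    if m:
        return m.group(1), m.group(2), m.group(3), None, m.group(4).strip()
    m = ACCT.match(line)
    if m:
        return m.group(1), m.group(2), m.group(3), m.group(4), m.group(5)
    return None


def hunt(lines, device_addrs):
    """Return events whose command matches a rule. device_addrs holds the
    device's own interface IPs: a session sourced from one of them is the
    'looks local' artefact (T1027) that pivoting through the router leaves."""
    hits = []
    for line in lines:
        ev = parse_event(line)
        if ev is None:
            continue
        ts, host, user, addr, cmd = ev
        tags = [name for name, pat in RULES if pat.search(cmd)]
        if not tags:
            continue
        if addr in device_addrs:
            tags.append("T1027 source appears local")
        hits.append({"ts": ts, "host": host, "user": user, "addr": addr, "cmd": cmd, "tags": tags})
    return hits


def techniques_by_user(hits):
    """Collapse hits to user -> set of technique tags, for triage."""
    out = defaultdict(set)
    for h in hits:
        out[h["user"]].update(h["tags"])
    return dict(out)


def capture_exporters(hits):
    """Users who both started a capture and exported it: the full collection
    lifecycle rather than a one-off troubleshooting capture."""
    started, exported = set(), set()
    for h in hits:
        if re.search(r"\bmonitor capture \S+ start\b", h["cmd"]):
            started.add(h["user"])
        if re.search(r"\bmonitor capture \S+ export\b", h["cmd"]):
            exported.add(h["user"])
    return started & exported


if __name__ == "__main__":
    found = hunt(SAMPLE_LOGS.splitlines(), device_addrs={"10.0.0.1"})
    for user, tags in sorted(techniques_by_user(found).items()):
        print(user, sorted(tags))
    print("capture exporters:", capture_exporters(found))
```

A single tag is noise (operators do run captures); a user who accumulates account creation, an AAA server change, a capture export and a `clear logging` inside one shift is the combination worth an incident ticket. The per-user rollup is also only as good as the log source: the advisory's recommendation of centralized, immutable logging is what keeps `clear logging` on the box from erasing these lines.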

Indicators of Compromise

  • [IP Addresses] APT-associated infrastructure from Aug 2021–Jun 2025 – examples: 1.222.84[.]29, 167.88.173[.]252 (and many others listed in the advisory)
  • [File Hashes] Custom SFTP client binaries – cmd1 MD5 33e692f435d6cf3c637ba54836c63373, cmd3 MD5 eba9ae70d1b22de67b0eba160a6762d8; SHA-256 hashes: cmd1 f2bbba1e…, cmd3 8b448f47… (and the other clients new2, sft)
  • [File Names] On-box capture and staging filenames – mycap (capture name), tac.pcap (exported PCAP filename), 1.pcap
  • [Network/Port Indicators] Management and actor-favored ports and services – SSH on high non-default ports (22x22/xxx22 patterns, x being any digit), HTTPS on high ports (18xxx), TCP/57722 sshd_operns on IOS XR, TACACS+ on TCP/49
  • [Yara/IDS Rules] Detection signatures – Cmd1 Yara rule strings (e.g., “monitor capture CAP”, “main.CapExport”) and a Snort rule for CVE-2023-20198 HTTP POST requests to webui_wsma endpoints

Read more: https://www.cisa.gov/news-events/cybersecurity-advisories/aa25-239a