China’s global “listening post”: what today’s joint advisory really says
A coalition of cyber agencies (including the UK’s NCSC) has confirmed that Chinese state-sponsored hackers have quietly turned everyday network gear—especially internet routers—into a worldwide espionage system. They did it mostly by exploiting known security flaws and weak configurations, then hiding in plain sight to siphon communications data over long periods.
What happened
A joint Cybersecurity Advisory released today by the US, UK and international partners sets out how PRC-backed “advanced persistent threat” (APT) actors—overlapping with names you may have seen like Salt Typhoon and GhostEmperor—compromised telecoms, government, transport, lodging and military networks across many countries, including the UK. Their goal: build persistent access so they can monitor who’s talking to whom, where, and when.
How the campaign works—in human terms
Think of the internet as a rail network and routers as the signal boxes. The actors found signal boxes with old locks (unpatched devices or weak settings), slipped in, added their own keys (new admin accounts, SSH tunnels), then quietly mirrored traffic or rerouted it through covert “sidings” (GRE/IPsec tunnels) to collection points. Much of this required no new “spy gadgets”—just exploiting already-known vulnerabilities and sloppy configurations.
Initial access: mostly public, known CVEs on edge devices (e.g., Ivanti, Palo Alto PAN-OS, Cisco IOS XE), not exotic zero-days.
Persistence: added or manipulated access-control lists, enabled management services on unusual ports (e.g., high-numbered HTTPS/SSH), and sometimes used on-device Linux containers (“Guest Shell”) to stash tools.
Collection: captured admin logins (e.g., TACACS+/RADIUS) and mirrored in-flight network traffic; staged data for exfiltration via encrypted tunnels that blend in with normal backbone noise.
Key detail: the advisory lists specific CVEs (e.g., CVE-2024-21887, CVE-2024-3400, CVE-2023-20198/2023-20273, CVE-2018-0171) and provides hunting tips (look for TACACS+ on TCP/49, unexpected SSH on high ports like “22x22”, GRE/IPsec tunnels you didn’t authorise).
Why it matters
This isn’t about one company or a single breach. It’s the digital equivalent of planting long-term wiretaps inside the world’s communications backbone. Intelligence gathered from these footholds can map relationships, movements and sensitive operations—across borders and sectors—with little chance of quick detection.
The UK compliance angle (for non-specialists)
The advisory explicitly points UK organisations to NCSC’s Cyber Assessment Framework (CAF) and Ofcom’s Telecommunications Security Act (TSA) guidance as the baseline for defence and assurance. For most businesses outside critical telecoms, Cyber Essentials Plus (CE+) covers the same hygiene layer (secure configuration, access control, patching, malware prevention, and logging)—which, crucially, blocks the exact sorts of basic routes used in this campaign.
What to do next (simple, high-impact steps)
Patch edge devices first, not last. Prioritise internet-facing firewalls, VPNs, and routers against the CVEs called out in the advisory; verify versions, not just “we think it’s patched”.
Lock down management planes. Put SSH/HTTPS/SNMP into a dedicated management network/VRF; block egress from those interfaces; enforce SNMPv3, strong ciphers, and AAA (TACACS+/RADIUS) with logging.
Hunt for quiet persistence. Alert on TACACS+ traffic to unknown IPs, SSH listeners on odd high ports, new tunnels (GRE/IPsec), on-box packet captures (“mycap.pcap”, “tac.pcap”), or sudden log gaps.
Prove baseline compliance. Use NCSC CAF for critical functions and aim for CE+ for broader estates; they’re designed to convert “basic hygiene” into auditable assurance that stops this sort of thing.
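The hunting tips in the "Key detail" and "Hunt for quiet persistence" items above can be turned into a repeatable check. The script below is an added example, not tooling from the advisory or from NCSC, and it runs entirely over constructed sample data: a few flow records in an assumed "src= dst= proto= dport=" format, a short router configuration snapshot, and a flash directory listing. The allow-lists of approved AAA servers and tunnel peers are assumed values an operator would fill in from their own inventory; the IOS-style command names matched (ip ssh port, ip http secure-port, iox, app-hosting appid, tunnel destination) are real command prefixes, but the config snippet itself is constructed.

```python
import re
from dataclasses import dataclass

# Constructed allow-lists (assumed values, not from the advisory): the AAA
# servers and tunnel endpoints the operator has actually authorised.
APPROVED_AAA_SERVERS = {"10.0.0.5"}
APPROVED_TUNNEL_PEERS = {"10.0.0.9"}
AAA_PORTS = {("tcp", 49), ("udp", 1812), ("udp", 1813)}  # TACACS+, RADIUS auth/acct
TUNNEL_PROTOS = {"gre", "esp"}                             # GRE (IP proto 47), IPsec ESP (50)


@dataclass(frozen=True)
class Finding:
    kind: str
    detail: str


# Assumed flow-record layout; adapt the regex to your NetFlow/IPFIX exporter.
FLOW_RE = re.compile(r"src=(\S+) dst=(\S+) proto=(\w+)(?: dport=(\d+))?")


def hunt_flows(lines):
    """Flag AAA traffic to unknown servers and tunnels to unapproved peers."""
    findings = []
    for line in lines:
        m = FLOW_RE.search(line)
        if not m:
            continue
        src, dst, proto, dport = m.group(1), m.group(2), m.group(3).lower(), m.group(4)
        if dport and (proto, int(dport)) in AAA_PORTS and dst not in APPROVED_AAA_SERVERS:
            findings.append(Finding("aaa_to_unknown", f"{src} -> {dst} {proto}/{dport}"))
        if proto in TUNNEL_PROTOS and dst not in APPROVED_TUNNEL_PEERS:
            findings.append(Finding("unapproved_tunnel", f"{src} -> {dst} {proto}"))
    return findings


def hunt_config(config_text):
    """Flag management services moved to odd ports, container hosting that
    could carry a Guest Shell, and tunnel destinations outside the allow-list."""
    findings = []
    for raw in config_text.splitlines():
        line = raw.strip()
        m = re.match(r"ip ssh port (\d+)", line)
        if m and int(m.group(1)) != 22:
            findings.append(Finding("ssh_nonstandard_port", line))
        m = re.match(r"ip http secure-port (\d+)", line)
        if m and int(m.group(1)) != 443:
            findings.append(Finding("https_nonstandard_port", line))
        # IOx/app-hosting is a prerequisite for Guest Shell; review, do not assume malice.
        if line == "iox" or line.startswith("app-hosting appid"):
            findings.append(Finding("container_hosting_enabled", line))
        m = re.match(r"tunnel destination (\S+)", line)
        if m and m.group(1) not in APPROVED_TUNNEL_PEERS:
            findings.append(Finding("unapproved_tunnel", line))
    return findings


def hunt_storage(dir_listing):
    """Flag packet captures left on device storage (e.g. mycap.pcap, tac.pcap)."""
    findings = []
    for line in dir_listing.splitlines():
        parts = line.split()
        if parts and parts[-1].lower().endswith(".pcap"):
            findings.append(Finding("onbox_pcap", parts[-1]))
    return findings


# --- Constructed sample input (TEST-NET addresses, invented file names) ---
FLOWS = [
    "2024-01-01T00:00:01Z src=10.0.0.1 dst=10.0.0.5 proto=tcp dport=49",       # approved TACACS+
    "2024-01-01T00:00:02Z src=10.0.0.1 dst=203.0.113.7 proto=tcp dport=49",    # TACACS+ to unknown host
    "2024-01-01T00:00:03Z src=10.0.0.1 dst=10.0.0.9 proto=gre",                # approved tunnel
    "2024-01-01T00:00:04Z src=10.0.0.1 dst=198.51.100.20 proto=gre",           # unapproved GRE
    "2024-01-01T00:00:05Z src=10.0.0.1 dst=192.0.2.33 proto=esp",              # unapproved IPsec
    "2024-01-01T00:00:06Z src=10.0.0.1 dst=10.0.0.5 proto=udp dport=1812",     # approved RADIUS
]
CONFIG = """hostname edge-rtr-1
ip ssh port 22122 rotary 1
ip http secure-port 8443
iox
app-hosting appid guestshell
interface Tunnel99
 tunnel mode gre ip
 tunnel destination 198.51.100.20
interface Tunnel1
 tunnel destination 10.0.0.9
"""
DIR_LISTING = """Directory of flash:/
  1  -rw-  12345  Jan 1 2024  packages.conf
  2  -rw-  98765  Jan 1 2024  mycap.pcap
  3  -rw-   4321  Jan 1 2024  tac.pcap
"""


def run_hunt():
    """Run all three hunts over the constructed samples and return the findings."""
    return hunt_flows(FLOWS) + hunt_config(CONFIG) + hunt_storage(DIR_LISTING)


if __name__ == "__main__":
    for f in run_hunt():
        print(f"{f.kind:28s} {f.detail}")
```

Each check maps to one indicator from the advisory summary above: AAA traffic leaving for a server you did not deploy, SSH or HTTPS answering on a port nobody configured, tunnel endpoints absent from your change records, and .pcap files sitting in flash. Treat hits as review items to reconcile against change management rather than as proof of compromise.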
No vendor-bashing, just realism
The advisory notes Cisco-specific hardening steps because many backbones run Cisco—but the tactics apply across vendors. The core message is universal: attackers are winning on the basics we already know to implement—and to audit.
Want more briefings like this?
If this helped demystify the headlines, subscribe to The Control Layer for clear, UK-aligned cyber explainers, practical checklists, and board-friendly action plans.