On August 27, 2025, the Cybersecurity and Infrastructure Security Agency (CISA), in coordination with the National Security Agency (NSA), the Federal Bureau of Investigation (FBI), and the United States Department of Defense Cyber Crime Center (DC3) issued a joint advisory (Advisory) highlighting increased cyber threat activity linked to People’s Republic of China (PRC) affiliated threat actors. The Advisory was co-authored and endorsed by international cybersecurity partners from Australia, Canada, New Zealand, the United Kingdom, the Czech Republic, Finland, Germany, Italy, Japan, the Netherlands, Poland, and Spain.
The Advisory warns that PRC state-sponsored cyber threat actors are actively targeting networks globally across a wide range of sectors, including telecommunications, government, transportation, lodging, and military infrastructure networks. These actors are known to exploit publicly disclosed vulnerabilities in edge devices—particularly routers—to gain initial access. Routers often lack the robust monitoring typically applied to endpoints or servers, making them attractive targets for stealthy intrusions.
Once inside organizations’ environments, the threat actors “leverage compromised devices and trusted connections to pivot into other networks” and employ sophisticated evasion techniques, such as modifying router configurations for lateral movement and using non-standard ports, to maintain long-term access for espionage and potential disruption. These tactics include “living off the land,” utilizing legitimate (stolen) credentials and open-source tools that frequently bypass antivirus or endpoint detection and response solutions. Additionally, they are adept at manipulating or deleting logs to erase traces of their activity.
This Advisory comes on the heels of the widely reported infiltration of multiple U.S. telecom agencies by the suspected PRC-affiliated threat actor, Salt Typhoon. Attacks against critical infrastructure by PRC-based threat actors have been prevalent for multiple years, as evidenced by increased activity from the groups Volt Typhoon, which is known for infiltrating U.S.-based critical infrastructure—including electrical and water distribution systems—and Flax Typhoon, which was recently sanctioned by the Treasury’s Office of Foreign Assets Control (OFAC) for its extensive botnet activities. This Advisory makes clear that PRC-backed threat actors are expanding their focus beyond telecommunications and critical infrastructure to other industries.
The Advisory strongly urges network defenders to proactively hunt for malicious activity and implement recommended mitigations to reduce the threat from PRC-affiliated actors. It also emphasizes the importance of understanding the full scope of a compromise before initiating remediation, as proper sequencing of mitigation steps will help maximize the chances of fully evicting the threat actors from the network. Although the Advisory provides a robust set of technical mitigations for entities to follow, it encourages organizations to implement the following general recommendations to protect against PRC-affiliated cybersecurity attacks:
- Regularly review network device (especially router) logs and configurations for evidence of any unexpected, unapproved, or unusual activity, especially for the activities listed in the Advisory.
- Employ a robust change management process—including periodic auditing of device configurations.
- Attempt to identify the full scope of a suspected compromise before mitigating. Threat hunting and incident response efforts should be balanced against the total potential malicious activity with the goals of full eviction and minimizing damage.
- Disable outbound connections from management interfaces to limit possible lateral movement activity.
- Disable all unused ports and protocols, including both traffic protocols and management protocols.
- Only use encrypted and authenticated management protocols (e.g., SSH, SFTP/SCP, HTTPS) and disable all others (e.g., Telnet, FTP, HTTP).
- Change default administrative credentials, especially for network appliances or other network devices.
- Require public-key authentication for administrative roles, disable password authentication where feasible, and minimize authentication attempts and lockout windows to slow brute force and credential spray attempts.
- Use the vendor-recommended version of network device operating systems and keep it updated with all patches. Upgrade unsupported network devices to ones that are supported by the vendor with security updates.
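A defender-side configuration audit covering several of the recommendations above (encrypted-only management, no default credentials, throttled login attempts), written as an added example that is not part of the Advisory or the firm's text. It assumes Cisco IOS-style configuration syntax; both config excerpts are constructed for illustration.

```python
import re

# Constructed IOS-style running-config excerpt with the weak settings the
# recommendations above tell defenders to remove (not taken from any real device).
WEAK_CONFIG = """\
hostname edge-rtr-1
username admin privilege 15 password 0 admin
ip http server
no ip http secure-server
ip ssh version 1
line vty 0 4
 transport input telnet ssh
 login local
"""

# Constructed hardened counterpart; the secret hash is a placeholder.
HARDENED_CONFIG = """\
hostname edge-rtr-1
username netops privilege 15 secret 9 PLACEHOLDER_HASH
no ip http server
ip http secure-server
ip ssh version 2
login block-for 120 attempts 3 within 60
line vty 0 4
 transport input ssh
 login local
"""

# Lines whose presence indicates a weak setting.
WEAK_PATTERNS = {
    "HTTP management enabled (use HTTPS only)": r"^ip http server$",
    "Telnet allowed on VTY lines (use SSH only)": r"^\s*transport input .*\b(telnet|all)\b",
    "SSH version 1 enabled": r"^ip ssh version 1$",
    "Default administrative credential present": r"^username admin .*password 0 admin$",
}
# Lines whose absence indicates a missing control.
REQUIRED_PATTERNS = {
    "No login throttling (login block-for missing)": r"^login block-for \d+ attempts \d+ within \d+$",
    "HTTPS management not enabled": r"^ip http secure-server$",
}

def audit_config(text):
    """Return the findings for a running-config, in the order the checks are defined."""
    lines = text.splitlines()
    findings = [f for f, p in WEAK_PATTERNS.items() if any(re.match(p, ln) for ln in lines)]
    findings += [f for f, p in REQUIRED_PATTERNS.items() if not any(re.match(p, ln) for ln in lines)]
    return findings
```

Run `audit_config` over a real export of `show running-config` to get the same finding list; the hardened excerpt produces none.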
Organizations are encouraged to maintain a high level of readiness during this time of increased international tension and a heightened threat posture. The Alston & Bird Cyber, Privacy, and Data Strategy team will continue to monitor the situation and will provide updates as they develop.