The National Security Agency (NSA) and other U.S. and foreign organisations are releasing a joint Cybersecurity Advisory to expose advanced persistent threat (APT) actors sponsored by the Chinese government targeting telecommunications, government, transportation, lodging, and military infrastructure networks globally and outline appropriate mitigation guidance.

The malicious activity outlined in the advisory partially overlaps with cybersecurity industry reporting on Chinese state-sponsored threat actors referred to by names such as Salt Typhoon.

These activities have been linked to multiple China-based entities—including Sichuan Juxinhe Network Technology Co. Ltd., Beijing Huanyu Tianqiong Information Technology Co., Ltd., and Sichuan Zhixin Ruijie Network Technology Co., Ltd.—which provide cyber products and services to China’s Ministry of State Security and People’s Liberation Army.

The CSA, “Countering Chinese State-Sponsored Actors Compromise of Networks Worldwide to Feed Global Espionage System,” details specific tactics, techniques, and procedures (TTPs) these actors have been found using for initial exploitation, persistence, collection, and exfiltration. Indicators of compromise (IOCs) and common vulnerabilities and exposures (CVEs) exploited by the APT actors are also detailed.

Further, the report provides threat hunting guidance and specific mitigations that organisations are encouraged to implement to search for malicious activity and reduce the threat of Chinese state-sponsored and other APT actors.

These recommendations are especially important for network defenders of telecommunications and critical infrastructure organisations to discover unknown intrusions and prevent undetected malicious activity on their networks.

By utilising the outlined guidance, organisations can also better provide compromise details information to appropriate authorities to continue improving all parties’ understanding of initial access methods.

When threat hunting, the authoring agencies advise that organisations gain a full understanding of the APT actors’ accesses before implementing visible incident response and mitigation actions to maximise the chance of achieving full eviction from compromised networks.

This CSA is being released by the following authoring and co-sealing agencies:

United States National Security Agency (NSA)

United States Cybersecurity and Infrastructure Security Agency (CISA)

United States Federal Bureau of Investigation (FBI)

United States Department of Defense Cyber Crime Center (DC3)

Australian Signals Directorate’s Australian Cyber Security Centre (ASD’s ACSC)

Canadian Centre for Cyber Security (Cyber Centre)

Canadian Security Intelligence Service (CSIS)

New Zealand National Cyber Security Centre (NCSC-NZ)

United Kingdom National Cyber Security Centre (NCSC-UK)

Czech Republic National Cyber and Information Security Agency (NÚKIB)

Finnish Security and Intelligence Service (SUPO)

Germany Federal Intelligence Service (BND)

Germany Federal Office for the Protection of the Constitution (BfV)

Germany Federal Office for Information Security (BSI)

Italian External Intelligence and Security Agency (AISE)

Italian Internal Intelligence and Security Agency (AISI)

Japan National Cyber Office (NCO)

Japan National Police Agency (NPA)

Netherlands Defence Intelligence and Security Service (MIVD)

Netherlands General Intelligence and Security Service (AIVD)

Polish Military Counterintelligence Service (SKW)

Polish Foreign Intelligence Agency (AW)

Spain National Intelligence Centre (CNI)