A coalition of international cybersecurity agencies led by the UK’s National Cyber Security Centre (NCSC) has publicly linked three China-based technology companies to a long-running global cyberattack campaign.

In a new advisory, the NCSC and partners from twelve other countries (the United States, Australia, Canada, New Zealand, the Czech Republic, Finland, Germany, Italy, Japan, the Netherlands, Poland and Spain) shared technical details of a campaign that has targeted critical networks since at least 2021.

The attacks have affected several high-profile organisations around the world in sectors including government, telecommunications, transportation and military infrastructure. The stolen data could ultimately give Chinese intelligence services the ability to track communications and movements on a global scale.

An Unrestrained Campaign

According to the advisory (PDF), the three China-based companies, “Sichuan Juxinhe Network Technology Co Ltd,” “Beijing Huanyu Tianqiong Information Technology Co,” and “Sichuan Zhixin Ruijie Network Technology Co Ltd,” provide cyber-related services to China’s intelligence agencies.

NCSC chief executive Dr. Richard Horne expressed deep concern, stating that this activity is an “unrestrained campaign of malicious cyber activities on a global scale.” The campaign partially overlaps with a group commonly known as Salt Typhoon. Other groups linked to this campaign include the following:

A key finding, per the US National Security Agency’s press release, is that the attackers have succeeded not with new or sophisticated tooling, but by exploiting old, well-known vulnerabilities for which security updates have long been available and that organisations should already have applied.

The campaign exploited known flaws in internet-facing network devices from Ivanti (CVE-2024-21887, in Connect Secure and Policy Secure), Palo Alto Networks (CVE-2024-3400, in PAN-OS) and Cisco (CVE-2023-20273 and CVE-2023-20198 in IOS XE, and CVE-2018-0171 in Smart Install).

This means that many of these intrusions could have been prevented by timely patching. Rather than developing new techniques, the attackers simply exploit weaknesses that have been left unpatched on exposed devices.

What Organisations Can Do

Given the seriousness of the threat, the agencies are urging organisations to act immediately and to proactively hunt for malicious activity on their networks rather than wait for an alert.

The advisory also carries a specific warning: before attempting to remove the attackers, organisations should gain a full understanding of their presence across the network, so that the resulting “eviction” is complete rather than partial.

The advisory also stresses the importance of ensuring that internet-facing devices are properly secured and that all available security updates are applied. As Dr. Horne emphasised, network defenders must remain vigilant and continuously review their systems for any signs of unusual activity.
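The two recommendations above (inventory exposed devices, confirm they are on a fixed build) are easy to get wrong when a vendor fixes a CVE at a different build in each release train. The following is an added example, not code from the advisory, the NCSC or Hackread: a Python check that compares a constructed inventory of PAN-OS and IOS XE devices against two of the CVEs named in the article, picking the fixed build for the device's own train and refusing to call an unlisted train "safe". The fixed-build values in the table, the version-string format assumed by the regex, and the hostnames are all assumptions for illustration; take the authoritative fixed versions from the vendor advisories before relying on the result.

```python
import re

# Added example, not code from the advisory or from Hackread.
# CVE -> (affected product, first fixed build per release train).
# ASSUMED values for illustration: confirm them against the vendor advisory.
FIXED_BUILDS = {
    "CVE-2024-3400": ("PAN-OS", {
        "10.2": "10.2.9-h1", "11.0": "11.0.4-h1", "11.1": "11.1.2-h3"}),
    "CVE-2023-20198": ("IOS XE", {
        "16.12": "16.12.10a", "17.3": "17.3.8a",
        "17.6": "17.6.6a", "17.9": "17.9.4a"}),
}

# Assumed version formats: "17.9.4", "17.9.4a" (IOS XE rebuild letter)
# and "10.2.9-h1" (PAN-OS hotfix). Anything else is reported, not guessed.
_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:-h(\d+))?([a-z])?$")


def version_key(version):
    """Turn a vendor version string into a tuple that sorts correctly.

    Numeric components first, then hotfix number (-hN), then rebuild letter,
    so 10.2.9 < 10.2.9-h1 < 10.2.10 and 17.9.4 < 17.9.4a.
    Returns None for strings the regex does not understand.
    """
    m = _VERSION_RE.match(version.strip())
    if not m:
        return None
    major, minor, maint, hotfix, letter = m.groups()
    return (int(major), int(minor), int(maint),
            int(hotfix) if hotfix else 0,
            ord(letter) - ord("a") + 1 if letter else 0)


def assess_device(product, version):
    """Return [(cve, status)] for one device.

    Statuses: VULNERABLE, PATCHED, UNLISTED_TRAIN (the device's release train
    is not in the fixed table: check the advisory, do not assume it is safe),
    UNPARSEABLE (version string not understood: verify by hand).
    """
    findings = []
    key = version_key(version)
    for cve, (affected_product, trains) in FIXED_BUILDS.items():
        if affected_product != product:
            continue
        if key is None:
            findings.append((cve, "UNPARSEABLE"))
            continue
        train = f"{key[0]}.{key[1]}"
        fixed = trains.get(train)
        if fixed is None:
            findings.append((cve, "UNLISTED_TRAIN"))
        elif key < version_key(fixed):
            findings.append((cve, "VULNERABLE"))
        else:
            findings.append((cve, "PATCHED"))
    return findings


def assess_inventory(inventory):
    """Run assess_device over a list of {"host", "product", "version"} records."""
    return [(d["host"], cve, status)
            for d in inventory
            for cve, status in assess_device(d["product"], d["version"])]


# Constructed sample inventory; the hostnames and versions are made up.
SAMPLE_INVENTORY = [
    {"host": "fw-edge-1",    "product": "PAN-OS", "version": "10.2.8"},
    {"host": "fw-edge-2",    "product": "PAN-OS", "version": "11.1.2-h3"},
    {"host": "rtr-branch-7", "product": "IOS XE", "version": "17.9.3"},
    {"host": "rtr-branch-8", "product": "IOS XE", "version": "17.9.4a"},
    {"host": "rtr-lab-1",    "product": "IOS XE", "version": "17.12.1"},
    {"host": "rtr-old-1",    "product": "IOS XE", "version": "unknown"},
]

if __name__ == "__main__":
    for host, cve, status in assess_inventory(SAMPLE_INVENTORY):
        print(f"{host:14} {cve:15} {status}")
```

A passing version check only says the device is no longer exploitable through that CVE; it says nothing about whether it was already compromised while unpatched, which is why the advisory pairs patching with threat hunting and a full understanding of the attackers' presence before eviction.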

Expert Analysis

John Hultquist, the Chief Analyst at Google’s Threat Intelligence Group, provided a statement exclusively to Hackread.com, offering further insight into the threat. He noted that the hacking group has a “unique advantage” in evading detection because of its deep expertise in telecommunications systems.

According to Hultquist, Chinese cyber espionage is powered by an “ecosystem of contractors, academics, and other facilitators” who are used to create tools and carry out the attacks. He explained that this model has allowed their operations to grow to an “unprecedented scale.”

Hultquist also highlighted that the reported targeting of hospitality and transportation sectors suggests a goal beyond corporate espionage: gathering information to “closely surveil individuals” and build a complete picture of who they are communicating with, their location, and where they travel.
