Attack encyclopedia | 6 min read

Chinese APT campaign against network equipment providers - analysis and takeaways

Analysis of the Chinese APT campaign targeting network device providers worldwide - attack techniques, exploited vulnerabilities, supply chain implications, and defensive recommendations.

Józef Sulwiński
Tags: APT, China, supply chain, network devices

In June 2022, CISA, NSA, and FBI issued a joint advisory (AA22-158A) describing a broad campaign by Chinese APT groups targeting network and telecommunications equipment providers. The campaign, ongoing since at least 2020, involved the compromise of routers, switches, firewalls, and NAS devices from vendors including Cisco, Fortinet, Netgear, MikroTik, QNAP, and Zyxel.

This was not an attack on one company or one sector. It was a systematic operation to build positions within global network infrastructure - creating a network of footholds from which to conduct intelligence operations, intercept network traffic, and prepare future offensive actions.

Anatomy of the campaign

Initial vector - known vulnerabilities

The actors behind this campaign did not need zero-days. They systematically exploited known vulnerabilities for which vendor patches already existed, on devices administrators had not updated. Not every row below comes from AA22-158A itself: that advisory's table covers network devices only, while the Hikvision and Exchange entries are from CISA's October 2022 list of the top CVEs exploited by PRC state-sponsored actors:

CVE                  | Product                         | Vulnerability type                  | CVSS v3
CVE-2018-0171        | Cisco IOS, IOS XE               | Smart Install RCE                   | 9.8
CVE-2019-11510       | Pulse Secure VPN                | Arbitrary file read                 | 10.0
CVE-2019-15271       | Cisco Small Business RV Series  | RCE                                 | 8.8
CVE-2019-1652 / 1653 | Cisco Small Business RV320/325  | Command injection / info disclosure | 7.2 / 5.3
CVE-2020-8515        | DrayTek Vigor                   | Pre-auth RCE                        | 9.8
CVE-2021-36260       | Hikvision cameras               | Command injection                   | 9.8
CVE-2021-26855       | Microsoft Exchange (ProxyLogon) | SSRF / RCE                          | 9.8

It is worth noting: the oldest vulnerability in this table dates from 2018. When the advisory was published in 2022, its patch had been available for four years.

WARNING

Every vulnerability in the table above was patched by the vendor before it was exploited in this campaign, most of them a year or more earlier. The problem was not a lack of knowledge about the threat, but the absence of a systematic update process for network devices.

Persistence techniques

After gaining initial access, the attackers employed advanced persistence techniques:

Router firmware modification. Attackers have been observed replacing the image on Cisco routers with a modified one, so that the implant becomes part of the running operating system rather than a process on top of it. Such an implant survives reboots and configuration resets, and it evades any check that relies on the compromised image to report on itself; only comparing the image hash against the vendor's published value, from outside the device, reveals it.

Traffic tunneling. Attackers configured tunnels and proxies on compromised devices and routed traffic through them. To the network operator the flows looked like ordinary routed traffic; in fact they carried exfiltrated data and command-and-control communication.

Living off the land. Reconnaissance and configuration theft used only the device's own tooling: the CLI, SNMP, and TFTP. Because no additional software was installed, there were no malware artifacts for anti-malware tools to find; the evidence existed only in device logs and in the network traffic itself.
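Because the three techniques above leave nothing on disk, the practical detection surface is the traffic the device itself originates. The script below, an added example that is not part of the original article, applies three rules to flow records (NetFlow/IPFIX-style fields): TFTP from a device to anything outside the management network, a GRE or IPsec tunnel to a peer that was never approved, and a device opening TCP/UDP connections to the internet on a port it has no business using. The inventory, subnets, tunnel allowlist and flow records are all constructed for the example.

```python
"""Detect device-originated tunnels and TFTP transfers to unexpected hosts
in flow records.  Added example, not part of the original article; the
inventory, subnets, allowlist and flow records below are constructed."""
import ipaddress
from dataclasses import dataclass

# Constructed inventory: management addresses of our own routers/switches.
NETWORK_DEVICES = {
    "10.0.0.1": "core-rtr-1",
    "10.0.0.2": "edge-fw-1",
    "10.0.0.3": "dist-sw-1",
}
# Where device-originated TFTP/SCP/syslog is expected to go (constructed).
MANAGEMENT_NET = ipaddress.ip_network("10.200.0.0/24")
# Approved site-to-site tunnel peers per device (constructed).
TUNNEL_ALLOWLIST = {"10.0.0.2": {"203.0.113.10"}}
# RFC 1918 space, checked explicitly: ipaddress.is_private also treats
# documentation ranges such as 198.51.100.0/24 as private, which would hide them.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
# External services a device may legitimately reach on its own (NTP here).
ALLOWED_EXTERNAL_PORTS = {123}


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    proto: int      # IP protocol number: 6 tcp, 17 udp, 47 gre, 50 esp
    dport: int      # 0 for protocols without ports
    bytes_out: int


def is_internal(ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def analyze_flows(flows):
    """Return (device_name, rule, flow) for every suspicious device-originated flow."""
    findings = []
    for f in flows:
        name = NETWORK_DEVICES.get(f.src)
        if name is None:
            continue  # only traffic originated by a network device is examined
        dst = ipaddress.ip_address(f.dst)
        # Rule 1: TFTP (the classic config-exfiltration channel) to a host
        # outside the management network.
        if f.proto == 17 and f.dport == 69 and dst not in MANAGEMENT_NET:
            findings.append((name, "tftp-to-unexpected-host", f))
        # Rule 2: GRE or IPsec tunnel to a peer that was never approved.
        if f.proto in (47, 50) and f.dst not in TUNNEL_ALLOWLIST.get(f.src, set()):
            findings.append((name, "unapproved-tunnel-peer", f))
        # Rule 3: a device talking TCP/UDP to the internet on a non-allowed port.
        if (f.proto in (6, 17) and not is_internal(f.dst)
                and f.dport not in ALLOWED_EXTERNAL_PORTS):
            findings.append((name, "device-outbound-to-internet", f))
    return findings


# Constructed flow records for one collection interval.
SAMPLE_FLOWS = [
    Flow("10.0.0.1", "10.200.0.5", 17, 69, 48_000),       # config backup to TFTP server: expected
    Flow("10.0.0.1", "192.168.77.9", 17, 69, 52_000),     # config copied to an unknown internal host
    Flow("10.0.0.2", "203.0.113.10", 50, 0, 900_000),     # approved IPsec peer
    Flow("10.0.0.2", "198.51.100.44", 47, 0, 1_200_000),  # GRE tunnel to an unknown peer
    Flow("10.0.0.3", "198.51.100.7", 6, 443, 30_000),     # switch opening HTTPS to the internet
    Flow("10.0.0.3", "10.200.0.9", 6, 22, 2_000),         # SSH to a management host: expected
    Flow("10.0.0.1", "203.0.113.5", 17, 123, 300),        # NTP: allowed external service
]

if __name__ == "__main__":
    for device, rule, flow in analyze_flows(SAMPLE_FLOWS):
        print(f"{device}: {rule} -> {flow.dst} proto={flow.proto} "
              f"dport={flow.dport} bytes={flow.bytes_out}")
```

Run against the sample, the script reports three flows: the TFTP copy to an unknown host, the GRE tunnel to an unapproved peer, and the switch reaching the internet on 443. The allowlists are the whole point: a device's expected peers are few and static, so anything outside them is worth a ticket even when the protocol itself is legitimate.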

Campaign targets

CISA identified several target categories:

  • Telecommunications service providers - access to routing infrastructure enabling traffic interception
  • Managed service providers (MSP) - MSP compromise grants access to their clients’ networks
  • Critical infrastructure operators - energy, water, transportation
  • Government and defense organizations - traditional espionage targets

Context - Volt Typhoon and Salt Typhoon

The campaign described in AA22-158A was not an isolated event. It fits a broader pattern of Chinese cyber operations that in subsequent years were attributed to the groups tracked as:

Volt Typhoon (disclosed in May 2023 by Microsoft) - a group targeting US critical infrastructure, including the telecommunications, energy, water, and transportation sectors. Volt Typhoon relied almost exclusively on “living off the land” techniques, using built-in system tools and compromised SOHO (small office/home office) devices as proxies.

Salt Typhoon (disclosed in 2024) - a group that compromised the networks of at least nine US telecommunications providers, gaining access to lawful intercept systems and communication metadata.

These campaigns share a common methodology: compromise of edge devices (routers, firewalls, VPNs), maintenance of long-term, quiet access, and positioning within critical infrastructure.

Why network devices are attractive targets

Network devices occupy a special position in security architecture:

  1. They see all traffic - a router or switch at a key point in the network sees traffic that never reaches any host-based monitoring, because it passes through no other inspection point
  2. Rarely updated - firmware update cycles for routers in many organizations span months or years, not weeks
  3. Poorly monitored - many organizations do not collect logs from network devices, or collect them without analysis
  4. No EDR - you cannot install an EDR agent on a router or switch to detect anomalous behavior
  5. Trusted positions - traffic from an edge router or firewall is typically treated as trusted by internal systems

TIP

One of the most effective defenses against this type of campaign is a configuration and firmware baseline for network devices. Regular comparison of the current configuration and firmware checksums against the approved version helps detect unauthorized modifications.

Defensive recommendations

Network device vulnerability management

  • Implement a network device patching process with an SLA no longer than 30 days for critical vulnerabilities
  • Inventory all network devices with firmware versions
  • Subscribe to vendor security alerts (Cisco PSIRT, Fortinet PSIRT)
  • Regularly scan devices for known vulnerabilities

Monitoring and detection

  • Collect and analyze network device logs (syslog, SNMP traps)
  • Monitor device configuration changes (RANCID, Oxidized, Cisco DNA Center)
  • Firmware integrity verification - compare hashes against official vendor versions
  • Monitor anomalous traffic patterns (unusual outbound connections from network devices)
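The TIP above and the second and third bullets here describe the same control: keep an approved copy of each device's configuration and image hash, then diff what the device reports now against it. The script below is an added example, not the article's or any vendor's tooling. It normalizes two captures of `show running-config` (dropping volatile lines such as the "Last configuration change" timestamp, so that only real changes surface), lists added and removed statements, and compares the image hash with the approved one. Both configurations and the image bytes are constructed; in production the approved hash comes from the vendor's download page and the current hash from the device's own verify command.

```python
"""Compare a device's running configuration and firmware image hash with an
approved baseline.  Added example, not from the article or any vendor tool;
the configs, image bytes and hashes below are constructed."""
import difflib
import hashlib
import re

# Lines that change between collections without anyone touching the device.
VOLATILE = [re.compile(p) for p in (
    r"^! (Last|No) configuration change",
    r"^! NVRAM config last updated",
    r"^Building configuration",
    r"^Current configuration",
    r"^ntp clock-period",
)]


def normalize(config: str) -> list[str]:
    """Drop blank, comment and volatile lines; keep indentation (it carries IOS structure)."""
    kept = []
    for line in config.splitlines():
        line = line.rstrip()
        if not line or line == "!" or any(p.match(line) for p in VOLATILE):
            continue
        kept.append(line)
    return kept


def compare(baseline_cfg: str, current_cfg: str,
            approved_image_sha256: str, current_image_sha256: str) -> dict:
    """Report statements added to / removed from the baseline, and whether the image hash matches."""
    added, removed = [], []
    diff = difflib.unified_diff(normalize(baseline_cfg), normalize(current_cfg),
                                lineterm="", n=0)
    for line in diff:
        if line.startswith(("---", "+++", "@@")):
            continue
        if line.startswith("+"):
            added.append(line[1:])
        elif line.startswith("-"):
            removed.append(line[1:])
    return {
        "image_ok": approved_image_sha256.lower() == current_image_sha256.lower(),
        "added": added,
        "removed": removed,
    }


# Constructed 'show running-config' output captured when the baseline was approved.
BASELINE_CFG = """\
Building configuration...

Current configuration : 1432 bytes
!
! Last configuration change at 09:12:44 UTC Mon Mar 7 2022
!
hostname core-rtr-1
!
no vstack
!
username admin privilege 15 secret 9 $9$constructedadminhash
!
interface GigabitEthernet0/0
 ip address 10.0.0.1 255.255.255.0
!
line vty 0 4
 transport input ssh
!
end
"""

# Constructed output collected later: a new privileged account, port mirroring
# towards an unused interface, and Telnet re-enabled on the VTY lines.
CURRENT_CFG = """\
Building configuration...

Current configuration : 1611 bytes
!
! Last configuration change at 02:41:09 UTC Tue Jun 7 2022
!
hostname core-rtr-1
!
no vstack
!
username admin privilege 15 secret 9 $9$constructedadminhash
username support privilege 15 secret 9 $9$constructedattackerhash
!
interface GigabitEthernet0/0
 ip address 10.0.0.1 255.255.255.0
!
monitor session 1 source interface Gi0/0
monitor session 1 destination interface Gi0/3
!
line vty 0 4
 transport input telnet ssh
!
end
"""

# Constructed image bytes, hashed here so the example runs offline; in production
# the approved value comes from the vendor and the current one from the device.
APPROVED_IMAGE_SHA256 = hashlib.sha256(b"constructed vendor image 17.3.4").hexdigest()
CURRENT_IMAGE_SHA256 = hashlib.sha256(b"constructed vendor image 17.3.4 + implant").hexdigest()


def run_example() -> dict:
    return compare(BASELINE_CFG, CURRENT_CFG, APPROVED_IMAGE_SHA256, CURRENT_IMAGE_SHA256)


if __name__ == "__main__":
    report = run_example()
    print("image hash matches approved:", report["image_ok"])
    for line in report["added"]:
        print("+", line)
    for line in report["removed"]:
        print("-", line)
```

The diff surfaces exactly the four statements an operator needs to see (a second privileged account, two port-mirroring lines, Telnet back on the VTYs) and nothing from the timestamp churn; the hash mismatch is reported separately because a modified image is a different incident class from a modified config. Tools such as RANCID or Oxidized do the collection and diffing at scale; the logic above is what their alerts should reduce to.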

Architecture

  • Network segmentation limiting the scope of a single device compromise
  • Disable unused services on network devices (Smart Install, SNMP v1/v2c, Telnet)
  • Enforce encrypted management (SSH instead of Telnet, HTTPS instead of HTTP, SNMPv3 instead of v1/v2c)
  • Dedicated management network (out-of-band management) separate from production traffic
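The second and third bullets above can be audited mechanically. The script below is an added example, not vendor tooling, that checks an IOS-style running configuration for the specific weak settings named: Smart Install not explicitly disabled (the service behind CVE-2018-0171, enabled by default on many platforms), cleartext HTTP management, SNMP v1/v2c community strings, and VTY lines that accept Telnet. It is run against a constructed weak configuration and the same device after hardening; both configs, the SNMPv3 group name and the credentials in them are invented for the example.

```python
"""Audit an IOS-style running configuration for management-plane weaknesses:
Smart Install left on, Telnet on the VTY lines, cleartext HTTP management,
SNMP v1/v2c community strings.  Added example, not vendor tooling; the weak
and hardened configurations below are constructed."""


def parse_blocks(config: str) -> list[tuple[str, list[str]]]:
    """Group indented lines under their parent statement (IOS-style nesting)."""
    blocks = []
    for raw in config.splitlines():
        line = raw.rstrip()
        if not line or line.startswith("!"):
            continue
        if line.startswith(" ") and blocks:
            blocks[-1][1].append(line.strip())
        else:
            blocks.append((line.strip(), []))
    return blocks


def audit_config(config: str) -> list[str]:
    """Return one finding per weak setting; an empty list means every check passed."""
    blocks = parse_blocks(config)
    top = [header for header, _ in blocks]
    findings = []

    # Smart Install is on by default on many IOS platforms, so only an
    # explicit 'no vstack' counts as disabled.
    if "no vstack" not in top:
        findings.append("Smart Install not explicitly disabled: add 'no vstack'")

    # Cleartext HTTP management interface.
    if "ip http server" in top:
        findings.append("HTTP management enabled: use 'no ip http server' and "
                        "'ip http secure-server'")

    # Any 'snmp-server community' line is SNMP v1/v2c: the community string
    # travels in cleartext with no integrity or encryption.  SNMPv3 is
    # configured with 'snmp-server group' / 'snmp-server user' instead.
    for header in top:
        if header.startswith("snmp-server community "):
            findings.append(f"SNMP v1/v2c community configured ({header}): "
                            "migrate to SNMPv3 with auth and priv")

    # Every VTY block must restrict inbound transport to SSH only.
    for header, children in blocks:
        if not header.startswith("line vty"):
            continue
        transports = [c for c in children if c.startswith("transport input")]
        if not transports:
            findings.append(f"{header}: no 'transport input' statement; on older "
                            "images the default permits Telnet")
        for t in transports:
            if t != "transport input ssh":
                findings.append(f"{header}: '{t}' permits cleartext login; "
                                "use 'transport input ssh'")
    return findings


# Constructed configuration carrying the weak settings the article warns about.
WEAK_CFG = """\
hostname edge-rtr-1
!
ip http server
!
snmp-server community public RO
snmp-server community private RW
!
interface GigabitEthernet0/0
 ip address 203.0.113.2 255.255.255.0
!
line vty 0 4
 transport input telnet ssh
line vty 5 15
 transport input all
!
end
"""

# The same device after applying the recommendations (constructed; the
# SNMPv3 group name and passphrases are placeholders).
HARDENED_CFG = """\
hostname edge-rtr-1
!
no vstack
!
no ip http server
ip http secure-server
!
snmp-server group NETMON v3 priv
snmp-server user monitor NETMON v3 auth sha constructedAuthPass priv aes 128 constructedPrivPass
!
interface GigabitEthernet0/0
 ip address 203.0.113.2 255.255.255.0
!
line vty 0 4
 transport input ssh
line vty 5 15
 transport input ssh
!
end
"""

if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_CFG), ("hardened", HARDENED_CFG)):
        findings = audit_config(cfg)
        print(f"{name}: {len(findings)} finding(s)")
        for f in findings:
            print("  -", f)
```

The weak configuration produces six findings, the hardened one none. Note the asymmetry in the Smart Install check: absence of evidence is treated as a finding, because the dangerous state is the platform default. The same stance applies to any service a vendor ships enabled.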

Supply chain

  • Firmware integrity verification before installation (compare hashes against official sources)
  • Audit managed service providers (MSPs) for their security practices
  • Control vendor access to network infrastructure (supervised sessions, logging)

Conclusions

The Chinese campaign against network equipment providers is an operation at a scale that demands a shift in how we approach network infrastructure security. Edge devices - routers, firewalls, VPN gateways - cannot be treated as “black boxes” that only need power after installation. They require the same level of security management as servers and workstations: regular updates, monitoring, integrity verification, and access control.

Organizations without a network device update management process should treat this as a priority. Four years after the CVE-2018-0171 patch was published, vulnerable devices were still being exploited - this is not a technology problem, it is an organizational one.


Sources:

  • CISA Alert AA22-158A, People’s Republic of China State-Sponsored Cyber Actors Exploit Network Providers and Devices - cisa.gov
  • Microsoft, Volt Typhoon targets US critical infrastructure with living-off-the-land techniques - microsoft.com
  • CISA, PRC State-Sponsored Actors Compromise and Maintain Persistent Access to U.S. Critical Infrastructure - cisa.gov
  • NSA, Network Infrastructure Security Guidance - nsa.gov
