Activities described in the advisory partially overlap with campaigns commonly tracked under the name Salt Typhoon.
Global cyber agencies have publicly linked three technology companies based in China with a global malicious cyber campaign targeting critical networks.
In an advisory, the NCSC and international partners from twelve other countries have shared technical details about how malicious cyber activities linked with these China-based commercial entities have targeted nationally significant organisations around the world.
Cyber Services
The three China-based technology companies provide cyber-related services to the Chinese intelligence services, and are part of a wider commercial ecosystem in China, which includes information security companies, data brokers and hackers for hire.
The named entities are: Sichuan Juxinhe Network Technology Co Ltd, Beijing Huanyu Tianqiong Information Technology Co Ltd, and Sichuan Zhixin Ruijie Network Technology Co Ltd.
Targeted Organisations
The NCSC claims that since at least 2021, this activity has targeted organisations in critical sectors including government, telecommunications, transportation, lodging, and military infrastructure globally, with a cluster of activity observed in the UK.
The advisory describes how the threat actors have had considerable success taking advantage of known common vulnerabilities rather than relying on bespoke malware or zero-day vulnerabilities to carry out their activities, meaning attacks via these vectors could have been avoided with timely patching.
NCSC Chief Executive Dr Richard Horne said: “We are deeply concerned by the irresponsible behaviour of the named commercial entities based in China that has enabled an unrestrained campaign of malicious cyber activities on a global scale.
“It is crucial organisations in targeted critical sectors heed this international warning about the threat posed by cyber actors, who have been exploiting publicly known – and so therefore fixable – vulnerabilities.”
John Hultquist, chief analyst at the Google Threat Intelligence Group, said it has been involved in investigations to “root this actor out of global telecommunications” and while there are many Chinese cyber espionage actors regularly targeting the sector, “this actor’s familiarity with telecommunications systems gives them a unique advantage, especially when it comes to evading detection.”
Hultquist said: “An ecosystem of contractors, academics, and other facilitators are at the heart of Chinese cyber espionage. Contractors are used to build tools and valuable exploits as well as carry out the dirty work of intrusion operations. They have been instrumental in the rapid evolution of these operations and growing them to an unprecedented scale.
“In addition to targeting telecommunications, reported targeting of hospitality and transportation by this actor could be used to closely surveil individuals. Information from these sectors can be used to develop a full picture of who someone is talking to, where they are, and where they are going.”
Written by
Dan Raywood is a B2B journalist with 25 years of experience, including covering cybersecurity for the past 17 years. He has extensively covered topics from Advanced Persistent Threats and nation-state hackers to major data breaches and regulatory changes.
He has spoken at events including 44CON, Infosecurity Europe, RANT Forum, BSides Scotland, Steelcon and the National Cyber Security Show, and served as editor of SC Media UK, Infosecurity Magazine and IT Security Guru. He was also an analyst with 451 Research and a product marketing lead at Tenable.