Chinese Threat Actor Activity Targets Edge Routers, Canadian Cybersecurity Center Warns

Written by:
Lore Apostol
Cybersecurity & Streaming Writer

A critical advisory on escalating activity by threat actors associated with the People’s Republic of China has been issued in Canada. It warns of an increase in the targeting and compromise of network edge routers, particularly across critical infrastructure sectors.

The Canadian Center for Cyber Security (Cyber Center) advisory mentions that some of the clusters were linked to the China-backed Salt Typhoon group, which has been identified as being behind the 2024 AT&T and Verizon cyberattacks.

Edge routers, being the first line of defense at network perimeters, remain a priority target due to their role in managing data traffic between networks. 

The Cyber Center has identified repeated exploitation of edge routers stemming from unpatched vulnerabilities, misconfigurations, and inadequate cryptographic protections, which would allow attackers to exfiltrate data and modify network traffic.

Threat actors have also been observed employing mass scanning and reconnaissance techniques to quickly identify and compromise devices with exposed interfaces or administrative services. Misconfiguration of these devices further heightens the risk, creating pathways for advanced persistence and lateral movement within networks.

Attackers focus on services exposed to the internet, weak or default credentials, poor device configuration, modification and exfiltration of configuration files, and execution of unauthorized commands.

Some common threat actor tactics include brute forcing, abnormal logins, clearing logs, adding new attacker-controlled accounts to the device, and altering configuration files.
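
Each of the tactics listed above leaves a trace in device logs that a defender can look for. The following is an added example, not taken from the advisory or this article: it flags brute forcing, abnormal logins, log clearing, new accounts and configuration changes in router events. The normalized log format, the management subnet and the thresholds are assumptions, and the sample lines are constructed.

```python
import ipaddress
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Assumptions, not from the advisory: management subnet, thresholds, log format.
MGMT_NETS = [ipaddress.ip_network("10.10.0.0/24")]
FAIL_THRESHOLD, FAIL_WINDOW = 3, timedelta(seconds=60)

# Constructed sample, hypothetical format: <ISO time> <device> <EVENT> key=value
SAMPLE_LOG = """\
2025-06-20T02:11:01Z edge-rtr1 AUTH_FAIL user=admin src=203.0.113.7
2025-06-20T02:11:03Z edge-rtr1 AUTH_FAIL user=root src=203.0.113.7
2025-06-20T02:11:05Z edge-rtr1 AUTH_FAIL user=admin src=203.0.113.7
2025-06-20T02:11:09Z edge-rtr1 AUTH_OK user=admin src=203.0.113.7
2025-06-20T02:12:30Z edge-rtr1 USER_ADDED by=admin name=svc-backup
2025-06-20T02:13:02Z edge-rtr1 CONFIG_CHANGED by=admin
2025-06-20T02:13:40Z edge-rtr1 LOG_CLEARED by=admin
2025-06-20T09:00:12Z edge-rtr2 AUTH_OK user=noc src=10.10.0.15
2025-06-20T09:05:00Z edge-rtr2 AUTH_OK user=noc src=198.51.100.20
"""

def parse(line):
    ts, device, event, *pairs = line.split()
    when = datetime.fromisoformat(ts.replace("Z", "+00:00"))
    return when, device, event, dict(p.split("=", 1) for p in pairs)

def detect(log_text):
    findings, flagged = [], set()
    fails = defaultdict(deque)  # (device, src) -> recent failure timestamps
    for line in filter(str.strip, log_text.splitlines()):
        when, device, event, f = parse(line)
        key = (device, f.get("src"))
        if event == "AUTH_FAIL":
            q = fails[key]
            q.append(when)
            while when - q[0] > FAIL_WINDOW:  # drop failures outside the window
                q.popleft()
            if len(q) >= FAIL_THRESHOLD and key not in flagged:
                flagged.add(key)
                findings.append(("brute_force", *key))
        elif event == "AUTH_OK":
            if key in flagged:  # a success from a source that was just guessing
                findings.append(("login_after_brute_force", *key))
            elif not any(ipaddress.ip_address(key[1]) in n for n in MGMT_NETS):
                findings.append(("login_from_unexpected_source", *key))
        elif event in ("USER_ADDED", "LOG_CLEARED", "CONFIG_CHANGED"):
            # Always surfaced, for review against approved change records.
            findings.append((event.lower(), device, f.get("by")))
    return findings
```

Forwarding device logs to a separate collector keeps these events available for this kind of check even when the local log is cleared.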

Deployment without vendor-recommended hardening guides or failure to routinely audit configurations has been a leading cause of compromise. Threat actors often extract sensitive configuration data to study vulnerabilities or implement unauthorized persistent access mechanisms.

In January, the U.S. Treasury Department sanctioned alleged hacker Yin Kecheng and the Sichuan Juxinhe Network Technology Company, who were linked to the Salt Typhoon threat actor and accused of breaching the OFAC networks and several telecom giants.

