China’s state-sponsored hackers have operated in the shadows for years. In 2025, U.S. intelligence and security agencies went public, loudly. The National Security Agency (NSA), working alongside the Cybersecurity and Infrastructure Security Agency (CISA) and the FBI, released a landmark Joint Cybersecurity Advisory detailing one of the most advanced and persistent cyber espionage operations ever documented.
The advisory builds on previous reporting and incorporates updated threat intelligence from investigations conducted through July 2025. It also reflects overlapping indicators with industry reporting on Chinese state-sponsored threat groups such as Salt Typhoon, OPERATOR PANDA, RedMike, UNC5807, and GhostEmperor, among others.
The Scale of China Cyber Espionage
The campaign the advisory exposes is staggering in its reach. The Joint Cybersecurity Advisory was issued by CISA, NSA, the FBI, and allied cybersecurity agencies across the Five Eyes, the EU, and partner nations. It details a long-term espionage campaign by People’s Republic of China (PRC) state-sponsored actors linked to companies supporting the Ministry of State Security (MSS) and People’s Liberation Army (PLA).
The APT actors have been conducting malicious operations globally since at least 2021. The advisory links these operations to multiple China-based entities, including at least Sichuan Juxinhe Network Technology Co. Ltd., Beijing Huanyu Tianqiong Information Technology Co., Ltd., and Sichuan Zhixin Ruijie Network Technology Co., Ltd. These companies provide cyber-related products and services to China’s intelligence services, including multiple units in the People’s Liberation Army and the Ministry of State Security. This is not random hacking. It is a coordinated, government-backed intelligence operation.
What the Joint Cybersecurity Advisory Reveals
The Joint Cybersecurity Advisory is a detailed technical document that exposes how PRC-linked hackers operate. The actors target networks in the telecommunications, government, transportation, lodging, and defense sectors, often by compromising large backbone routers and provider and customer edge routers, then using those compromised devices and their trusted connections to move into other networks. As the advisory puts it, “these actors often modify routers to maintain persistent, long-term access to networks.”
This cluster of cyber threat activity has been observed in the United States, Australia, Canada, New Zealand, the United Kingdom, and other regions globally. The threat, in other words, is not just America’s problem; it is a worldwide one.
The agencies also noted that the actors have not needed novel tooling to succeed. Tracking activity back to 2021, they said the threat actors have had “considerable success” exploiting publicly known vulnerabilities, and no zero-day exploitation had been observed to date. The practical implication is that timely patching of known exploited vulnerabilities on edge devices removes the actors’ primary way in.
How the Hackers Operate
The methods used in this China cyber espionage campaign are highly sophisticated. The actors tracked in industry reporting as Salt Typhoon, OPERATOR PANDA, RedMike, UNC5807, and GhostEmperor have systematically compromised telecommunications, government, transportation, lodging, and military networks worldwide. Their operations focus on exploiting backbone routers and trusted interconnections, modifying infrastructure for long-term access, and exfiltrating data to power global surveillance and espionage systems.
To maintain access, the actors use several tactics: modifying Access Control Lists (ACLs) to add their own IP addresses, opening standard and non-standard ports, enabling SSH servers, opening external-facing ports on network devices, creating tunnels over multiple protocols, and enumerating and altering the configuration of other devices on the network. Each of these is a change to device configuration rather than a malware implant, which is why comparing running configurations against a known-good baseline is one of the more reliable ways to catch this activity.
The national security community describes this as a “living off the land” strategy: using legitimate tools and built-in network features to avoid detection.
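The tactics above all leave traces in device configuration, so a useful first check is a diff of the current running configuration against a trusted baseline, classified by the tactic each new line matches. The following is an added example written for this article; it is not code from the advisory or the agencies. Both configuration snapshots are constructed IOS-style text with made-up addresses (documentation ranges), the router and account names are hypothetical, and the baseline is assumed to be a capture taken before the suspect window.

```python
"""Config-drift check for the router-persistence tactics listed in the advisory.
Added example, not code from the advisory or the agencies: both configuration
snapshots are constructed IOS-style text with made-up hostnames and addresses."""
from collections import Counter
from dataclasses import dataclass
import re

# Constructed known-good baseline, assumed captured before the suspect window.
BASELINE_CONFIG = """\
username netops privilege 15 secret 9 $9$baseline
ip access-list extended MGMT-IN
 permit tcp 10.0.0.0 0.255.255.255 any eq 22
 deny ip any any
line vty 0 4
 transport input ssh
"""

# Constructed current snapshot carrying the kinds of changes the advisory describes.
CURRENT_CONFIG = """\
username netops privilege 15 secret 9 $9$baseline
username support privilege 15 secret 9 $9$added
ip access-list extended MGMT-IN
 permit tcp 10.0.0.0 0.255.255.255 any eq 22
 permit tcp host 198.51.100.77 any eq 22
 permit tcp host 198.51.100.77 any eq 57722
 deny ip any any
ip ssh port 57722 rotary 1
ip http server
interface Tunnel99
 ip address 10.255.255.1 255.255.255.252
 tunnel source GigabitEthernet0/0
 tunnel destination 198.51.100.77
line vty 0 4
 transport input ssh
line vty 5 15
 transport input ssh telnet
 rotary 1
"""

@dataclass(frozen=True)
class Finding:
    tactic: str   # advisory-listed tactic the added line matches
    parent: str   # enclosing stanza ("" for top-level lines)
    line: str     # configuration line that is new relative to the baseline

# Only lines absent from the baseline are matched, so long-standing legitimate
# entries (the original vty SSH transport, the netops account) do not fire.
TACTIC_PATTERNS = [
    ("ACL entry added (new permitted address)", re.compile(r"^permit\s")),
    ("non-standard or extra port opened", re.compile(r"^ip ssh port (?!22\b)\d+|^ip http (?:secure-)?server")),
    ("SSH/management transport enabled", re.compile(r"^transport input\s")),
    ("tunnel interface created", re.compile(r"^interface Tunnel|^tunnel (?:source|destination)\s")),
    ("local account added", re.compile(r"^username\s")),
]
IPV4 = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")

def parse_config(text: str) -> set[tuple[str, str]]:
    """Return {(parent_stanza, line)}; indented lines keep their enclosing stanza."""
    entries, parent = set(), ""
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("!"):
            continue
        line = re.sub(r"\s+", " ", raw.strip())
        if raw[0] not in " \t":
            parent = line
            entries.add(("", line))
        else:
            entries.add((parent, line))
    return entries

def detect_tactics(baseline: str, current: str) -> list[Finding]:
    """Classify every line present in `current` but absent from `baseline`."""
    findings = []
    for parent, line in sorted(parse_config(current) - parse_config(baseline)):
        for tactic, pattern in TACTIC_PATTERNS:
            if pattern.search(line):
                findings.append(Finding(tactic, parent, line))
                break
    return findings

def tactic_counts(findings: list[Finding]) -> dict[str, int]:
    """How many new lines matched each tactic (quick triage summary)."""
    return dict(Counter(f.tactic for f in findings))

def ip_pivots(findings: list[Finding]) -> dict[str, set[str]]:
    """Map each IPv4 literal in the added lines to the tactics it appears in; an
    address in both a new ACL permit and a new tunnel destination is a strong pivot."""
    pivots: dict[str, set[str]] = {}
    for f in findings:
        for ip in IPV4.findall(f.line):
            pivots.setdefault(ip, set()).add(f.tactic)
    return pivots

if __name__ == "__main__":
    for f in detect_tactics(BASELINE_CONFIG, CURRENT_CONFIG):
        print(f"[{f.tactic}] {f.parent + ' > ' if f.parent else ''}{f.line}")
```

On the constructed input the check flags nine new lines: the added local account, two ACL permits for an outside host, a non-standard SSH port plus the HTTP server, the new tunnel interface and its source and destination, and a second vty range that re-enables telnet. The same outside address turns up in both the ACL change and the tunnel destination, which is exactly the kind of pivot a responder would take to firewall logs and NetFlow. The diff-against-baseline design matters: the original vty SSH transport and the netops account exist in both snapshots and are not reported, so the check does not drown in the device’s legitimate, long-standing management configuration.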
The Scattered Spider FBI Advisory: A Parallel Threat
While the China advisory focuses on state-sponsored actors, a separate but equally alarming Scattered Spider FBI Advisory was issued in July 2025. CISA, together with the Federal Bureau of Investigation, the Canadian Centre for Cyber Security, the Royal Canadian Mounted Police, the Australian Signals Directorate’s Australian Cyber Security Centre, the Australian Federal Police, and the U.K. National Cyber Security Centre, released an updated Joint Cybersecurity Advisory on Scattered Spider, a cybercriminal group targeting the commercial facilities sector and its subsectors.
The notorious gang has expanded its targeting in recent months to include retailers, insurers, and airlines in multiple countries. Although it has focused primarily on targets in the U.K. and the U.S., the group recently caught the attention of Canadian and Australian authorities, which co-signed the new advisory along with the U.K.
Scattered Spider extortionists have changed their tactics. They now break into victims’ networks using savvier social engineering, search for organizations’ Snowflake database credentials, and deploy a handful of new ransomware variants, most recently DragonForce.
The Scattered Spider FBI Advisory makes clear that nation-state actors and cybercriminal gangs are escalating at the same time, a dangerous convergence for national security defenders.
Official Quotes
The Joint Cybersecurity Advisory carries weight not just from its technical detail but from the officials who stand behind it.
“CISA and our partners are committed to equipping critical infrastructure owners and operators with the intelligence and tools they need to defend against sophisticated cyber threats,” said Madhu Gottumukkala, Acting Director of CISA.
Security experts also offered pointed analysis. Trey Ford, chief strategy and trust officer at Bugcrowd, says that with this advisory, agencies like CISA are trying to burn China’s efforts “in a very public way, driving up the cost and operational overhead of any targeted operations in motion.”
Frankie Sclafani, director of cybersecurity enablement at Deepwatch, says CISA’s advisory is urgent because it highlights the recent “critical shift” from Chinese state-sponsored activity from being purely espionage to something more invasive.
What CISA China and NSA Cybersecurity Recommend
The response isn’t just about naming the threat; it’s about fixing it. The mitigations recommended in the Joint Cybersecurity Advisory include patching known exploited vulnerabilities, enabling centralized logging, and securing edge infrastructure. These steps are critical to reducing the risk of compromise and ensuring the resilience of the systems that underpin national and economic security.
CISA, NSA, and the FBI assess that Chinese government-linked APT actors are positioning themselves within information technology networks, enabling lateral movement to operational technology systems, the hardware and software that control critical infrastructure.
The agencies also acknowledged industry partners, including Amazon Web Services, Cisco Talos, CrowdStrike, Google Mandiant, and Microsoft, for contributing to the advisory.
Global Impact
The China cyber espionage campaign exposed in this Joint Cybersecurity Advisory has profound consequences beyond any one country. The relatively recent breach of U.S. telecommunications infrastructure by Chinese government-linked Salt Typhoon actors underscores the growing scope and sophistication of China’s cyber capabilities.
For allied nations, the message from the national security community is stark: no country is immune. The Five Eyes intelligence alliance, comprising the U.S., U.K., Canada, Australia, and New Zealand, co-signed the advisory, a rare and powerful signal of collective concern.
Businesses in telecoms, transport, hospitality, and defense must now treat these NSA and CISA threat alerts as board-level emergencies, not just IT department memos.
Conclusion
The release of both the China Joint Cybersecurity Advisory and the Scattered Spider FBI Advisory in 2025 marks a turning point in how national security agencies communicate cyber threats to the public. The agencies have gone further than ever before in naming actors, exposing tactics, and demanding urgent action.
China cyber espionage is no longer a classified intelligence concern; it is a publicly acknowledged, globally coordinated crisis. Organizations that fail to act on these warnings risk becoming the next headline.
The NSA gift shop may sell branded merchandise, but the most valuable thing the NSA is offering right now is intelligence, and it is urging everyone to use it.
FAQs
What is the AI war between China and the US?
The AI war between China and the US refers to the intense geopolitical and technological competition to dominate artificial intelligence development, military applications, and economic infrastructure. Both nations are racing to lead in AI-powered surveillance, autonomous weapons, cyberwarfare tools, and economic productivity. This competition overlaps with China cyber espionage activities, where state-sponsored hackers steal research and intellectual property to accelerate China’s AI ambitions.
Which country is No. 1 in AI?
As of 2025, the United States is widely considered the global leader in AI based on research output, private investment, and the dominance of companies like Google, Microsoft, OpenAI, and Anthropic. However, China is a close and rapidly closing competitor, particularly in AI applications, surveillance technology, and state-backed AI deployment. U.S. agencies have flagged China’s aggressive efforts, including cyber espionage, as part of its strategy to close this gap.
What is the 30% rule in AI?
The “30% rule” in AI is an informal term rather than a formal standard. It generally refers to the idea that AI systems should not be trusted to make fully autonomous decisions in contexts where errors carry serious consequences, keeping at least 30% human oversight or intervention. It is cited in discussions about AI governance, military use of autonomous systems, and ethical deployment frameworks. In the context of national security policy, it speaks to the need for human-in-the-loop controls when AI is used in cybersecurity defense or offensive operations.