
PRC State-Sponsored Telecom Router Compromise Detection: CISA AA25-239a Breakdown

PRC state-sponsored telecom router compromise — the systematic modification of backbone routers at global carriers for long-term persistent access — is the subject of CISA advisory AA25-239a, published August 27, 2025. The advisory, co-signed by the NSA, FBI, and cybersecurity agencies from more than 17 nations including Five Eyes partners and the European Union, documents how threat actors tracked as Salt Typhoon, OPERATOR PANDA, and RedMike implant persistence mechanisms across Provider Edge (PE) and Customer Edge (CE) routers. This guide breaks down every persistence technique from the advisory, maps each to its MITRE ATT&CK technique ID, provides working detection commands for Cisco IOS XE and IOS XR platforms, and lays out a verified eviction sequence network operators can run against suspected compromised infrastructure.

PRC State-Sponsored Telecom Router Compromise: What CISA AA25-239a Documents

Advisory AA25-239a ("Countering Chinese State-Sponsored Actors' Compromise of Networks Worldwide") is the most comprehensive public disclosure to date of how PRC-backed operators modify networking equipment after gaining initial access. Unlike prior advisories that focused on initial exploitation of edge devices, AA25-239a documents the post-compromise persistence layer: the configuration-level and firmware-level changes attackers make to ensure they retain access even after the original vulnerability is patched.

The advisory focuses on two network roles central to telecom infrastructure:

  • PE routers (Provider Edge routers — devices at the boundary between a carrier's core network and the customer's network, handling BGP route advertisements and traffic handoff)
  • CE routers (Customer Edge routers — the customer-side devices that connect to the provider's PE, often managed by the ISP on the customer's behalf)

Both sit at high-value choke points. PE routers carry routing tables for entire carrier networks; CE router access allows attackers to pivot laterally into enterprise customers without ever touching their internet-facing perimeter.

The co-signature list — CISA, NSA, FBI, GCHQ, ASD, CCCS, NCSC-NZ, and agencies from across the EU and Indo-Pacific — reflects the breadth of observed global compromise. This is not a regional campaign.

Salt Typhoon: The Threat Actor Behind the Campaign

The PRC state-sponsored actors documented in AA25-239a are tracked under multiple names across the threat intelligence community: Salt Typhoon (Microsoft), OPERATOR PANDA (CrowdStrike), RedMike (Recorded Future), and UNC5807 (Mandiant). The advisory links activity to both the Ministry of State Security (MSS) and PLA-aligned support infrastructure without attributing to a specific unit number.

This is not Volt Typhoon, which focuses on living-off-the-land techniques in US critical infrastructure for pre-conflict positioning. Salt Typhoon's mission is strategic signals intelligence: sustained visibility into communications traffic traversing backbone infrastructure at global scale.

The campaign's defining characteristic is patience. Actors dwell undetected inside backbone routers for months, collecting routing telemetry, intercepting unencrypted transit traffic, and staging for deeper enterprise access via PE-to-CE pivoting. The advisory characterises the collected intelligence as feeding a global espionage system — not opportunistic financial crime.

Persistence Techniques and MITRE ATT&CK Mapping

The following techniques are documented in AA25-239a. Each is paired with its MITRE ATT&CK technique ID (the industry-standard adversary behaviour framework maintained by MITRE) and a description of what the modification looks like on a compromised device.

1. ACL Modification (T1601 — Modify System Image)

Actors add entries to router ACLs (Access Control Lists — firewall-like rules governing which IP addresses can reach which management services) to whitelist their own infrastructure. This grants continued management-plane access even if security policies are subsequently tightened or the original vulnerability is patched out.

2. SSH on Non-Standard Ports (T1021.004 / T1098.004)

SSH (Secure Shell — the protocol used for encrypted remote management of network devices) servers are enabled on high-numbered non-standard ports, typically in the 22222 or 18000+ range. Actor-controlled SSH public keys are inserted into the device's authorised keys store. Standard port-based firewall filtering misses these footholds entirely. MITRE T1098.004 covers the authorised-keys manipulation; T1021.004 covers the SSH lateral movement pathway.

3. GRE and IPsec Tunnel Creation (T1572 / T1048)

GRE (Generic Routing Encapsulation — a tunnelling protocol that wraps arbitrary network traffic inside IP packets, making it look like legitimate routing) and IPsec tunnels are created between the compromised router and actor-controlled infrastructure. These tunnels serve as covert command-and-control channels and exfiltration paths, encapsulated inside traffic patterns that appear to be normal carrier routing operations. MITRE T1572 covers protocol tunnelling for C2; T1048 covers exfiltration over alternative protocols.

4. Cisco Guest Shell Abuse (T1609 — Container Administration Command)

Guest Shell is a Linux container (CentOS-based) that runs natively on Cisco IOS XE devices and provides a bash environment for scripting and automation. Actors enable Guest Shell to stage tools, run Python scripts, and process captured data inside a layer that standard IOS logging does not capture. Most network operations teams do not audit Guest Shell command history, making it a low-visibility execution environment for post-compromise activity.

5. IOS XR sshd_operns Service Enabling

On Cisco IOS XR devices — the carrier-grade operating system used on platforms such as the ASR 9000 series that form the backbone of large ISP networks — actors enable the sshd_operns service, which is disabled by default. This opens an SSH listener on TCP port 57722, the IOS XR operations SSH port for the underlying Linux subsystem. Actors then create local accounts with sudo privileges, granting full root OS-level access beneath the IOS XR management plane. This technique has no analogue in enterprise network security playbooks and is missed by most threat detection tooling.

6. TACACS+/RADIUS Redirection (T1556 — Modify Authentication Process)

TACACS+ (Terminal Access Controller Access Control System Plus — the protocol used by most large network operators for centralised router authentication and authorisation) and RADIUS traffic are redirected to actor-controlled servers. This intercepts administrator credentials at authentication time, giving actors valid credentials for every subsequent login attempt by legitimate network staff — including during the eviction process itself if operators are not careful about sequencing.

7. Firmware Hot Patching

Router firmware is modified in memory without a device reboot (hot patching). In more persistent cases, modified bootloaders or replacement IOS images are staged so that the modification survives reboots. This technique is the hardest to detect with command-line auditing alone because no configuration file change is written to disk during the initial implantation.

8. Log Clearing (T1562 — Impair Defenses)

Syslog entries and local device logs are cleared to remove evidence of configuration changes, new account creation, and tunnel establishment. This is typically the last action in a compromise sequence and explains why many affected carriers have no log evidence of the initial intrusion.

9. SNMP Configuration Abuse (T1601)

SNMP (Simple Network Management Protocol — used for remote monitoring and configuration of network devices) community strings are harvested and used to enumerate and modify device configurations across the carrier network at scale, enabling lateral movement to additional routers from a single compromised management station.

MITRE ATT&CK Quick-Reference

| Tactic | Technique | ID |
|---|---|---|
| Initial Access | Exploit public-facing application | T1190 |
| Persistence | SSH authorised keys | T1098.004 |
| Persistence | Modify system image | T1601 |
| Execution | Container administration (Guest Shell) | T1609 |
| Lateral Movement | Remote services: SSH | T1021.004 |
| Defense Evasion | Modify authentication process (TACACS+) | T1556 |
| Defense Evasion | Impair defenses: log clearing | T1562 |
| Command & Control | Protocol tunneling (GRE/IPsec) | T1572 |
| Exfiltration | Exfiltration over alternative protocol | T1048 |
| Collection | Network sniffing | T1040 |

Initial Access: CVEs Exploited for Backbone Router Compromise

Actors gained initial footholds by exploiting publicly known vulnerabilities in internet-exposed network management interfaces. The primary CVEs documented in AA25-239a are:

| CVE | Product | CVSS v3 | Vulnerability Type |
|---|---|---|---|
| CVE-2023-20198 | Cisco IOS XE Web UI | 10.0 (Critical) | Unauthenticated privilege escalation via HTTP management interface |
| CVE-2023-20273 | Cisco IOS XE | 7.2 (High) | Privilege escalation; chained with CVE-2023-20198 for root shell access |
| CVE-2018-0171 | Cisco Smart Install | 9.8 (Critical) | Unauthenticated RCE via Smart Install protocol |
| CVE-2024-21887 | Ivanti Connect Secure | 9.1 (Critical) | Command injection in SSL VPN web interface |
| CVE-2024-3400 | Palo Alto GlobalProtect | 10.0 (Critical) | Unauthenticated RCE via path traversal in GlobalProtect gateway |

CVE-2023-20198 is particularly significant: it allows creation of a privileged local account on any internet-facing IOS XE device with the Web UI enabled, with no credentials required. It was widely mass-exploited in October 2023. Any organisation that had this CVE unpatched on management-facing interfaces should treat routing infrastructure accessible from those devices as potentially compromised until verified.

PRC State-Sponsored Telecom Router Compromise Detection: Step-by-Step Checklist

Run the following checks on all PE and CE routers. Commands target Cisco IOS XE and IOS XR — adjust for Juniper JunOS (show configuration | compare rollback) or Nokia SR OS (info and compare) equivalents.

Step 1 — Audit ACLs for unauthorised entries

```
show ip access-lists
show ipv6 access-lists
show running-config | section ip access-list
```

Compare output against your documented ACL baseline. Flag any entries that permit management traffic (SSH, HTTPS, SNMP, Telnet) from IP ranges not in your approved management network. Pay particular attention to permit-any or overly broad entries added after your last change-management window.

Step 2 — Check for SSH on non-standard ports

```
show control-plane host open-ports
show running-config | include ip ssh port
show running-config | include ssh
```

Look for SSH listeners on any port other than 22. Any ip ssh port directive binding SSH to a non-standard port is a strong indicator of actor modification.

Step 3 — Audit SSH authorised keys and local accounts

```
show running-config | include username
show running-config | section ip ssh pubkey-chain
show running-config | section aaa
```

Cross-reference every local username and every SSH public key against your provisioning records. Accounts not traceable to a change ticket are unauthorised. On IOS XE:

```
show users
show ip ssh
```

Step 4 — Check for unauthorised tunnel interfaces

```
show interfaces | include Tunnel
show running-config | section interface Tunnel
show ip interface brief | include Tunnel
show interfaces tunnel summary
```

Document every tunnel interface. Any GRE or IPsec tunnel not provisioned as part of an approved carrier circuit or VPN should be treated as actor-implanted infrastructure. Check tunnel source and destination addresses against your known-good IP inventory.

Step 5 — Inspect Cisco Guest Shell (IOS XE)

```
show app-hosting list
show app-hosting detail appid guestshell
```

If Guest Shell is running, inspect it:

```
guestshell run bash
```

Inside the bash session:

```
history
cat /home/guestshell/.bash_history
ps aux
netstat -tulnp
ls -la /bootflash/
```

If Guest Shell is running and your organisation did not provision it for approved automation, disable it immediately:

```
guestshell disable
```

To remove the container and its contents as well, follow with guestshell destroy.

Step 6 — Check IOS XR sshd_operns and TCP/57722

```
show running-config | include sshd
```

On the IOS XR Linux subsystem (reached from the IOS XR management plane via run or bash):

```
systemctl status sshd_operns
ss -tulnp | grep 57722
cat /etc/ssh/sshd_config
```

The sshd_operns service should be disabled in a clean environment. Any listener on TCP/57722 not explicitly provisioned is a critical finding. Check for local accounts in /etc/passwd that were not created by your provisioning system.

Step 7 — Verify TACACS+/RADIUS server configuration

```
show running-config | include tacacs-server
show running-config | include tacacs server
show running-config | include radius-server
show running-config | section aaa group
```

Verify that every TACACS+ and RADIUS server IP address matches your approved authentication server inventory. Any unknown IP receiving authentication traffic is a critical finding. Cross-reference against your TACACS+ server logs to confirm traffic origin.

Step 8 — Check SNMP community strings and version

```
show running-config | include snmp-server community
show running-config | include snmp-server host
show snmp
```

Revoke all SNMP v1/v2c community strings and rotate SNMPv3 credentials. If your platform supports SNMPv3, migrate immediately — v1 and v2c community strings are transmitted in plaintext and trivially interceptable on a router that also handles transit traffic.

Step 9 — Compare running config to startup config and backup

```
show running-config
show startup-config
```

Diff these two outputs manually or via your NMS (Network Management System — the platform used to centralise device configuration backups and change auditing). Any delta not explained by an approved change represents an in-memory modification that has not been saved — consistent with hot patching or live configuration changes made without operator knowledge.

Step 10 — Verify firmware integrity

```
show version
verify /md5 flash:/<ios-image-filename>
```

Compare the reported MD5 hash against the vendor-published hash for the installed IOS version on Cisco Software Central. Hashes that do not match vendor-published values indicate firmware tampering. For IOS XR:

```
show install active summary
show platform security integrity dossier
```

The integrity dossier command on supported IOS XR platforms produces a cryptographically signed report of boot measurements that can be compared against Cisco's reference values.
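One way to automate Steps 1 to 4, 7 and 8 of this checklist in a single pass, as an added example that is not from the advisory or the original post: a small Python audit that scans an IOS XE running-config for the indicators described under techniques 1, 2, 3, 6 and 9 above and returns findings to reconcile against change tickets. The sample config and the approved-inventory sets are constructed assumptions, not values from any real device.

```python
# Added example (not from the advisory or the post): flag the AA25-239a
# indicators in an IOS XE running-config. Inventories are constructed assumptions.
import re

APPROVED_USERS = {"netops"}
APPROVED_AAA_SERVERS = {"10.10.0.5"}
APPROVED_TUNNEL_PEERS = {"192.0.2.10"}
MGMT_NET_PREFIXES = ("10.10.",)          # approved management network
MGMT_PORTS = {"22", "23", "161", "443"}  # ssh, telnet, snmp, https

SAMPLE_CONFIG = """\
username netops privilege 15 secret 9 $9$redacted
username sysadm1n privilege 15 secret 9 $9$redacted
ip ssh port 22222 rotary 1
ip ssh pubkey-chain
 username sysadm1n
  key-hash ssh-rsa 00000000000000000000000000000000
tacacs server CORP-1
 address ipv4 10.10.0.5
tacacs server CORP-2
 address ipv4 198.51.100.7
interface Tunnel100
 tunnel destination 203.0.113.44
ip access-list extended MGMT-IN
 permit tcp 10.10.0.0 0.0.255.255 any eq 22
 permit tcp host 203.0.113.44 any eq 22
snmp-server community public RO
"""  # constructed sample, not a real device


def audit_config(text):
    """Return (indicator, detail) tuples in config order."""
    findings, block, acl = [], None, None
    for line in text.splitlines():
        s = line.strip()
        if not line.startswith(" "):  # new top-level stanza
            block, acl = None, None
            if s == "ip ssh pubkey-chain":
                block = "pubkey"
            elif s.startswith("interface Tunnel"):
                block = s.split()[1]
            elif s.startswith("ip access-list"):
                acl = s.split()[-1]
        if m := re.match(r"username (\S+)", s):
            if m.group(1) not in APPROVED_USERS:  # technique 2 / checklist step 3
                kind = "ssh-authorized-key" if block == "pubkey" else "local-account"
                findings.append((kind, m.group(1)))
        if m := re.match(r"ip ssh port (\d+)", s):
            if m.group(1) != "22":  # technique 2
                findings.append(("ssh-nonstandard-port", m.group(1)))
        if m := re.match(r"(?:address ipv4|tacacs-server host|radius-server host) (\S+)", s):
            if m.group(1) not in APPROVED_AAA_SERVERS:  # technique 6
                findings.append(("aaa-redirect", m.group(1)))
        if m := re.match(r"tunnel destination (\S+)", s):
            if block and m.group(1) not in APPROVED_TUNNEL_PEERS:  # technique 3
                findings.append(("unauthorised-tunnel", f"{block}->{m.group(1)}"))
        tokens = s.split()
        if acl and tokens[:1] == ["permit"] and "eq" in tokens:  # technique 1
            src = tokens[3] if tokens[2] == "host" else tokens[2]  # address or 'any'
            if tokens[tokens.index("eq") + 1] in MGMT_PORTS and not src.startswith(MGMT_NET_PREFIXES):
                findings.append(("acl-mgmt-permit", f"{acl}: {s}"))
        if m := re.match(r"snmp-server community (\S+)", s):
            findings.append(("snmp-v2c-community", m.group(1)))  # technique 9
    return findings
```

Feed it the saved output of show running-config from each PE and CE router; an empty result means none of the parsed indicators were present, not that the device is clean, so Steps 5, 6, 9 and 10 still apply.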

Eviction and Hardening Guide

If the detection checklist identifies confirmed or suspected compromise, execute eviction in the following sequence. Sequence matters: performing eviction while actors retain TACACS+ credential interception (Step 6 in the advisory's documented technique list) means your new credentials are compromised the moment you type them.

  • Isolate the management plane first. Before touching device configuration, sever the actor's visibility: redirect all TACACS+ and RADIUS traffic to your known-good authentication servers. Block management access from all IP ranges except your out-of-band management network. Do this before rotating any credentials.
  • Apply all outstanding patches for CVE-2023-20198, CVE-2023-20273, CVE-2018-0171, CVE-2024-21887, and CVE-2024-3400 on all affected and adjacent devices. Also audit for Cisco Smart Install (show vstack config) and disable it if not required (no vstack).
  • Restore from a known-good configuration backup predating the suspected compromise window. If no pre-compromise backup is available, rebuild the configuration from your documented baseline. Do not simply remove the specific modifications found in detection — you may not have found all of them.
  • Remove all unauthorised accounts and SSH keys. Cross-reference against provisioning records. On IOS XE, remove an individual key with no username <name> under ip ssh pubkey-chain, and the account itself with no username <name> in global configuration. On IOS XR Linux, edit /etc/passwd and /root/.ssh/authorized_keys after the OS is booted from a verified image.
  • Remove all unauthorised tunnel interfaces with no interface Tunnel <number> and verify removal with show interfaces. Check both running and startup configuration to confirm deletion persisted.
  • Disable Guest Shell on IOS XE if not in approved use: guestshell disable (then guestshell destroy to remove the container). Disable sshd_operns on IOS XR: systemctl disable sshd_operns && systemctl stop sshd_operns.
  • Rotate all credentials. Rotate TACACS+/RADIUS pre-shared keys, SNMPv3 auth and priv passwords, enable secret, SSH host keys (crypto key generate rsa modulus 4096), and any management-plane TLS certificates. Assume every credential that has been used on a compromised device is known to the actor.
  • Verify firmware integrity on every affected device. If the IOS image hash does not match vendor-published values, engage Cisco TAC (or the relevant vendor's incident response team) for a hardware-level forensic assessment before returning the device to production.
  • Enable immutable syslog forwarding to a log aggregator that the router cannot write to or delete from. The syslog destination must be reachable from the device but not modifiable by any management-plane account on the device. Segment syslog infrastructure from the management plane.
  • Implement MFA (Multi-Factor Authentication — requiring two or more factors to authenticate, so that a stolen password alone is insufficient) for all management-plane access via TACACS+ or RADIUS. Restrict management access to a dedicated out-of-band network not reachable from transit interfaces. Implement NETCONF/YANG-based configuration management with cryptographic signing where platform support exists.

Impact: What Persistent Backbone Access Enables

An actor with months of sustained access to PE routers at a carrier network can:

  • Intercept unencrypted transit traffic in bulk — authentication sessions, email metadata, VoIP calls, and DNS queries traversing the network (MITRE T1040, Network Sniffing). At carrier scale, this represents intelligence collection across thousands of enterprise customers simultaneously.
  • Manipulate BGP routing announcements (BGP — Border Gateway Protocol, the routing protocol that determines how traffic moves between networks on the internet) to redirect specific traffic flows through actor-controlled infrastructure before delivering them transparently to the legitimate destination. BGP hijacking at this layer is largely invisible to affected organisations.
  • Pivot from PE to CE to gain initial access into the enterprise networks of telecom customers. Actors compromise one carrier router and reach hundreds of downstream enterprise environments without touching any of their internet-facing perimeters.
  • Pre-position for destructive effects. Router configuration modification can be used to cut circuits or black-hole specific IP prefixes during a conflict or crisis. The advisory notes that this campaign supports long-term espionage, but the access model is identical to the pre-positioning infrastructure documented in prior CISA advisories on Volt Typhoon and PRC critical infrastructure targeting.

Conclusion

CISA AA25-239a documents a campaign operating inside backbone telecom infrastructure using techniques most network security teams were not actively hunting. The detection checklist in this guide takes under an hour to run on a single device — and the findings determine whether a full forensic engagement is warranted. If you identify compromise, the single most important sequencing rule is to isolate the management plane from actor visibility before rotating credentials: actors with TACACS+ interception intact will harvest every new password you set during the eviction process.

For the broader picture of how PRC-nexus actors build persistent infrastructure from edge routers and cameras, see our analysis of the CISA advisory on China-nexus covert networks. For the detection-evasion techniques state-sponsored operators use to stay hidden after initial compromise, see the threat actor OPSEC evasion playbook. Network defenders tracking ICS exposure on management networks should also review our NSA GRASSMARLIN coverage.
