Bob’s Newsletter

Daily Drop (1123)

08-29-25

Bob Bragg
Aug 29, 2025
∙ Paid

Friday, Aug 29, 2025 // (IG): BB // GITHUB // SN R&D


CISA, NSA, FBI Warn of Salt Typhoon as Part of China’s Expanding Global Espionage Campaign

Bottom Line Up Front (BLUF): A joint advisory released on August 28, 2025, by CISA, the NSA, and the FBI—alongside cybersecurity agencies from 12 allied nations—warns of a "global espionage system" operated by Chinese state-backed actors. The advisory links advanced persistent threat (APT) clusters, including Salt Typhoon, to long-term intrusions in critical infrastructure sectors via known vulnerabilities in network devices.

Analyst Comments: This sweeping advisory signals a turning point in international cyber threat posture toward China. Salt Typhoon’s transition from espionage to deep infrastructure penetration suggests pre-positioning for potential disruptive attacks. Targeting routers and authentication protocols reveals a strategic aim to undermine core systems at the network level. By exposing China's tactics and naming its APTs, allied nations are pushing back on Beijing’s denials while increasing pressure for global cyber defense collaboration.

FROM THE MEDIA: The advisory, cosigned by cybersecurity authorities from 12 countries, outlines how these actors exploit known vulnerabilities in Cisco IOS XE, Ivanti Connect Secure, and Palo Alto’s PAN-OS to compromise telecom, defense, transportation, and government networks. The agencies warn that the actors modify routers and firewalls to maintain persistent access, and that they facilitate lateral movement by capturing credentials and manipulating authentication infrastructure. Experts cited in the coverage, including leaders from Bugcrowd and Deepwatch, stress the advisory’s urgency, noting the shift from passive surveillance to active network positioning for future disruption. The advisory includes mitigations and indicators of compromise (IOCs) to help defenders identify and evict intrusions.

READ THE STORY: DR

Dutch Intelligence Confirms Chinese Cyber-Espionage Targeted Local Infrastructure via Salt Typhoon Campaign

Bottom Line Up Front (BLUF): Dutch intelligence agencies have verified that Chinese state-sponsored hacking groups, notably Salt Typhoon and RedMike, targeted internet service and hosting providers in the Netherlands. While the intrusions did not penetrate internal networks, attackers gained access to routers, highlighting an ongoing and growing cyber-espionage threat from China.

Analyst Comments: By compromising router-level devices, attackers can monitor traffic, identify vulnerabilities, and launch follow-up attacks. The global nature of these operations, confirmed by joint statements from 13 countries, suggests a coordinated response is necessary. The persistent and sophisticated nature of such campaigns reflects China's long-term investment in building comprehensive cyber-intelligence capabilities.

FROM THE MEDIA: According to the Dutch Ministry of Defence, smaller internet and hosting providers were affected, with attackers accessing routers but not progressing deeper into internal systems. The findings resulted from an investigation by the Military Intelligence and Security Service (MIVD) and the General Intelligence and Security Service (AIVD). The announcement follows a joint advisory issued with 12 other nations, which also pointed to the involvement of Chinese tech companies in supporting these campaigns. The threat actors have been linked to prior espionage efforts against U.S. presidential campaigns and infrastructure in dozens of other countries. Authorities warn that the level of sophistication requires constant vigilance to maintain national cybersecurity resilience.

READ THE STORY: The Record

CISA Issues Threat Hunting Guide to Counter Salt Typhoon and Other Chinese APTs

Bottom Line Up Front (BLUF): CISA's new threat hunting guide targets actors such as Salt Typhoon, RedMike, and UNC5807, offering technical detection playbooks and mitigation steps for securing backbone routers and other network edge devices.

Analyst Comments: Salt Typhoon’s emphasis on long-term router compromise and lateral movement shows a broader move from passive espionage to strategic positioning within critical infrastructure. The guide’s actionable recommendations—such as auditing SSH listeners and tracking Linux container activity—highlight the increasing technical depth of attacker and defender capabilities. With international cooperation embedded in this advisory, the message to China is coordinated and clear.

FROM THE MEDIA: The guide details the actors' tradecraft, including exploitation of known vulnerabilities such as CVE-2023-20198 (Cisco IOS XE), CVE-2024-21887 (Ivanti Connect Secure), and CVE-2024-3400 (Palo Alto PAN-OS). Its detection guidance covers configuration auditing, detection of unauthorized packet capture, container monitoring, and monitoring of TACACS+/RADIUS traffic for signs of credential abuse. CISA urges network defenders to implement VRF-based management isolation, enforce secure logging, disable unused services, and adopt MITRE D3FEND techniques. This joint initiative by agencies across North America, Europe, and Asia-Pacific underscores a shared commitment to countering the Chinese government's long-term cyber infiltration of critical global infrastructure.
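As an added example (not code from the CISA guide or from this newsletter), the script below audits a saved Cisco IOS XE running-config for the categories the guide names above and in the first story: unused services such as the web UI (the surface behind CVE-2023-20198), IOx container hosting, VTY/SSH listener hygiene, remote logging, VRF-based management isolation, and local privilege-15 accounts. The check names, severities and both sample configs are assumptions chosen for illustration; the guide's own detection playbooks are not reproduced here.

```python
"""Audit a saved Cisco IOS XE running-config for the hardening gaps the guide names.
Added example: check names, severities and sample configs are assumptions for illustration."""
import re
from dataclasses import dataclass, field


@dataclass
class Block:
    header: str                                  # top-level config line
    children: list = field(default_factory=list) # its indented sub-lines


def parse_ios_config(text):
    """Split IOS-style config text into top-level blocks; '!' separators and blanks are dropped."""
    blocks = []
    for raw in text.splitlines():
        if not raw.strip() or raw.strip() == "!":
            continue
        if raw.startswith(" ") and blocks:  # indented line belongs to the previous block
            blocks[-1].children.append(raw.strip())
        else:
            blocks.append(Block(raw.strip()))
    return blocks


def audit(text):
    """Return (code, severity, message) findings; 'high' = fix, 'review' = confirm with operators."""
    blocks = parse_ios_config(text)
    headers = [b.header for b in blocks]
    findings = []

    def add(code, severity, msg):
        findings.append((code, severity, msg))
    # Unused services: the web UI is the surface behind CVE-2023-20198.
    if any(h in ("ip http server", "ip http secure-server") for h in headers):
        add("WEBUI_ENABLED", "high", "HTTP(S) web UI enabled; disable it unless required")
    # Container monitoring: IOx/app-hosting is an on-box Linux environment to inventory.
    if "iox" in headers or any(h.startswith("app-hosting appid") for h in headers):
        add("CONTAINER_HOSTING", "review", "IOx/app-hosting configured; confirm each app is sanctioned")
    # Secure logging: without 'logging host' nothing reaches the collector.
    if not any(h.startswith("logging host") for h in headers):
        add("NO_REMOTE_LOGGING", "high", "no remote syslog destination configured")
    # SSH listener hygiene: VTY lines must be SSH-only and source-restricted.
    for b in blocks:
        if not b.header.startswith("line vty"):
            continue
        transports = [c for c in b.children if c.startswith("transport input")]
        if not transports or any("telnet" in t or t.endswith(" all") for t in transports):
            add("VTY_INSECURE_TRANSPORT", "high", f"{b.header}: transport input is not SSH-only")
        if not any(c.startswith("access-class") for c in b.children):
            add("VTY_NO_ACL", "high", f"{b.header}: no access-class restricting sources")
    if "ip ssh version 2" not in headers:
        add("SSH_V1_ALLOWED", "high", "'ip ssh version 2' not set")
    # Management isolation: a VRF must be defined and actually bound to an interface.
    defined = {h.split()[-1] for h in headers if h.startswith("vrf definition")}
    bound = {c.split()[-1] for b in blocks if b.header.startswith("interface")
             for c in b.children if c.startswith("vrf forwarding")}
    if not defined & bound:
        add("NO_MGMT_VRF", "high", "no VRF is both defined and bound to an interface")
    # Local privilege-15 accounts: list every one for human review.
    for user in re.findall(r"^username (\S+) privilege 15\b", text, re.M):
        add("PRIV15_USER", "review", f"local user {user!r} has privilege 15; confirm it is expected")
    return findings


# Constructed sample: a weakly configured edge router (web UI on, IOx on, Telnet, no remote log).
WEAK_CONFIG = """\
ip http server
ip http secure-server
iox
app-hosting appid guestshell
 app-vnic management guest-interface 0
vrf definition Mgmt-intf
 address-family ipv4
logging buffered 64000
username svc_backup privilege 15 secret 9 $9$sample1
username netops privilege 15 secret 9 $9$sample2
interface GigabitEthernet0
 vrf forwarding Mgmt-intf
 ip address 192.0.2.10 255.255.255.0
line vty 0 4
 transport input telnet ssh
end
"""

# Constructed sample: the same device after hardening; only the priv-15 review item remains.
HARDENED_CONFIG = """\
no ip http server
no ip http secure-server
ip ssh version 2
vrf definition Mgmt-intf
 address-family ipv4
logging host 192.0.2.50 vrf Mgmt-intf
username netops privilege 15 secret 9 $9$sample2
ip access-list standard MGMT-HOSTS
 permit 192.0.2.0 0.0.0.255
interface GigabitEthernet0
 vrf forwarding Mgmt-intf
 ip address 192.0.2.10 255.255.255.0
line vty 0 4
 access-class MGMT-HOSTS in vrf-also
 transport input ssh
end
"""

if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(name, *(f"  [{s}] {c}: {m}" for c, s, m in audit(cfg)), sep="\n")
```

A config audit only sees what is in the running-config. Embedded packet captures and an attached guest shell are exec-time state, so pair this with `show monitor capture` and `show app-hosting list` on the device, and diff the pulled config against a known-good baseline so that any line the operators did not write stands out.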

READ THE STORY: GBhackers

Beijing Denies Dutch Cyber Espionage Allegations as Intelligence Reports Point to Ongoing Threats

Bottom Line Up Front (BLUF): The Chinese Embassy in the Netherlands has rejected accusations of state-backed cyberattacks, calling the claims “groundless.” However, Dutch intelligence and defense officials assert that Chinese cyber espionage is intensifying, particularly against critical sectors such as semiconductors and aerospace.

Analyst Comments: This diplomatic denial mirrors China’s standard narrative when accused of cyber operations: deflection, victimhood, and calls for cooperation. However, the Dutch government’s consistent reporting and legislative response suggest the threat is real and recognized at the highest levels. The stakes are high, as the targeted industries are tied to national security and economic competitiveness. If the Salt Typhoon operation is substantiated as part of this pattern, it could deepen distrust and further isolate China diplomatically in Europe.

FROM THE MEDIA: A Chinese state-affiliated outlet published a statement from the Chinese Embassy in the Netherlands dismissing cyberattack allegations as “groundless.” The embassy emphasized that China is both a defender and victim of cyberattacks, calling for cooperation instead of “smearing” by Dutch authorities. This statement came months after Dutch Defence Minister Ruben Brekelmans publicly warned of rising cyber threats from China, specifically targeting the semiconductor industry. Reports from Dutch military intelligence (MIVD) in 2023 and 2024 confirmed that Chinese hackers accessed a Dutch military network and conducted espionage operations against high-tech sectors. In response, the Netherlands passed new espionage legislation in 2025, imposing harsh penalties for digital spying and explicitly referencing China as a key threat. Independent reporting from Reuters has consistently validated these concerns with supporting intelligence sources.

READ THE STORY: GT

Intel Deal Ties Chipmaker to U.S. Strategic Goals, Blocks Potential Sale of Foundry Unit

Bottom Line Up Front (BLUF): The Trump administration has converted $8.9 billion in CHIPS Act grants into a 10% equity stake in Intel, effectively anchoring the company’s struggling foundry business to U.S. national security priorities. The deal includes a clause preventing Intel from reducing its majority stake in the foundry unit for five years, deterring potential spinoffs or sales.

Analyst Comments: With Taiwan’s TSMC still dominating advanced chip production, the U.S. government is betting that backing Intel’s foundry—even at a loss—is essential for future supply chain resilience. However, the move also introduces unprecedented state influence over a major U.S. tech company. While it may fend off foreign takeovers and reassure defense customers, Intel now faces scrutiny from both regulators and shareholders over government entanglement.

FROM THE MEDIA: The deal gives the U.S. government a 10% equity stake and includes a five-year warrant for an additional 5% if Intel divests control of the foundry business. This condition aligns with national security goals, as intelligence officials reportedly convinced the DOJ that keeping the foundry under U.S. control is vital for countering China's Huawei and reducing dependence on Taiwan's TSMC. Intel lost $13 billion last year from the foundry arm and has faced investor pressure to offload it. The ousting of former CEO Pat Gelsinger, who championed the foundry push, had fueled speculation of a sale. However, the federal stake and additional investments from SoftBank and Silver Lake now secure the business under U.S. strategic influence, regardless of profitability.

READ THE STORY: FT
