Hackers employed by the Chinese government have broken into numerous major telecommunications firms around the world in a cyber-espionage campaign that has lasted at least two years, according to a new advisory from American security agencies. 

The hackers allegedly breached their targets by exploiting old and well-known critical vulnerabilities in popular networking hardware. Once they had a foothold inside their targets, the hackers used the compromised devices to gain full access to the network traffic of numerous private companies and government agencies, US officials said.

The advisory did not include the names of those affected by the campaign, nor did it detail the impact it has had. But US officials did point out the specific networking devices, such as routers and switches, that hackers in China are thought to have targeted repeatedly, exploiting severe and well-known vulnerabilities that effectively gave the attackers free rein over their targets.

“These devices are often overlooked by cyber defenders,” the American advisory warned. They “struggle to maintain and keep pace with routine software patching of Internet-facing services and endpoint devices.”

The new advisory is the latest example of a radical shift among US intelligence agencies away from a culture of silence and secrecy. The organizations now routinely speak publicly to issue cybersecurity guidance. The new document is designed to help victims detect and eject hackers who have been infiltrating their networks for years. 

And it’s something bigger, too: a warning about the need for better basic cybersecurity for some of the most important networks in the world.

High risk of attack

Telecommunication firms are extremely high-value targets for intelligence agencies. These companies build and run on most of the infrastructure of the internet as well as many private networks around the world. Successfully hacking them can mean opening doors to an even bigger world of prized spying opportunities. 

The United States has its own documented history of such attacks. The National Security Agency, for example, once infiltrated the Chinese telecom and internet giant Huawei, reportedly both to spy on the company itself and to exploit the networking and telecommunications products Huawei sells worldwide. Ironically, that operation was prompted in part by continuing American fears that Beijing could use Huawei’s hardware to spy on American interests.

In the newly reported cyber campaign, the Chinese hackers allegedly exploited networking devices from major vendors like Cisco, Citrix, and Netgear. All of the vulnerabilities were publicly known, including a five-year-old critical flaw in Netgear routers that allows attackers to bypass authentication checks and execute any code they choose—an opening that allows for a full takeover of the device and an unfettered window into the victim’s network.

The campaign’s success is a dramatic illustration of the danger software flaws pose even years after they’re discovered and made public. Zero-day attacks—hacks exploiting previously unknown weaknesses—pack a punch and demand attention. But known flaws remain potent because networks and devices can be difficult to update and secure with limited resources, personnel, and money.

Rob Joyce, a senior National Security Agency official, explained that the advisory was meant to give  step-by-step instructions on finding and expelling the hackers. “To kick [the Chinese hackers] out, we must understand the tradecraft and detect them beyond just initial access,” he tweeted.

Joyce echoed the advisory, which directed telecom firms to enact basic cybersecurity practices like keeping key systems up to date, enabling multifactor authentication, and reducing the exposure of internal networks to the internet.

According to the advisory, the Chinese espionage typically began with the hackers using open-source scanning tools like RouterSploit and RouterScan to survey the target networks and learn the makes, models, versions, and known vulnerabilities of the routers and networking devices. 

With that knowledge, the hackers were able to use old but unfixed vulnerabilities to access the network and, from there, break into the servers providing authentication and identification for targeted organizations. They stole usernames and passwords, reconfigured routers, and successfully exfiltrated the targeted network’s traffic and copied it to their own machines. With these tactics, they were able to spy on virtually everything going on inside the organizations. 

The hackers then turned around and deleted log files on every machine they touched in an attempt to destroy evidence of the attack. US officials didn’t explain how they ultimately found out about the hacks despite the attackers’ attempts to cover their tracks.

The Americans also omitted details on exactly which hacking groups they are accusing, as well as the evidence they have that indicates the Chinese government is responsible.

The advisory is yet another alarm the United States has raised about China. FBI deputy director Paul Abbate said in a recent speech that China “conducts more cyber intrusions than all other nations in the world combined.” When asked about this report, a spokesperson from the Chinese embassy in Washington DC denied that China engages in any hacking campaigns against other countries.

This story has been updated with comment from the Chinese embassy in Washington.