China-Linked Hackers Breach Telcos via Edge Devices

A China-nexus hacking group, tracked by Cisco Talos as UAT-7290, has been breaching telecommunications providers by exploiting vulnerabilities in edge network devices: routers and similar perimeter gear exposed to the internet. The activity is detailed in a newly published Cisco Talos report.

  • The attackers perform deep reconnaissance on targets, then use a mix of one-day exploits (exploits for recently disclosed vulnerabilities that have a fix available but have not yet been patched on the target) and SSH brute-force attacks to take over internet-facing edge devices.
  • Once inside, they deploy Linux-based malware such as RushDrop, DriveSwitch, and SilentRaid to maintain and escalate access.
  • They also turn compromised devices into Operational Relay Boxes (ORBs): relay infrastructure that can be handed to other China-aligned threat actors for further exploitation.
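The SSH brute-force step described above is the one most operators can catch from logs they already collect. The following is an added example, not code from the Talos report or from Cisco, showing a simple detector run over constructed sshd log lines: it counts failed logins per source address inside a sliding window and separately flags any successful login from a source that has already crossed the threshold, since "burst of failures, then a success" is the signature of a guessed credential. The log lines, the hostname, the addresses (RFC 5737 documentation ranges), the year assumed for the year-less syslog timestamps, and the threshold and window values are all assumptions chosen for the example.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample sshd log lines (invented for this example; not from the
# Talos report or any real device). 198.51.100.23 hammers common device accounts
# and then logs in; 203.0.113.7 is a legitimate operator who mistyped once.
SAMPLE_LOG = """\
Jun 12 03:14:01 edge-rtr1 sshd[4021]: Failed password for invalid user admin from 198.51.100.23 port 51002 ssh2
Jun 12 03:14:03 edge-rtr1 sshd[4023]: Failed password for invalid user cisco from 198.51.100.23 port 51010 ssh2
Jun 12 03:14:04 edge-rtr1 sshd[4025]: Failed password for root from 198.51.100.23 port 51014 ssh2
Jun 12 03:14:06 edge-rtr1 sshd[4027]: Failed password for invalid user support from 198.51.100.23 port 51020 ssh2
Jun 12 03:14:07 edge-rtr1 sshd[4029]: Failed password for invalid user ubnt from 198.51.100.23 port 51031 ssh2
Jun 12 03:14:09 edge-rtr1 sshd[4031]: Accepted password for netops from 198.51.100.23 port 51044 ssh2
Jun 12 03:20:15 edge-rtr1 sshd[4102]: Failed password for netops from 203.0.113.7 port 40122 ssh2
Jun 12 03:31:40 edge-rtr1 sshd[4150]: Accepted publickey for netops from 203.0.113.7 port 40180 ssh2
"""

# Matches the OpenSSH "Failed/Accepted <method> for [invalid user] <user> from <ip> port <n>" form.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) (?:password|publickey) for "
    r"(?:invalid user )?(?P<user>\S+) from (?P<ip>\S+) port \d+"
)

LOG_YEAR = 2025  # assumption: classic syslog timestamps carry no year


def parse_line(line):
    """Return (timestamp, result, user, ip) for an auth line, or None if it is not one."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(f"{LOG_YEAR} {m['ts']}", "%Y %b %d %H:%M:%S")
    return ts, m["result"], m["user"], m["ip"]


def analyze(log_text, threshold=5, window=timedelta(seconds=60)):
    """Scan sshd log text for brute-force sources.

    Returns (brute_force, suspicious_logins):
      brute_force       dict ip -> highest number of failures seen inside one window
      suspicious_logins list of (ip, user, timestamp) for successful logins from a
                        source that had already crossed the threshold, whenever that
                        success occurs (a guessed credential is usually used later).
    """
    recent = defaultdict(deque)  # ip -> timestamps of failures still inside the window
    brute_force = {}
    suspicious_logins = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue  # unrelated syslog line
        ts, result, user, ip = rec
        if result == "Failed":
            q = recent[ip]
            q.append(ts)
            while q and ts - q[0] > window:  # slide the window forward
                q.popleft()
            if len(q) >= threshold:
                brute_force[ip] = max(brute_force.get(ip, 0), len(q))
        elif ip in brute_force:
            suspicious_logins.append((ip, user, ts))
    return brute_force, suspicious_logins


if __name__ == "__main__":
    sources, logins = analyze(SAMPLE_LOG)
    for ip, n in sources.items():
        print(f"brute-force source {ip}: {n} failures within the window")
    for ip, user, ts in logins:
        print(f"ALERT: successful login as {user} from flagged source {ip} at {ts}")
```

On real edge gear the same logic applies to whatever the device exports (syslog from IOS/Junos/etc. uses different message text, so the regex is the part to adapt); the point is that the success-after-burst alert should page someone, because by that time the device is already under attacker control.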

Broader Context of Chinese State-Linked Cyber Espionage

This activity fits within a long-running global espionage campaign by China-linked threat actors:

  • A group widely referred to as Salt Typhoon has been targeting telecom providers, infrastructure, government, and other critical sectors worldwide by exploiting known vulnerabilities in routers and other network gear.
  • International cybersecurity agencies (from the U.S., Canada, Europe, Japan, and others) have issued joint warnings about these campaigns, highlighting persistent access to, and data siphoning from, compromised network equipment.
  • Earlier incidents attributed to China-linked actors involved widespread, long-term compromises of major telcos and critical infrastructure operators across multiple regions.

Why edge network devices matter

Edge devices—such as provider and customer edge routers—are critical because they:

  • Sit at the boundary between internal networks and the wider internet, making them powerful entry points when compromised.
  • Often run firmware with little logging, no endpoint agent, and limited monitoring, allowing attackers to stay hidden for long periods.
  • Support advanced persistence techniques like manipulating routing, opening covert tunnels, and acting as stepping stones deeper into corporate or national networks.

Implications

Espionage and surveillance:
Cybersecurity authorities warn these breaches may enable long-term monitoring of communications and movement, not just transient theft of data.

Wider targeting:
Although these campaigns have heavily hit telecommunications companies, other sectors—including government, transportation, and lodging—have also been affected or probed.

Persistent threat:
Attackers tend to maintain access for extended periods, often evading detection for months.