A sweeping international advisory issued in August 2025 casts a harsh spotlight on the escalating threat of Chinese cyber espionage. The document, endorsed by an alliance of intelligence agencies from the United States and the other Five Eyes nations (Australia, Canada, the UK, and New Zealand), as well as Germany, Italy, Japan, and others, accuses three Chinese technology firms of actively supporting cyber operations on behalf of China’s government.
The advisory points to a persistent state-sponsored threat characterized by sophisticated espionage campaigns, systemic infiltration of global telecommunications infrastructure, and the exploitation of zero-click vulnerabilities on mobile devices. U.S. officials described these incidents as among the most damaging cyber intrusions in recent memory, prompting multi-pronged policy and infrastructure responses.
China-Linked Technology Firms Accused of Powering Cyber Espionage Campaigns
The core of the advisory lists three Chinese tech firms—Sichuan Juxinhe Network Technology, Beijing Huanyu Tianqiong Information Technology, and Sichuan Zhixin Ruijie Network Technology—as entities facilitating cyberattacks orchestrated by China’s Ministry of State Security (MSS) and the People’s Liberation Army (PLA).
Investigators tied these firms to Salt Typhoon, an advanced persistent threat (APT) group responsible for targeted exfiltration campaigns involving telecommunications data across more than 80 countries. Over 600 companies were affected, many of which operate critical infrastructure or house sensitive communications. Analysts say Salt Typhoon’s breaches involved long-term surveillance, data interception, and covert manipulation of routing protocols to siphon information undetected.
Despite Beijing’s forceful denial of involvement, U.S. intelligence officials describe Salt Typhoon’s intrusions as among the most significant cyber espionage incidents ever recorded.
Google’s Findings Show Real-Time Exploits via Edge Devices and Captive Portals
Concurrently, Google’s Threat Intelligence Group (GTIG) has warned of an active campaign led by UNC6384—a group suspected of ties to Silk Typhoon, a variant or offshoot of the Salt Typhoon collective. This campaign focuses on diplomats and global organizations, particularly across Southeast Asia.
The group employs a novel delivery vector through captive portal hijacking. By compromising edge devices such as wireless routers, VPN gateways, and firewalls, attackers redirect unsuspecting users connected to public Wi-Fi to malicious landing pages disguised as software update prompts. Victims are prompted to download malware mimicking legitimate Adobe plugins.
Payloads like CANONSTAGER and SOGU.SEC are installed via MSI packages, with the latter functioning as a backdoor that grants persistent remote access. The attack was initially detected in March 2025, prompting Google to push immediate alerts to affected Gmail and Workspace customers.
This campaign underscores the agility of China-backed cyber actors, who are extending their targeting beyond static endpoints to transient network positions, such as a captive-portal session on public Wi-Fi, that conventional defenses often overlook.
Smartphone Exploits Show Limits of Current Mobile Cybersecurity
In a separate but related warning, mobile device integrity has come under renewed scrutiny after cybersecurity firm iVerify found evidence suggesting non-interactive (zero-click) infiltration of smartphones belonging to politically sensitive individuals. U.S. authorities suspect that these attacks originate from Chinese intelligence services and may have targeted personnel involved in the 2024 Trump campaign.
Experts warn that mobile phones—due to their high user privileges, sensors, and constant connectivity—represent fertile ground for cyber exploitation. Attackers can gain unauthorized access to contacts, messages, and other personal data, often without the target ever realizing a breach has occurred.
These details lend weight to calls from national security professionals and technology leaders for enhanced security by design in mobile operating systems and applications. Without sweeping improvements, mobile systems risk becoming the weakest link in state-level cybersecurity posture.
U.S. Federal Communications Commission Moves to Secure Submarine Cable Infrastructure
On the infrastructure front, the Federal Communications Commission (FCC) has announced plans to restrict Chinese firms from building, operating, or supplying components for submarine communication cables that connect to America’s internet backbone. These underwater systems, which carry approximately 99% of global internet traffic, are now considered high-priority objectives in securing digital sovereignty.
Companies such as Huawei, HMN Tech, China Telecom, and China Unicom face potential bans under the new rule. The FCC has paired this move with a complementary fast-track licensing system for U.S. tech companies—like Microsoft, Amazon, and Google—that meet stringent security benchmarks.
The initiative aligns directly with the “America First Investment Policy” and broader strategies to decouple critical infrastructure from hostile foreign influence. Analysts believe this marks the beginning of a shift toward digital infrastructure nationalism.
Expanding the Response to State-Sponsored Cyber Threats
The Salt Typhoon campaign has already infiltrated at least nine U.S. telecommunications firms, providing unauthorized access to private messages and call records of numerous Americans. Targets appear to include both private citizens and government officials.
In response, national security officials have advised telecom providers on identifying Chinese cyber presence within their networks and implementing detection mechanisms for lateral movement and data exfiltration attempts. The federal government is also weighing mandatory minimum cybersecurity standards across the telecommunications industry.
“Cybersecurity is now a requirement for national security, and the U.S. must act accordingly to fortify defenses,” said Deputy National Security Advisor Anne Neuberger during a recent press briefing.
Key Takeaways for Security Leaders
The multi-front nature of these cyber espionage activities, from enterprise networks to underwater cables and personal devices, reveals the sophistication and ambition of state-sponsored actors linked to China. Critical actions for cybersecurity professionals include:
- Monitor edge devices, including Wi-Fi routers and VPN endpoints, for signs of hijacked captive portals or unauthorized redirects.
- Implement endpoint detection and response (EDR) solutions tailored for mobile platforms to mitigate zero-click exploits.
- Work with telecom and service providers to audit infrastructure for indicators of Salt Typhoon intrusion methodologies.
- Follow FCC developments closely if your organization utilizes submarine cable systems or related communication channels.
- Share threat intelligence in real time with peer organizations to stay ahead of rapidly developing state-sponsored toolkits.
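The captive-portal hijack described above, together with the first takeaway (monitoring edge devices for unauthorized redirects), can be turned into concrete detection logic. The following script is an added example written for this article; it is not code from the advisory, from Google's report, or from any affected vendor. It assumes a gateway or proxy log in a constructed format (timestamp, client, method, URL, status, Location header) and an organization-run captive portal at the hypothetical host portal.wifi.example.org. The connectivity-check hostnames are the real probe endpoints that operating systems request when joining a network; the malicious hostnames and the sample log lines are constructed.

```python
"""Detect hijacked captive portals and unauthorized redirects in gateway HTTP logs.

Added example for illustration; the log format, allow-list and sample
hostnames are constructed and not taken from the advisory.
"""
import re
from urllib.parse import urlparse

# Real OS connectivity-check endpoints. A legitimate captive portal intercepts
# these until the user has authenticated, so a redirect here is expected,
# but only to the organisation's own portal.
CONNECTIVITY_CHECK_HOSTS = {
    "connectivitycheck.gstatic.com",
    "captive.apple.com",
    "www.msftconnecttest.com",
    "detectportal.firefox.com",
}

# Assumption: the organisation runs a single captive portal at this host.
ALLOWED_PORTAL_HOSTS = {"portal.wifi.example.org"}

# Constructed log lines: timestamp client method url status location
# ("-" means the response carried no Location header).
SAMPLE_LOG = """\
2025-03-04T09:12:01Z 10.20.0.17 GET http://connectivitycheck.gstatic.com/generate_204 302 https://portal.wifi.example.org/login
2025-03-04T09:12:02Z 10.20.0.17 GET https://portal.wifi.example.org/login 200 -
2025-03-04T09:14:10Z 10.20.0.23 GET http://captive.apple.com/hotspot-detect.html 302 http://update-plugin.example.net/update.html
2025-03-04T09:14:12Z 10.20.0.23 GET http://update-plugin.example.net/AdobePlugin_Update.msi 200 -
2025-03-04T09:15:00Z 10.20.0.31 GET http://www.msftconnecttest.com/connecttest.txt 200 -
2025-03-04T09:16:45Z 10.20.0.40 GET http://example.com/ 301 https://example.com/
"""

LOG_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+) (\d{3}) (\S+)$")


def parse_line(line):
    """Parse one constructed log line into a dict, or None if it does not match."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    ts, client, method, url, status, location = m.groups()
    return {
        "ts": ts, "client": client, "method": method, "url": url,
        "status": int(status),
        "location": None if location == "-" else location,
    }


def host_of(url):
    """Lower-cased hostname of a URL, or '' if it has none."""
    return (urlparse(url).hostname or "").lower()


def detect_suspicious_redirects(log_text, allowed_portal_hosts=ALLOWED_PORTAL_HOSTS):
    """Return a list of findings from the log text.

    Rule 1 (probe_redirect): a connectivity-check probe was answered with a 3xx
      whose Location host is not an allowed captive-portal host.
    Rule 2 (installer_from_redirect_target): an .msi was downloaded from a host
      that was earlier the target of such a redirect, matching the
      "fake update prompt then MSI package" pattern described in the article.
    """
    findings = []
    redirect_targets = set()
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        req_host = host_of(rec["url"])
        is_redirect = rec["location"] is not None and 300 <= rec["status"] < 400
        if is_redirect and req_host in CONNECTIVITY_CHECK_HOSTS:
            loc_host = host_of(rec["location"])
            if loc_host not in allowed_portal_hosts:
                findings.append({"ts": rec["ts"], "client": rec["client"],
                                 "rule": "probe_redirect", "host": loc_host})
                redirect_targets.add(loc_host)
        if req_host in redirect_targets and rec["url"].lower().endswith(".msi"):
            findings.append({"ts": rec["ts"], "client": rec["client"],
                             "rule": "installer_from_redirect_target",
                             "host": req_host})
    return findings


if __name__ == "__main__":
    for f in detect_suspicious_redirects(SAMPLE_LOG):
        print(f"{f['ts']} {f['client']} {f['rule']} {f['host']}")
```

Run against the sample log, the script flags only client 10.20.0.23: its Apple connectivity probe was redirected to a host outside the portal allow-list, and it then fetched an .msi from that same host. The 10.20.0.17 session redirected to the organization's own portal and the ordinary 301 on example.com produce no findings. Rule 2 keys on the redirect target host rather than the client so that a second victim downloading from the same staging host is also caught; in production the allow-list would be populated from the edge device's actual portal configuration and the log fed from the gateway rather than an inline string.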
While denials from China continue, the global cybersecurity consensus is shifting with renewed urgency. This wave of cyber espionage represents a pivot point in international relations and digital risk management alike.