When Dr. Richard Horne, Chief Executive of the National Cyber Security Centre (NCSC), stepped onto the stage in Cheltenham on August 28, 2025, the world got its first coordinated, multinational attribution of a sprawling Chinese‑backed cyber campaign. The advisory, released jointly with twelve allied nations, named three China‑based technology firms as the architects of a systematic intrusion effort that has gnawed at governments, telecoms, transport hubs and even hotels since at least January 2021. Why it matters: the campaign exploits flaws that have been patched for years, meaning a massive swath of critical infrastructure could have been protected with routine updates.
Historical Context: A Pattern of State‑Linked Intrusions
Britain’s cyber‑defence community has been sounding the alarm for over a decade. Earlier, in September 2024, the NCSC exposed a covert network run by Integrity Technology, another China‑linked outfit targeting European research labs. That revelation set a precedent: Chinese state‑aligned firms are not just selling hardware; they are fielding services that enable intelligence agencies to harvest data at scale.
The current advisory builds on that narrative. It links the three newly named firms—Sichuan Juxinhe Network Technology Co Ltd, Beijing Huanyu Tianqiong Information Technology Co and Sichuan Zhixin Ruijie Network Technology Co Ltd—to a threat ecosystem previously catalogued by private researchers as "Salt Typhoon." While there are technical overlaps, the NCSC stresses this is a distinct commercial cyber‑economy operating with direct ties to Chinese intelligence services.
Technical Details: How the Intruders Gained a Foothold
According to the joint advisory, the actors focused on outdated firmware in firewalls and VPN appliances. Two vulnerabilities dominate the report:
- CVE-2023-20269 – the Cisco Smart Install client flaw, exploitable since early 2023.
- CVE-2021-22893 – a Pulse Connect Secure issue patched in late 2021.
What’s striking is the timing. Paul Chichester, Technical Director of the NCSC, noted that “97.3 % of observed intrusions exploited vulnerabilities for which patches had been available for 18 months or longer.” In plain English: most breaches were preventable.
Attackers also leveraged compromised SSL certificates and forged VPN client certificates, allowing them to masquerade as legitimate users. The advisory lists two IP addresses frequently seen in the activity—185.163.24.102 (Netherlands) and 45.144.133.115 (Russia)—as beacons for further lateral movement.
Global Response: Twelve Nations Unite
The joint statement came from the United Kingdom, United States, Australia, Canada, New Zealand, Czech Republic, Finland, Germany, Italy, Japan, Netherlands, Poland and Spain. It marks the first time this specific threat group has been collectively identified by such a broad coalition. Each partner pledged to share indicators of compromise (IOCs) and to synchronize mitigation advice.
Key steps urged for all critical‑infrastructure operators include:
- Auditing firewall logs for connections to the listed malicious IPs.
- Revoking any VPN client certificates not tied to a current, verified user.
- Scanning for anomalous SSL certificate issuance patterns.
- Applying the NCSC’s “10 Steps to Cyber Security” framework with immediate effect, especially network segmentation and privileged‑access management.
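The first three steps above (auditing firewall logs for the two listed IPs, revoking VPN client certificates without a current verified user, and looking for anomalous certificate issuance) can be scripted as a first-pass triage. The following Python is an added example written for this summary; it is not code from the NCSC or from the advisory. The log format, the certificate inventory tuples, the active-user roster and the burst threshold are all assumptions, and the log lines and certificate records are constructed sample data. Only the two IP addresses come from the text above.

```python
"""Added example: first-pass triage for the mitigation steps listed above.
Log format, certificate inventory and roster are hypothetical; sample data is constructed."""
from collections import defaultdict
from datetime import datetime, timedelta
import re

# The two addresses quoted in the advisory summary above.
ADVISORY_IPS = {"185.163.24.102", "45.144.133.115"}

# Constructed firewall log lines in an assumed key=value syslog style.
SAMPLE_FW_LOG = """\
2025-08-20T03:14:07Z fw01 action=allow src=10.20.4.17 dst=185.163.24.102 dport=443 proto=tcp
2025-08-20T03:14:09Z fw01 action=allow src=10.20.4.17 dst=142.250.74.46 dport=443 proto=tcp
2025-08-20T03:15:30Z fw01 action=deny src=10.20.9.8 dst=45.144.133.115 dport=8443 proto=tcp
2025-08-20T03:16:02Z fw01 action=allow src=10.20.4.17 dst=45.144.133.115 dport=443 proto=tcp
this line is malformed and must be skipped, not crash the parser
"""

LOG_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<host>\S+)\s+action=(?P<action>\w+)\s+src=(?P<src>\S+)\s+"
    r"dst=(?P<dst>\S+)\s+dport=(?P<dport>\d+)\s+proto=(?P<proto>\w+)$"
)


def find_advisory_ip_hits(log_text, watchlist=ADVISORY_IPS):
    """Return one record per line whose src or dst is on the watchlist.
    Denied connections are kept on purpose: a blocked attempt still tells you
    which internal host tried to reach the address and needs a closer look."""
    hits = []
    for line in log_text.splitlines():
        match = LOG_RE.match(line.strip())
        if not match:          # malformed line: skip rather than abort the sweep
            continue
        rec = match.groupdict()
        if rec["dst"] in watchlist or rec["src"] in watchlist:
            hits.append(rec)
    return hits


def internal_hosts_by_beacon(hits):
    """Group the internal source addresses seen talking to each listed IP."""
    by_ip = defaultdict(set)
    for rec in hits:
        by_ip[rec["dst"]].add(rec["src"])
    return dict(by_ip)


# Constructed inventory of issued VPN client certificates: (serial, subject CN, issued-at).
SAMPLE_CERTS = [
    ("1001", "alice", "2025-06-01T09:00:00Z"),
    ("1002", "bob", "2025-06-01T09:05:00Z"),
    ("1003", "svc-backup", "2025-07-14T02:11:00Z"),   # no matching verified user
    ("1004", "carol", "2025-07-14T02:12:00Z"),
    ("1005", "carol", "2025-07-14T02:13:00Z"),        # three certs in three minutes
    ("1006", "carol", "2025-07-14T02:14:00Z"),
]
ACTIVE_USERS = {"alice", "bob", "carol"}   # assumed identity-provider export


def certs_to_revoke(certs, active_users):
    """Serials of certificates whose subject is not a current, verified user."""
    return [serial for serial, cn, _ in certs if cn not in active_users]


def issuance_bursts(certs, window=timedelta(minutes=10), threshold=3):
    """Subjects that received `threshold` or more certificates inside one `window`.
    A burst of re-issuance for one identity is one simple anomaly signal;
    the threshold and window are assumptions to tune against your own CA history."""
    by_cn = defaultdict(list)
    for _, cn, issued in certs:
        by_cn[cn].append(datetime.strptime(issued, "%Y-%m-%dT%H:%M:%SZ"))
    flagged = {}
    for cn, times in by_cn.items():
        times.sort()
        for i, start in enumerate(times):
            count = sum(1 for t in times[i:] if t - start <= window)
            if count >= threshold:
                flagged[cn] = count
                break
    return flagged


if __name__ == "__main__":
    hits = find_advisory_ip_hits(SAMPLE_FW_LOG)
    for ip, hosts in internal_hosts_by_beacon(hits).items():
        print(f"{ip}: contacted by {sorted(hosts)}")
    print("revoke:", certs_to_revoke(SAMPLE_CERTS, ACTIVE_USERS))
    print("issuance bursts:", issuance_bursts(SAMPLE_CERTS))
```

On the constructed data the sweep reports both listed IPs, attributes them to the internal hosts 10.20.4.17 and 10.20.9.8, marks serial 1003 for revocation, and flags the three certificates issued to carol within ten minutes. Replace the sample inputs with a real firewall export, a CA issuance log and an identity-provider user list; the regular expression will need adapting to the vendor's actual log format.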
Organizations are asked to report any suspected breach to their national cyber‑security authority by September 15, 2025. The NCSC has launched a dedicated portal (https://www.ncsc.gov.uk/salttyphoon-2025) for streamlined incident reporting.

Impact Assessment: Why the World Should Care
The advisory flags intrusion attempts across five sectors: government, telecommunications, transportation, hospitality and the military. In the United Kingdom, a spike of malicious traffic was recorded between Q3 2023 and Q2 2025, affecting rail signalling systems and a handful of defence‑related research facilities.
While the full data haul remains classified, analysts warn that compromised networks could give Chinese intelligence the ability to map communications and track the movement of personnel and cargo on a global scale. The potential spill‑over into supply‑chain security, especially for critical‑goods transport, is a concern echoed by European Union officials.
Looking Ahead: What Comes Next?
For the NCSC, this advisory is not a final chapter but a call to ongoing vigilance. Future plans include a series of tabletop exercises with the twelve partner nations, aimed at testing joint response capabilities against a simulated wave of ransomware‑laden attacks launched from the same supply‑chain foothold.
Experts also predict an escalation in “commercial espionage‑as‑a‑service” models, where state‑aligned firms package intrusion tools for resale to other actors. Monitoring the evolution of such business models will be crucial for policymakers who must balance sanctions, export controls and diplomatic engagement with China.

Key Facts
- Date of advisory: 28 August 2025 (11:05 UTC)
Frequently Asked Questions
What types of organisations are most at risk?
Critical‑infrastructure operators in the United Kingdom’s 13 national‑risk sectors—especially government ministries, telecom providers, rail operators, major hotel chains and defence contractors—are the primary targets. The advisory notes that similar intrusions have been observed in comparable entities across the United States, Australia and several EU states.
How did the attackers manage to breach so many networks?
They leveraged unpatched firmware bugs in widely deployed firewall and VPN appliances. By inserting forged SSL certificates and hijacked VPN client credentials, the actors could move laterally inside networks, often remaining undetected for months.
What immediate steps should businesses take?
Apply the available patches for CVE-2023-20269 and CVE-2021-22893, audit firewall logs for traffic to the listed malicious IPs, revoke any VPN certificates that cannot be verified, and run a certificate‑validation sweep for anomalous SSL issuances. Following the NCSC’s “10 Steps to Cyber Security” framework is also advised.
Why are twelve nations cooperating on this disclosure?
The threat group operates across borders, exploiting the same vulnerabilities in networks worldwide. A coordinated attribution helps share indicators of compromise, harmonise defensive measures and send a united diplomatic signal to Beijing about the unacceptable nature of state‑aligned cyber‑espionage.
What could happen if the campaign continues unchecked?
Beyond data theft, compromised transport and military systems could be used to monitor troop movements, disrupt logistics chains or even manipulate critical‑infrastructure controls. In the worst case, adversaries could orchestrate coordinated attacks that ripple across global supply networks.