The Federal Bureau of Investigation (FBI) released this FBI Liaison Alert System (FLASH) to disseminate indicators of compromise (IOCs) and tactics, techniques, and procedures (TTPs) associated with the 5Socks and Anyproxy cybercriminal services, whose malware targets end-of-life (EOL) routers.
Threat actors exploit known vulnerabilities to compromise EOL routers, install malware, and use the routers in a botnet they control to launch coordinated attacks or sell access to the devices as proxy services. The FBI recommends users replace compromised devices with newer models or prevent infection by disabling remote administration and rebooting the router.
This FBI FLASH provides technical details, IOCs, and recommended mitigations, and is being provided to assist agencies and organizations in guarding against the persistent malicious actions of cybercriminals.
Since 2019, GuLoader has been active as a downloader, spreading through spam campaigns with malicious attachments. To evade detection, it downloads encrypted payloads typically from genuine file-sharing websites, such as Google Drive or Microsoft OneDrive. Once installed, the malware attempts to establish persistence by modifying system settings, creating registry entries, and adding itself to startup items.
Since the beginning of 2025, the NJCCIC’s email security solution has observed multiple GuLoader campaigns alternately delivering Snake Keylogger and Remcos remote access tool (RAT) to gain remote access, exfiltrate data, and deploy ransomware. The latest wave of GuLoader campaigns delivers Remcos RAT. It incorporates various themes such as new orders, quotations, purchase orders, invoices, product inquiries, scheduled shipments, packages out for delivery, and updated statements of accounts. These messages contain attached SCR, RAR, ZIP, or ARJ compressed executables that leverage GuLoader to download and install Remcos RAT. Once installed, Remcos RAT logs keystrokes online and offline, captures video and pictures via camera and microphone, and more.
Recommendations
Refrain from responding to unsolicited communications, clicking links, or opening attachments from unknown senders.
Exercise caution with communications from known senders.
Confirm requests from senders via contact information obtained from verified and official sources.
Navigate to official websites by typing official website URLs into browsers manually and only submit account credentials and sensitive information on official websites.
Use strong, unique passwords for all accounts and enable multi-factor authentication (MFA) where available, choosing authentication apps or hardware tokens over SMS text-based codes.
Keep systems up to date and apply patches after appropriate testing.
Run updated and reputable anti-virus or anti-malware programs.
Report malicious cyber activity to the FBI’s IC3 and the NJCCIC.
The NJCCIC observed an uptick in employment scams that target and exploit individuals seeking employment. Threat actors first perform reconnaissance on their targets, gathering information from various sources, such as past data breaches, publicly disclosed data, social media profiles, and data purchased on the dark web. They communicate with their targets via emails, text messages, WhatsApp, or Telegram to initiate conversations about purported job opportunities created from legitimate job postings. They may also create and post fraudulent job postings or profiles through trusted professional online employment boards and websites, such as LinkedIn, CareerBuilder, Indeed, and Monster, or via social media platforms like Facebook. They typically impersonate legitimate employers and recruiters and spoof legitimate domains. The threat actors express interest in the target’s compatibility for a vacant position and attempt to ascertain the target’s willingness to explore the opportunity further.
The NJCCIC’s email security solution detected an employment scam in which threat actors use the legitimate Xero platform to create a trial organization to quickly send large amounts of spam emails before they are detected and shut down. In the above campaign, the threat actors impersonate Coca-Cola and incorporate their branding. The email contains a link with the Coca-Cola name in the URL, but it does not direct to Coca-Cola’s official website. Instead, it directs the target to a malicious website that prompts them to update their browser. If clicked and installed, sensitive information and devices may be at risk.
Threat actors also impersonate legitimate employers and recruiters through multiple random text messages in the hope that their target is an interested job seeker. In the above campaign, the text message outlines the position’s benefits, including remote work, flexible hours, and a potential average daily pay ranging from $300 to $900 or more. To avoid detection, they often request to continue the conversation on a chat platform like WhatsApp or Telegram. Legitimate employers do not typically request that applicants communicate or send information through instant messaging platforms.
The NJCCIC also received multiple reports of threat actors creating fake profiles on LinkedIn, impersonating employers and recruiters, and sending direct messages to potential victims regarding fraudulent job postings. The emails request interested targets to provide their email addresses and resumes. If there is no response, the threat actors sometimes attempt to contact their targets via email and phone.
Once contact with a target in these employment scams is established, the threat actors often request information as part of the application process or job offer. They intend to steal personally identifiable information (PII) or monetary funds, potentially committing identity theft and launching other cyberattacks. They may conduct fake online interviews to inquire about work experience, salary expectations, and other typical employment concerns. Threat actors may ask for personal information or request their target to pay processing or application fees, training, or background checks. They may also send fraudulent invoices for equipment, with instructions to pay using cash, Zelle, or PayPal and a promise of reimbursement. In some instances, they also partake in fraudulent check scams via mail to cover all or a portion of the job-related fees or expenses. Until the fraudulent check supposedly clears, threat actors pressure their targets to start the job immediately and insist they front the money, resulting in monetary losses.
Key suspicious indicators of employment scams include vagueness from the purported employer or recruiter about the position, the job sounding “too good to be true,” and upfront requests for personal and financial information, such as a Social Security number, a driver’s license number, or banking information for direct deposits. Threat actors may also create urgency to respond or accept a job offer. The use of unofficial communication methods, including personal email accounts, non-company email domains, teleconferencing applications, and apps like WhatsApp, Telegram, Signal, or Wire, is also a red flag.
Besides targeting job seekers, threat actors also target corporate human resources departments and recruiters to steal account credentials and funds. They abuse legitimate message services and job platforms to apply for real jobs. Researchers discovered the financially motivated Venom Spider threat group sending spearphishing emails to the hiring manager or recruiter. These emails contain links directing them to download the purported resume from an external website. The threat actors insert a CAPTCHA box to create legitimacy and bypass security controls. They then drop a backdoor called More_eggs and use server polymorphism to deliver the payloads and evade detection and analysis.
Recommendations
Refrain from clicking links and opening attachments from unknown senders, and exercise caution with communications from known senders.
Examine potential offers by contacting the company’s human resources department directly via official contact information and researching potential employers online to determine if others have reported a scam.
Navigate to websites directly for authentic job postings by manually typing the URL into a browser instead of clicking on links delivered in communications to ensure the visited websites are legitimate.
Refrain from contacting or clicking on unknown telephone numbers found in unsolicited messages or pop-up notifications.
Avoid downloading software at the request of unknown individuals, and refrain from divulging sensitive information or providing funds.
Review additional information on job scams on the FTC’s website.
Report malicious cyber activity to the FTC, the FBI’s IC3, and the NJCCIC.
If victimized, report the scam directly to the respective employer or employment listing service.
If PII compromise is suspected or detected, contact your local law enforcement department and review the Identity Theft and Compromised PII NJCCIC Informational Report for additional recommendations and resources.
Multiple vulnerabilities have been discovered in Microsoft products, the most severe of which could allow for remote code execution in the context of the logged on user. Depending on the privileges associated with the user, an attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. Users whose accounts are configured to have fewer user rights on the system could be less impacted than those who operate with administrative user rights.
THREAT INTELLIGENCE: There are currently no reports of these vulnerabilities being exploited in the wild.
SYSTEMS AFFECTED:
Visual Studio Code
Windows Kernel
.NET, Visual Studio, and Build Tools for Visual Studio
Remote Desktop Gateway Service
Microsoft Defender for Endpoint
Microsoft Defender for Identity
Windows Secure Kernel Mode
Windows Hardware Lab Kit
Azure DevOps
Microsoft Edge (Chromium-based)
Microsoft Dataverse
Azure Automation
Windows Trusted Runtime Interface Driver
Windows Routing and Remote Access Service (RRAS)
Windows Virtual Machine Bus
Windows Installer
Windows Drivers
Windows File Server
Windows Media
Universal Print Management Service
UrlMon
Windows LDAP – Lightweight Directory Access Protocol
Role: Windows Hyper-V
Windows SMB
Windows Deployment Services
Windows Remote Desktop
Active Directory Certificate Services (AD CS)
Windows Fundamentals
Microsoft Brokering File System
Web Threat Defense (WTD.sys)
Azure Storage Resource Provider
Azure File Sync
Microsoft PC Manager
Microsoft Office SharePoint
Microsoft Office Excel
Microsoft Office PowerPoint
Microsoft Office
Windows Common Log File System Driver
Azure
Windows Win32K – GRFX
Microsoft Scripting Engine
Windows DWM
Visual Studio
Microsoft Office Outlook
Windows NTFS
Windows Ancillary Function Driver for WinSock
Microsoft Power Apps
RISK: Government:
Large and medium government entities: High
Small government entities: Medium
Businesses:
Large and medium business entities: High
Small business entities: Medium
Home users: Low
TECHNICAL SUMMARY: Multiple vulnerabilities have been discovered in Microsoft products, the most severe of which could allow for remote code execution.
A full list of all vulnerabilities can be found in the Microsoft link in the References section.
Successful exploitation of the most severe of these vulnerabilities could result in an attacker gaining the same privileges as the logged-on user. Depending on the privileges associated with the user, an attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. Users whose accounts are configured to have fewer user rights on the system could be less impacted than those who operate with administrative user rights.
RECOMMENDATIONS: We recommend the following actions be taken:
Apply appropriate patches or appropriate mitigations provided by Microsoft to vulnerable systems immediately after appropriate testing. (M1051: Update Software)
Safeguard 7.1: Establish and Maintain a Vulnerability Management Process: Establish and maintain a documented vulnerability management process for enterprise assets. Review and update documentation annually, or when significant enterprise changes occur that could impact this Safeguard.
Safeguard 7.4: Perform Automated Application Patch Management: Perform application updates on enterprise assets through automated patch management on a monthly, or more frequent, basis.
Apply the Principle of Least Privilege to all systems and services and run all software as a non-privileged user (one without administrative rights) to diminish the effects of a successful attack. (M1026: Privileged Account Management)
Safeguard 4.7: Manage Default Accounts on Enterprise Assets and Software: Manage default accounts on enterprise assets and software, such as root, administrator, and other pre-configured vendor accounts. Example implementations can include: disabling default accounts or making them unusable.
Safeguard 5.4: Restrict Administrator Privileges to Dedicated Administrator Accounts: Restrict administrator privileges to dedicated administrator accounts on enterprise assets. Conduct general computing activities, such as internet browsing, email, and productivity suite use, from the user’s primary, non-privileged account.
Remind all users not to visit untrusted websites or follow links/open files provided by unknown or untrusted sources. (M1017: User Training)
Safeguard 14.1: Establish and Maintain a Security Awareness Program: Establish and maintain a security awareness program. The purpose of a security awareness program is to educate the enterprise’s workforce on how to interact with enterprise assets and data in a secure manner. Conduct training at hire and, at a minimum, annually. Review and update content annually, or when significant enterprise changes occur that could impact this Safeguard.
Safeguard 14.2: Train Workforce Members to Recognize Social Engineering Attacks: Train workforce members to recognize social engineering attacks, such as phishing, pre-texting, and tailgating.
Use capabilities to prevent suspicious behavior patterns from occurring on endpoint systems. This could include suspicious process, file, API call, etc. behavior. (M1040: Behavior Prevention on Endpoint)
Safeguard 13.2: Deploy a Host-Based Intrusion Detection Solution: Deploy a host-based intrusion detection solution on enterprise assets, where appropriate and/or supported.
Safeguard 13.7: Deploy a Host-Based Intrusion Prevention Solution: Deploy a host-based intrusion prevention solution on enterprise assets, where appropriate and/or supported. Example implementations include use of an Endpoint Detection and Response (EDR) client or host-based IPS agent.
This Multi-State Information Sharing and Analysis Center (MS-ISAC) Advisory is being provided to assist agencies and organizations in guarding against the persistent malicious actions of cybercriminals.
Multiple vulnerabilities have been discovered in Fortinet Products, the most severe of which could allow for arbitrary code execution. Successful exploitation of the most severe of these vulnerabilities could allow for arbitrary code execution in the context of the logged-on user. Depending on the privileges associated with the user, threat actors could then install programs; view, change, or delete data; or create new accounts with full user rights. Users whose accounts are configured to have fewer user rights on the system could be less impacted than those who operate with administrative user rights.
Threat Intelligence
Fortinet has observed exploitation of CVE-2025-32756 in the wild on FortiVoice.
Systems Affected
FortiADC 7.2.0 through 7.2.6
FortiADC 7.4.0 through 7.4.4
FortiADC 7.6.1
FortiADCManager 7.6.0
FortiAIOps 2.0.0 through 2.0.1
FortiAnalyzer 6.2.0 through 6.2.11
FortiAnalyzer 6.4.0 through 6.4.14
FortiAnalyzer 6.4.14 through 6.4.15
FortiAnalyzer 7.0.0 through 7.0.13
FortiAnalyzer 7.2.0 through 7.2.10
FortiAnalyzer 7.4.0 through 7.4.3
FortiAnalyzer 7.4.2
FortiAnalyzer 7.4.3 through 7.4.6
FortiAnalyzer 7.6.0 through 7.6.2
FortiAnalyzer-BigData 6.2 all versions
FortiAnalyzer-BigData 6.4 all versions
FortiAnalyzer-BigData 7.0 all versions
FortiAnalyzer-BigData 7.2 7.2.0 through 7.2.5
FortiAnalyzer-BigData 7.4 7.4.0
FortiAuthenticator 6.6.0 through 6.6.1
FortiCamera 1.1 all versions
FortiCamera 2.0 all versions
FortiCamera 2.1.0 through 2.1.3
FortiClientEMS 7.4.0 through 7.4.1
FortiClientEMS Cloud 7.4 7.4.0 through 7.4.1
FortiClientMac 7.0 all versions
FortiClientMac 7.2.0 through 7.2.8
FortiClientMac 7.4.0 through 7.4.2
FortiClientWindows 7.2.0 through 7.2.1
FortiDDoS 5.7.0 through 5.7.3
FortiDDoS-F 7.0 7.0.0 through 7.0.1
FortiDDoS-F 7.0 7.0.1 through 7.0.4
FortiDeceptor 5.2.0
FortiDeceptor 5.3.0 through 5.3.1
FortiEDR Manager 5.0 all versions
FortiEDR Manager 5.1 all versions
FortiEDR Manager 5.2 all versions
FortiEDR Manager 6.0 all versions
FortiEDR Manager 6.2 6.2.0 through 6.2.4
FortiExtender 7.0.0 through 7.0.5
FortiExtender 7.2.0 through 7.2.5
FortiExtender 7.4.0 through 7.4.5
FortiGuest 1.0 all versions
FortiGuest 1.1 all versions
FortiGuest 1.2.0 through 1.2.1
FortiGuest 1.3.0
FortiMail 6.2 all versions
FortiMail 6.4 all versions
FortiMail 7.0.0 through 7.0.8
FortiMail 7.2.0 through 7.2.7
FortiMail 7.4.0 through 7.4.4
FortiMail 7.6.0 through 7.6.2
FortiManager 6.2.0 through 6.2.11
FortiManager 6.4.0 through 6.4.15
FortiManager 7.0.0 through 7.0.13
FortiManager 7.2.0 through 7.2.10
FortiManager 7.4.0 through 7.4.6
FortiManager 7.6.0 through 7.6.2
FortiManager Cloud 6.4 all versions
FortiManager Cloud 7.0 7.0.1 through 7.0.8
FortiManager Cloud 7.0 7.0.10
FortiManager Cloud 7.0 7.0.12
FortiManager Cloud 7.2 7.2.1 through 7.2.4
FortiNAC-F 7.2 7.2.0 through 7.2.6
FortiNAC-F 7.4 7.4.0
FortiNDR 1.1 all versions
FortiNDR 1.2 all versions
FortiNDR 1.3 all versions
FortiNDR 1.4 all versions
FortiNDR 1.5 all versions
FortiNDR 7.0.0 through 7.0.6
FortiNDR 7.1 all versions
FortiNDR 7.2.0 through 7.2.4
FortiNDR 7.4.0 through 7.4.7
FortiNDR 7.6.0
FortiOS 6.4 all versions
FortiOS 7.0.0 through 7.0.14
FortiOS 7.2.0 through 7.2.7
FortiOS 7.4.0 through 7.4.3
FortiOS 7.4.4 through 7.4.6
FortiOS 7.6.0
FortiPortal 7.0.0 through 7.0.9
FortiPortal 7.2.0 through 7.2.5
FortiPortal 7.4.0
FortiProxy 7.6.0 through 7.6.1
FortiRecorder 6.0 all versions
FortiRecorder 6.4 all versions
FortiRecorder 7.0.0 through 7.0.5
FortiRecorder 7.2.0 through 7.2.3
FortiSandbox 3.2 all versions
FortiSandbox 4.0.0 through 4.0.5
FortiSandbox 4.2.0 through 4.2.7
FortiSandbox 4.4.0 through 4.4.6
FortiSIEM 5.3 all versions
FortiSIEM 5.4 all versions
FortiSIEM 6.1 all versions
FortiSIEM 6.2 all versions
FortiSIEM 6.3 all versions
FortiSIEM 6.4 all versions
FortiSIEM 6.5 all versions
FortiSIEM 6.6 all versions
FortiSIEM 6.7 all versions
FortiSIEM 7.0 all versions
FortiSOAR 6.4 all versions
FortiSOAR 7.0 all versions
FortiSOAR 7.2 all versions
FortiSOAR 7.3 all versions
FortiSOAR 7.4.0 through 7.4.2
FortiSwitch 7.2.0 through 7.2.8
FortiSwitch 7.4.0 through 7.4.3
FortiSwitchManager 7.2.5
FortiVoice 6.0.0 through 6.0.12
FortiVoice 6.4.0 through 6.4.10
FortiVoice 7.0.0 through 7.0.6
FortiVoice 7.2.0
FortiVoiceUCDesktop 3.0 all versions
FortiWeb 6.2 all versions
FortiWeb 6.3 all versions
FortiWeb 6.4 all versions
FortiWeb 7.0.0 through 7.0.10
FortiWeb 7.2.0 through 7.2.9
FortiWeb 7.4.0 through 7.4.4
FortiWeb 7.6.0
FortiWLC 8.6.0 through 8.6.7
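Matching an asset inventory against a "Systems Affected" list in this shape is the routine vulnerability-management step the advisory's Safeguard 7.x recommendations call for. The Python below is an added example, not part of the advisory and not Fortinet tooling. It parses the four entry shapes used in the list above ("X through Y", "branch all versions", a single version, and a branch followed by a range) and flags inventory entries that fall inside an affected range. It assumes every product name starts with "Forti" (true of this list) and the inventory hostnames and versions are constructed for illustration; the excerpt of affected versions is taken from the list above.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

Version = Tuple[int, ...]

# A token is a version if it is dotted integers ("7.2", "7.4.0").
VERSION_RE = re.compile(r"^\d+(?:\.\d+)*$")


def parse_version(text: str) -> Version:
    """'7.0.14' -> (7, 0, 14); tuples compare component-wise, which is the order we need."""
    return tuple(int(part) for part in text.split("."))


@dataclass(frozen=True)
class AffectedRange:
    product: str
    low: Version
    high: Optional[Version]  # None when the entry is "<branch> all versions"

    def contains(self, version: Version) -> bool:
        if self.high is None:
            # "6.4 all versions": any version whose leading components equal the branch.
            return version[: len(self.low)] == self.low
        return self.low <= version <= self.high


def parse_entry(entry: str) -> AffectedRange:
    """Parse one entry: 'Prod 7.2.0 through 7.2.6', 'Prod 7.6.1',
    'Prod 6.2 all versions', or 'Prod 7.2 7.2.0 through 7.2.5' (branch, then range)."""
    tokens = entry.split()
    # Product name = leading tokens up to the first version-looking token (may be several words).
    i = 0
    while i < len(tokens) and not VERSION_RE.match(tokens[i]):
        i += 1
    product, rest = " ".join(tokens[:i]), tokens[i:]
    if not product or not rest:
        raise ValueError(f"unparseable entry: {entry!r}")
    if rest[-2:] == ["all", "versions"]:
        return AffectedRange(product, parse_version(rest[0]), None)
    if "through" in rest:
        k = rest.index("through")
        return AffectedRange(product, parse_version(rest[k - 1]), parse_version(rest[k + 1]))
    exact = parse_version(rest[-1])  # single version, possibly preceded by its branch
    return AffectedRange(product, exact, exact)


def parse_affected_list(text: str) -> List[AffectedRange]:
    """Split a run-together list on the whitespace that precedes each product name."""
    # Assumption (ours, not the advisory's): every product name begins with 'Forti'.
    entries = re.split(r"\s+(?=Forti)", text.strip())
    return [parse_entry(e) for e in entries if e]


def is_affected(ranges: List[AffectedRange], product: str, version: str) -> bool:
    v = parse_version(version)
    return any(r.product == product and r.contains(v) for r in ranges)


def triage(ranges: List[AffectedRange], inventory):
    """inventory: (hostname, product, version) tuples; returns the ones needing the update."""
    return [(host, product, version) for host, product, version in inventory
            if is_affected(ranges, product, version)]


# Excerpt of the advisory's Systems Affected list (taken from the advisory text).
SAMPLE_AFFECTED = (
    "FortiOS 6.4 all versions FortiOS 7.0.0 through 7.0.14 FortiOS 7.2.0 through 7.2.7 "
    "FortiOS 7.4.0 through 7.4.3 FortiOS 7.4.4 through 7.4.6 FortiOS 7.6.0 "
    "FortiVoice 6.0.0 through 6.0.12 FortiVoice 7.2.0 FortiDDoS-F 7.0 7.0.0 through 7.0.1 "
    "FortiEDR Manager 6.2 6.2.0 through 6.2.4 FortiManager Cloud 7.0 7.0.10"
)

# Constructed inventory: hostnames and versions are made up for this example.
SAMPLE_INVENTORY = [
    ("fw-edge-01", "FortiOS", "7.0.14"),          # last version inside the 7.0 range
    ("fw-edge-02", "FortiOS", "7.0.15"),          # first version past it
    ("fw-lab-01", "FortiOS", "6.4.15"),           # whole 6.4 branch is affected
    ("pbx-01", "FortiVoice", "7.2.0"),            # single-version entry
    ("edr-mgr", "FortiEDR Manager", "6.2.5"),     # just outside 6.2.0 through 6.2.4
]

if __name__ == "__main__":
    ranges = parse_affected_list(SAMPLE_AFFECTED)
    for host, product, version in triage(ranges, SAMPLE_INVENTORY):
        print(f"{host}: {product} {version} is in an affected range; apply Fortinet's update")
```

The comparison is tuple-based, so a version with fewer components than a range bound ("7.0" against "7.0.0 through 7.0.14") sorts below the lower bound and is not matched; inventories should record the full build version before being checked.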
Risk
Government:
Large and medium government entities: High
Small government entities: Medium
Businesses:
Large and medium business entities: High
Small business entities: Medium
Home Users: Low
Recommendations
Apply appropriate updates provided by Fortinet to vulnerable systems immediately after appropriate testing.
Apply the Principle of Least Privilege to all systems and services. Run all software as a non-privileged user (one without administrative privileges) to diminish the effects of a successful attack.
Use vulnerability scanning to find potentially exploitable software vulnerabilities to remediate them.
Architect sections of the network to isolate critical systems, functions, or resources. Use physical and logical segmentation to prevent access to potentially sensitive systems and information. Use a DMZ to contain any internet-facing services that should not be exposed from the internal network. Configure separate virtual private cloud (VPC) instances to isolate critical cloud systems.
Use capabilities to detect and block conditions that may lead to or be indicative of a software exploit occurring.
Multiple vulnerabilities have been discovered in Ivanti Endpoint Manager Mobile, the most severe of which could allow for remote code execution. Ivanti Endpoint Manager Mobile (EPMM) is a unified endpoint management solution that enables organizations to securely manage and monitor mobile devices, applications, and content across multiple platforms from a centralized interface. Successful exploitation of the most severe of these vulnerabilities could allow for remote code execution in the context of the system. Depending on the privileges associated with the system, an attacker could then install programs; view, change, or delete data.
THREAT INTELLIGENCE: There are a limited number of customers whose solution has been exploited at the time of disclosure.
SYSTEMS AFFECTED:
Ivanti Endpoint Manager Mobile 11.12.0.4 and prior
Ivanti Endpoint Manager Mobile 12.3.0.1 and prior
Ivanti Endpoint Manager Mobile 12.4.0.1 and prior
Ivanti Endpoint Manager Mobile 12.5.0.0 and prior
RISK: Government:
Large and medium government entities: High
Small government entities: Medium
Businesses:
Large and medium business entities: High
Small business entities: Medium
Home users: Low
TECHNICAL SUMMARY: Multiple vulnerabilities have been discovered in Ivanti Endpoint Manager Mobile, the most severe of which could allow for remote code execution. Details of these vulnerabilities are as follows:
A remote code execution vulnerability in Ivanti Endpoint Manager Mobile allowing attackers to execute arbitrary code on the target system. (CVE-2025-4428)
Details of lower severity vulnerabilities:
An authentication bypass in Ivanti Endpoint Manager Mobile allowing attackers to access protected resources without proper credentials. Exploitation of this vulnerability can lead to exploitation of CVE-2025-4428. (CVE-2025-4427)
Successful exploitation of these vulnerabilities could allow for remote code execution in the context of the system. Depending on the privileges associated with the system, an attacker could then install programs; view, change, or delete data.
RECOMMENDATIONS:
We recommend the following actions be taken:
Apply appropriate updates provided by Ivanti to vulnerable systems immediately after appropriate testing. (M1051: Update Software)
Safeguard 7.1: Establish and Maintain a Vulnerability Management Process: Establish and maintain a documented vulnerability management process for enterprise assets. Review and update documentation annually, or when significant enterprise changes occur that could impact this Safeguard.
Safeguard 7.2: Establish and Maintain a Remediation Process: Establish and maintain a risk-based remediation strategy documented in a remediation process, with monthly, or more frequent, reviews.
Safeguard 7.4: Perform Automated Application Patch Management: Perform application updates on enterprise assets through automated patch management on a monthly, or more frequent, basis.
Safeguard 7.5: Perform Automated Vulnerability Scans of Internal Enterprise Assets: Perform automated vulnerability scans of internal enterprise assets on a quarterly, or more frequent, basis. Conduct both authenticated and unauthenticated scans, using a SCAP-compliant vulnerability scanning tool.
Safeguard 7.7: Remediate Detected Vulnerabilities: Remediate detected vulnerabilities in software through processes and tooling on a monthly, or more frequent, basis, based on the remediation process.
Safeguard 12.1: Ensure Network Infrastructure is Up-to-Date: Ensure network infrastructure is kept up-to-date. Example implementations include running the latest stable release of software and/or using currently supported network-as-a-service (NaaS) offerings. Review software versions monthly, or more frequently, to verify software support.
Safeguard 18.1: Establish and Maintain a Penetration Testing Program: Establish and maintain a penetration testing program appropriate to the size, complexity, and maturity of the enterprise. Penetration testing program characteristics include scope, such as network, web application, Application Programming Interface (API), hosted services, and physical premise controls; frequency; limitations, such as acceptable hours, and excluded attack types; point of contact information; remediation, such as how findings will be routed internally; and retrospective requirements.
Safeguard 18.2: Perform Periodic External Penetration Tests: Perform periodic external penetration tests based on program requirements, no less than annually. External penetration testing must include enterprise and environmental reconnaissance to detect exploitable information. Penetration testing requires specialized skills and experience and must be conducted through a qualified party. The testing may be clear box or opaque box.
Safeguard 18.3: Remediate Penetration Test Findings: Remediate penetration test findings based on the enterprise’s policy for remediation scope and prioritization.
Apply the Principle of Least Privilege to all systems and services. Run all software as a non-privileged user (one without administrative privileges) to diminish the effects of a successful attack. (M1026: Privileged Account Management)
Safeguard 4.7: Manage Default Accounts on Enterprise Assets and Software: Manage default accounts on enterprise assets and software, such as root, administrator, and other pre-configured vendor accounts. Example implementations can include: disabling default accounts or making them unusable.
Safeguard 5.5: Establish and Maintain an Inventory of Service Accounts: Establish and maintain an inventory of service accounts. The inventory, at a minimum, must contain department owner, review date, and purpose. Perform service account reviews to validate that all active accounts are authorized, on a recurring schedule at a minimum quarterly, or more frequently.
Vulnerability scanning is used to find potentially exploitable software vulnerabilities to remediate them. (M1016: Vulnerability Scanning)
Safeguard 16.13: Conduct Application Penetration Testing: Conduct application penetration testing. For critical applications, authenticated penetration testing is better suited to finding business logic vulnerabilities than code scanning and automated security testing. Penetration testing relies on the skill of the tester to manually manipulate an application as an authenticated and unauthenticated user.
Architect sections of the network to isolate critical systems, functions, or resources. Use physical and logical segmentation to prevent access to potentially sensitive systems and information. Use a DMZ to contain any internet-facing services that should not be exposed from the internal network. Configure separate virtual private cloud (VPC) instances to isolate critical cloud systems. (M1030: Network Segmentation)
Safeguard 12.2: Establish and Maintain a Secure Network Architecture: Establish and maintain a secure network architecture. A secure network architecture must address segmentation, least privilege, and availability, at a minimum.
Use capabilities to detect and block conditions that may lead to or be indicative of a software exploit occurring. (M1050: Exploit Protection)
Safeguard 10.5: Enable Anti-Exploitation Features: Enable anti-exploitation features on enterprise assets and software, where possible, such as Microsoft® Data Execution Prevention (DEP), Windows® Defender Exploit Guard (WDEG), or Apple® System Integrity Protection (SIP) and Gatekeeper™.
A vulnerability has been discovered in Google Chrome which could allow for arbitrary code execution. Successful exploitation of this vulnerability could allow for arbitrary code execution in the context of the logged-on user. Depending on the privileges associated with the user, an attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. Users whose accounts are configured to have fewer user rights on the system could be less impacted than those who operate with administrative user rights.
THREAT INTELLIGENCE: There are currently no reports of this vulnerability being exploited in the wild.
SYSTEMS AFFECTED:
Chrome prior to 136.0.7103.113/.114 for Windows and Mac
Chrome prior to 136.0.7103.113 for Linux
RISK: Government:
Large and medium government entities: High
Small government entities: Medium
Businesses:
Large and medium business entities: High
Small business entities: Medium
Home users: Low
TECHNICAL SUMMARY:
A vulnerability has been discovered in Google Chrome which could allow for arbitrary code execution. Details of the vulnerability are as follows:
Insufficient policy enforcement in Loader. (CVE-2025-4664)
Incorrect handle provided in unspecified circumstances in Mojo. (CVE-2025-4609)
Successful exploitation of this vulnerability could allow for arbitrary code execution in the context of the logged-on user. Depending on the privileges associated with the user, an attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. Users whose accounts are configured to have fewer user rights on the system could be less impacted than those who operate with administrative user rights.
RECOMMENDATIONS: We recommend the following actions be taken:
Apply appropriate updates provided by Google to vulnerable systems immediately after appropriate testing. (M1051: Update Software)
Safeguard 7.1: Establish and Maintain a Vulnerability Management Process: Establish and maintain a documented vulnerability management process for enterprise assets. Review and update documentation annually, or when significant enterprise changes occur that could impact this Safeguard.
Safeguard 7.4: Perform Automated Application Patch Management: Perform application updates on enterprise assets through automated patch management on a monthly, or more frequent, basis.
Safeguard 7.7: Remediate Detected Vulnerabilities: Remediate detected vulnerabilities in software through processes and tooling on a monthly, or more frequent, basis, based on the remediation process.
Safeguard 9.1: Ensure Use of Only Fully Supported Browsers and Email Clients: Ensure only fully supported browsers and email clients are allowed to execute in the enterprise, only using the latest version of browsers and email clients provided through the vendor.
Apply the Principle of Least Privilege to all systems and services. Run all software as a non-privileged user (one without administrative privileges) to diminish the effects of a successful attack. (M1026: Privileged Account Management)
Safeguard 4.7: Manage Default Accounts on Enterprise Assets and Software: Manage default accounts on enterprise assets and software, such as root, administrator, and other pre-configured vendor accounts. Example implementations can include: disabling default accounts or making them unusable.
Safeguard 5.4: Restrict Administrator Privileges to Dedicated Administrator Accounts: Restrict administrator privileges to dedicated administrator accounts on enterprise assets. Conduct general computing activities, such as internet browsing, email, and productivity suite use, from the user’s primary, non-privileged account.
Restrict execution of code to a virtual environment on or in transit to an endpoint system. (M1048: Application Isolation and Sandboxing)
Use capabilities to detect and block conditions that may lead to or be indicative of a software exploit occurring. (M1050: Exploit Protection)
Safeguard 10.5: Enable Anti-Exploitation Features: Enable anti-exploitation features on enterprise assets and software, where possible, such as Microsoft® Data Execution Prevention (DEP), Windows® Defender Exploit Guard (WDEG), or Apple® System Integrity Protection (SIP) and Gatekeeper™.
Restrict use of certain websites, block downloads/attachments, block JavaScript, restrict browser extensions, etc. (M1021: Restrict Web-Based Content)
Safeguard 9.2: Use DNS Filtering Services: Use DNS filtering services on all enterprise assets to block access to known malicious domains.
Safeguard 9.3: Maintain and Enforce Network-Based URL Filters: Enforce and update network-based URL filters to limit an enterprise asset from connecting to potentially malicious or unapproved websites. Example implementations include category-based filtering, reputation-based filtering, or through the use of block lists. Enforce filters for all enterprise assets.
Safeguard 9.6: Block Unnecessary File Types: Block unnecessary file types attempting to enter the enterprise’s email gateway.
Inform and educate users regarding the threats posed by hypertext links contained in emails or attachments, especially from untrusted sources. Remind users not to visit untrusted websites or follow links provided by unknown or untrusted sources. (M1017: User Training)
Safeguard 14.1: Establish and Maintain a Security Awareness Program: Establish and maintain a security awareness program. The purpose of a security awareness program is to educate the enterprise’s workforce on how to interact with enterprise assets and data in a secure manner. Conduct training at hire and, at a minimum, annually. Review and update content annually, or when significant enterprise changes occur that could impact this Safeguard.
Safeguard 14.2: Train Workforce Members to Recognize Social Engineering Attacks: Train workforce members to recognize social engineering attacks, such as phishing, pre-texting, and tailgating.
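One way to put Safeguard 9.6 into practice at the email gateway, as an added example (not code from the NJCCIC, CIS, or any gateway product): the check below rejects the attachment types the GuLoader campaigns above rely on (SCR, RAR, ARJ outright; ZIP by inspecting its members), and it classifies by file signature as well as by extension, so a renamed executable or an "invoice.pdf.scr" double extension is still caught. The policy constants, filenames and byte strings are constructed for the demonstration; a password-protected archive member is reported as suspicious because it cannot be inspected.

```python
"""Attachment screening for an email gateway, after CIS Safeguard 9.6.

Added example, not code from the NJCCIC page, CIS, or any gateway product.
The blocked types mirror the GuLoader delivery vehicles the page names (SCR,
RAR, ZIP, ARJ); the policy constants, filenames and byte strings are constructed.
"""
import io
import zipfile
from typing import List, Optional, Tuple

# Extensions rejected outright. ZIP is deliberately not here: it is too common to
# drop blindly, so ZIP attachments are opened and their members inspected instead.
BLOCKED_EXTENSIONS = {"scr", "exe", "rar", "arj"}

# File-type signatures, so a renamed sample is caught even when the extension looks benign.
MAGIC = {
    b"MZ": "pe",                # Windows PE image; .exe and .scr share this header
    b"Rar!\x1a\x07": "rar",     # RAR v4/v5 archive
    b"PK\x03\x04": "zip",       # ZIP local file header
    b"\x60\xea": "arj",         # ARJ archive
}


def extension_of(name: str) -> str:
    """Last extension, lower-cased ('' if none); 'invoice.pdf.scr' yields 'scr'."""
    base = name.rsplit("/", 1)[-1].lower()
    return base.rsplit(".", 1)[-1] if "." in base else ""


def sniff(data: bytes) -> Optional[str]:
    """Classify content by magic bytes, ignoring the filename."""
    for magic, kind in MAGIC.items():
        if data.startswith(magic):
            return kind
    return None


def zip_executable_members(data: bytes) -> List[str]:
    """Names of ZIP members that are executables by extension or PE header.

    Encrypted members cannot be inspected, so they are reported as suspicious:
    password-protected archives are a common way to get executables past scanners.
    """
    hits = []
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            for info in zf.infolist():
                if info.is_dir():
                    continue
                if extension_of(info.filename) in BLOCKED_EXTENSIONS:
                    hits.append(info.filename)
                    continue
                try:
                    head = zf.open(info).read(2)
                except RuntimeError:          # raised for encrypted members
                    hits.append(info.filename + " (encrypted)")
                    continue
                if head == b"MZ":
                    hits.append(info.filename)
    except zipfile.BadZipFile:
        hits.append("<unreadable archive>")
    return hits


def check_attachment(filename: str, data: bytes) -> Tuple[str, str]:
    """Return ('block' | 'allow', reason) for one attachment."""
    ext = extension_of(filename)
    if ext in BLOCKED_EXTENSIONS:
        return "block", f"extension .{ext} is on the blocklist"
    kind = sniff(data)
    if kind in ("pe", "rar", "arj"):
        return "block", f"content is {kind} despite extension .{ext or '(none)'}"
    if kind == "zip":
        hits = zip_executable_members(data)
        if hits:
            return "block", "archive carries executable content: " + ", ".join(hits)
    return "allow", "no blocked type detected"


def build_zip(members: dict) -> bytes:
    """Helper to construct in-memory sample archives for the demo below."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, content in members.items():
            zf.writestr(name, content)
    return buf.getvalue()


# Constructed samples: a PE-like header only, not a real program.
FAKE_PE = b"MZ\x90\x00" + b"\x00" * 60
SAMPLES = {
    "new_order_4421.scr": FAKE_PE,                                  # blocked by extension
    "quotation.pdf": FAKE_PE,                                       # PE renamed to look like a PDF
    "invoice.zip": build_zip({"invoice.pdf.scr": FAKE_PE}),         # executable inside ZIP
    "statement.zip": build_zip({"statement.txt": b"balance due"}),  # benign archive
    "shipment.dat": b"Rar!\x1a\x07\x00" + b"\x00" * 16,             # RAR with odd extension
    "readme.txt": b"plain text",                                    # benign
}

if __name__ == "__main__":
    for name, blob in SAMPLES.items():
        verdict, why = check_attachment(name, blob)
        print(f"{verdict:5} {name:22} {why}")
```

Signature sniffing is the part that matters: extension filters alone are defeated by renaming, which is why the ZIP case inspects each member's header rather than trusting member names.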
This Joint Cybersecurity Advisory highlights a Russian state-sponsored cyber campaign targeting Western logistics entities and technology companies. This campaign includes those involved in the coordination, transport, and delivery of foreign assistance to Ukraine.
Since 2022, Western logistics entities and technology companies have faced an elevated risk of targeting by the Russian General Staff Main Intelligence Directorate (GRU) 85th Main Special Service Center (85th GTsSS), military unit 26165—tracked in the cybersecurity community under several names. The threat actors’ cyber espionage-oriented campaign, targeting logistics entities and technology companies, uses a mix of previously disclosed tactics, techniques, and procedures (TTPs). The authoring agencies expect similar targeting and TTP use to continue.
Executives and network defenders at logistics entities and technology companies should recognize the elevated threat of unit 26165 targeting, increase monitoring and threat hunting for known TTPs and indicators of compromise (IOCs), and posture network defenses with a presumption of targeting.
This joint advisory provides a target description, initial access TTPs, IOCs, and mitigation techniques, and is being provided to assist agencies and organizations in guarding against the persistent malicious actions of cybercriminals.
The Federal Bureau of Investigation (FBI) and the Cybersecurity and Infrastructure Security Agency (CISA) are releasing this Joint Cybersecurity Advisory to disseminate known tactics, techniques, and procedures (TTPs) and indicators of compromise (IOCs) associated with threat actors deploying the LummaC2 information stealer (infostealer) malware.
LummaC2 malware is able to infiltrate victim computer networks and exfiltrate sensitive information, threatening vulnerable individuals’ and organizations’ computer networks across multiple US critical infrastructure sectors. According to FBI information and trusted third-party reporting, this activity has been observed as recently as May 2025. The IOCs included in this advisory were associated with LummaC2 malware infections from November 2023 through May 2025.
This joint advisory provides technical details, IOCs, TTPs, and mitigation recommendations, and is being provided to assist agencies and organizations in guarding against the persistent malicious actions of cybercriminals.
The FBI and CISA encourage organizations to implement the recommendations in the mitigations section of this advisory to reduce the likelihood and impact of LummaC2 malware.
I. Executive Summary
China is engaging in sustained cyber operations targeting US critical infrastructure to lay the foundation for future disruption of key lifeline services. Advanced persistent threat (APT) groups like Volt Typhoon, APT41, and Salt Typhoon are spearheading this activity and have demonstrated sophisticated capabilities to access and persist within critical systems, particularly across the communications, energy, water and wastewater, and transportation sectors. They conduct stealthy, long-term intrusions by leveraging legitimate account credentials, edge devices, and remote access tools to maintain persistence in targeted environments. Intelligence indicates that these and other Chinese state-sponsored threat actors are preparing to launch destructive cyberattacks during a conflict between the United States and China.
A recent US House Committee on Homeland Security hearing in March reinforced the threats associated with this activity. Bill Evanina, founder and CEO of the Evanina Group and former Director of the US National Counterintelligence and Security Center, testified: “Cyber breaches, insider threats, surveillance, and penetrations into our critical infrastructure have all been widely reported. Adding in [their] crippling stranglehold on so many aspects of our supply chain, and the result is a montage of domestic vulnerability of unacceptable proportions.”
The intrusions extend beyond intelligence gathering and intellectual property theft activities. Instead, these campaigns are tailored to surveil, infiltrate, and ultimately control the systems and networks they penetrate. China is likely to prioritize targeting critical infrastructure in the US to delay or inhibit the mobilization of military forces. The attacks could lead to widespread service disruptions, including the collapse of communications networks, power grid failures and blackouts, water shortages, and restricted transportation.
Recognition that Chinese state-sponsored actors have already gained footholds in key sectors of US infrastructure is growing, as public officials and private-sector leadership have raised concerns regarding this activity for several years. However, continued advancements in technology are expanding the attack surface. “Penetrating our networks, pre-positioning technological choke points, and profiting from those dependencies poses a direct challenge to US homeland security,” Evanina further warned.
The New Jersey Cybersecurity and Communications Integration Cell (NJCCIC) assesses that the frequency and severity of these cyber operations will continue to increase as tensions in the Indo-Pacific region escalate and China seeks to undermine US resilience from within. This report outlines the tactics, actors, and implications of China-linked cyber activity across four key sectors. It also provides strategic insight and operational guidance to counter the growing threat of pre-positioned, state-backed sabotage within America’s most vital systems.
II. Geopolitical and Strategic Context: US-China Tensions and the Cyber War for Influence
Central to the intensifying cyber threat landscape between the United States and China are the broader geopolitical tensions that have emerged over the last two decades. Competing strategic interests have produced a dynamic in which the cyber realm is increasingly viewed as a primary domain for conflict. Among the main sources of friction are territorial disputes in the South China Sea. China has expanded its military footprint by building artificial islands and asserting broad maritime claims that most of the international community considers illegal. At the same time, the trade war between the US and China has escalated in recent weeks, with competing tariffs and trade restrictions at the forefront of the Trump administration’s economic strategy. Finally, and most importantly, the US continues to extend firm policy support to Taiwan, which China views as a violation of the “One China” principle.
Taiwan has long been considered a likely flashpoint for a future conflict between China and the United States. For the US, the island is essential to regional defense, forming part of the first island chain that anchors American alliances with Japan, South Korea, and the Philippines. To China, it represents a national reunification goal linked to the Communist Party’s legitimacy. However, its economic prospects should not be ignored.
Taiwan is a critical node in the global semiconductor industry. It is home to the Taiwan Semiconductor Manufacturing Company (TSMC), which produces over 55% of the world’s chips and nearly all advanced processors. Furthermore, approximately one-third of the annual global computing power originates from the island. The global chip industry and the assembly of all the electronic goods they enable depend almost entirely upon the Taiwan Strait. The island is, therefore, critical to determining the power strongholds of the future global economy.
If China were to gain control of this industry, it could also gain leverage over the global technology supply chain, paving the way for regional hegemony. China’s power and influence would extend further into the Indo-Pacific, and this geopolitical shift would threaten US influence and security.
This context is essential when evaluating the scope of China’s threat. Recent cyberattacks indicate a long-term campaign to reshape global power structures and destabilize adversaries like the United States. China’s cyber posture is not strictly defensive or opportunistic. It is strategic, viewing disruption to critical infrastructure as a path to victory while avoiding direct military confrontation.
III. Risk Assessment and Analysis
The NJCCIC has assessed that China-linked cyber threats pose a sustained risk to US infrastructure, particularly within the lifeline sectors that form the foundation of national continuity and resilience. The communications, energy, water and wastewater, and transportation sectors face a high likelihood of targeting and a high potential impact if successfully compromised, placing them in the “Critical” risk tier. These domains form the cornerstones of everyday life and are integral to military readiness, emergency response, and civil, political, and economic stability.
In addition, the Financial Services and Government Services sectors face a medium likelihood of targeting and a high potential impact, placing them in the “High” risk tier. Successful cyberattacks against these domains could significantly disrupt economic stability and shake public confidence.
Chinese state-sponsored cyber operations are expected to increase with escalating geopolitical tensions. The NJCCIC anticipates that these threats will continue to evolve in scale and sophistication. Critical infrastructure organizations should view this threat activity as a persistent risk.
A. Risk Matrix
This matrix reflects the NJCCIC’s current strategic risk assessment, which is based on ongoing intelligence collection, observed threat actor behavior, and known vulnerabilities across these sectors. It is intended to guide risk prioritization and resource allocation for defensive measures across public and private sector partners.
B. Communications Sector
1. Overview
The communications sector is fundamental to society. It enables information delivery and communication and serves as a key intelligence resource. Chinese state-sponsored APT groups have consistently targeted this sector as part of their campaign to disrupt US critical infrastructure. The communications domain comprises public and private telecommunications infrastructure, including internet service providers (ISPs), mobile networks, satellite communications systems, undersea cable networks, and cloud systems. Cyber operations in this space are, therefore, highly strategic. Attacks typically combine advanced technical expertise with a long-term emphasis on maintaining persistence, and recent China-linked cyber activity reveals a focused effort to compromise the communications sector.
2. Tactics, Techniques, and Procedures
Communications service providers operate a broad attack surface that includes data centers, network appliances, customer portals, and more. Some providers use public-facing systems, which threat actors can regularly scan to identify a point of access. Various tactics are used when launching attacks, and in many cases, unpatched devices or valid account credentials serve as the initial entry point. Known vulnerabilities in edge devices and remote access systems, such as Fortinet FortiOS, Microsoft Exchange, and Citrix Gateway, are commonly exploited; however, threat actors may also use passwords compromised in previous attacks.
Once inside a network, the threat actors rely on living-off-the-land (LoTL) techniques to extract sensitive data and establish and maintain footholds that can be leveraged later. They have been observed abusing legitimate administrative tools to move laterally, conduct reconnaissance, and avoid detection while blending into regular activity. This approach minimizes their footprint and reduces the likelihood of detection by traditional security tools.
Credential and data theft are key elements of their post-compromise activity. Threat actors extract credentials from memory using tools like Mimikatz or subtle techniques such as keylogging and token theft. With these legitimate credentials, attackers can move laterally across administrative domains and impersonate network engineers or administrators, providing them with access to conduct surveillance and harvest sensitive data, or even shut down networks.
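The credential theft described here (and again in the energy and water sector TTPs below) leaves one reliable trace: a process that is not a normal Windows component opening lsass.exe with memory-read rights. The detection below, an added example rather than anything from the NJCCIC page or a vendor product, runs that logic over Sysmon Event ID 10 (ProcessAccess) records. The log lines are constructed in a flat key="value" form, the allowlist is an assumption to be tuned per environment, and the svc_netops path is a made-up sample.

```python
"""Credential-dumping detection over Sysmon Event ID 10 (ProcessAccess) records.

Added example, not code from the NJCCIC page or any detection product. The log
lines, the allowlist and the svc_netops account name are constructed; the
GrantedAccess mask follows the Windows PROCESS_* access-right bits.
"""
import re
from typing import Dict, List

# Access right a memory-scraping tool needs on lsass.exe. PROCESS_VM_READ is the
# tell-tale bit; Mimikatz-style requests typically show as 0x1010 or 0x1FFFFF.
PROCESS_VM_READ = 0x0010

# Processes legitimately expected to open lsass.exe. Tuned per environment (assumption).
ALLOWED_SOURCES = {
    r"c:\windows\system32\csrss.exe",
    r"c:\windows\system32\wininit.exe",
    r"c:\windows\system32\services.exe",
    r"c:\program files\windows defender\msmpeng.exe",
}

# Constructed records in a flat key="value" form (real Sysmon output is XML/JSON).
SYSMON_LOG = r"""
EventID="10" SourceImage="C:\Windows\System32\csrss.exe" TargetImage="C:\Windows\System32\lsass.exe" GrantedAccess="0x1FFFFF"
EventID="10" SourceImage="C:\Windows\System32\WerFault.exe" TargetImage="C:\Windows\System32\lsass.exe" GrantedAccess="0x1400"
EventID="10" SourceImage="C:\Users\svc_netops\AppData\Local\Temp\update.exe" TargetImage="C:\Windows\System32\lsass.exe" GrantedAccess="0x1010"
EventID="10" SourceImage="C:\Windows\System32\taskmgr.exe" TargetImage="C:\Windows\System32\svchost.exe" GrantedAccess="0x1410"
EventID="1" Image="C:\Windows\System32\cmd.exe" CommandLine="cmd.exe /c whoami"
EventID="10" SourceImage="C:\Windows\System32\rundll32.exe" TargetImage="C:\Windows\System32\lsass.exe" GrantedAccess="0x1FFFFF"
"""

FIELD = re.compile(r'(\w+)="([^"]*)"')


def parse_event(line: str) -> Dict[str, str]:
    """Turn one key="value" record into a dict."""
    return dict(FIELD.findall(line))


def is_lsass_read(event: Dict[str, str]) -> bool:
    """True when a non-allowlisted process opened lsass.exe with VM_READ rights."""
    if event.get("EventID") != "10":
        return False
    if not event.get("TargetImage", "").lower().endswith(r"\lsass.exe"):
        return False
    if event.get("SourceImage", "").lower() in ALLOWED_SOURCES:
        return False
    granted = int(event.get("GrantedAccess", "0x0"), 16)
    return bool(granted & PROCESS_VM_READ)


def find_alerts(log_text: str) -> List[Dict[str, str]]:
    """Return one alert per record that matches the lsass memory-read pattern."""
    alerts = []
    for line in log_text.strip().splitlines():
        event = parse_event(line)
        if is_lsass_read(event):
            alerts.append({"source": event["SourceImage"], "access": event["GrantedAccess"]})
    return alerts


if __name__ == "__main__":
    for alert in find_alerts(SYSMON_LOG):
        print("ALERT lsass memory read:", alert["source"], alert["access"])
```

The WerFault record is deliberately not flagged: 0x1400 is query-only access, the kind a crash handler or inventory agent requests, so matching on the VM_READ bit rather than on "any access to lsass" keeps the rule quiet on legitimate activity.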
3. Recent and Notable Activity
Cyber activity against the communications sector has increased significantly over the last few years, with most campaigns conducted by APT groups. These groups are actively engaged in infiltration and intelligence-gathering efforts to gain persistent access to infrastructure that could be disrupted or disabled during a future conflict. Volt Typhoon and Salt Typhoon are two notable threat actors targeting this industry. Both groups use valid compromised account credentials and exploit vulnerabilities to gain initial access, then leverage “living-off-the-land” techniques to evade detection while performing strategic reconnaissance and pre-positioning activities. These and other APT groups may utilize sophisticated cyber techniques to degrade or destroy communications capabilities.
In 2023, Volt Typhoon compromised telecom systems in Guam, gaining access through unpatched edge devices and stealthily maintaining persistence to conduct reconnaissance. In early 2024, Salt Typhoon exploited vulnerabilities in telecom infrastructure to proxy malicious traffic, obscure operational command-and-control (C2), and stage within major US telecom providers. These intrusions highlight the shift toward strategic pre-positioning and active misuse of communications infrastructure to support broader campaigns.
4. Implications and Impact
A large-scale cyberattack against the US communications sector would have an immediate impact, with cascading effects that could destabilize other critical lifeline sectors. Communications infrastructure enables the real-time information flow across government, military, commercial, and civilian domains. Service disruptions would significantly affect nearly every aspect of daily activity in the United States.
At the operational level, an attack could disable mobile networks, satellite communications, ISPs, or undersea cable infrastructure. Interruptions in service would compromise everything from 911 emergency call routing and air traffic communications to financial transactions and remote work capabilities. Millions of people would lose access to vital information. Furthermore, coordination efforts with other sectors would break down, response efforts would stall, and recovery timelines would lengthen.
The United States military would also face challenges due to its impaired situational awareness. American forces would be incapable of mobilizing quickly or coordinating with allies, particularly with NATO partners and the Five Eyes alliance. Intelligence sharing and secure communication would be greatly reduced. As a result, the US national defense posture would begin to deteriorate.
Economically, the consequences could be devastating. The communications sector supports core operations for nearly every major industry. A disruption could bring down financial markets, shut down banking systems, interfere with logistics platforms, and halt cloud-based services. Losses from even a short-term outage would be substantial, and the reputational damage to service providers could linger far longer.
The impact could be severe for civilians as well, isolating communities across the country. Key services that rely on real-time communication, including ambulance dispatch, fire and rescue, and public alert systems, may be cut off immediately. Logistical networks for food distribution, fuel supply, and commercial transport could also be disrupted. During an extended outage, public panic and misinformation would likely surge without reliable communication channels.
5. Risk Assessment
The NJCCIC has assessed the communications sector as a critical risk due to its broad exposure to foreign cyber threats and essential role in supporting national security, emergency response, and daily public and private-sector operations. Both the likelihood and potential impact of a successful cyberattack are considered high. This assessment is based on persistent adversary access across the sector, including long-term footholds established by Chinese state-sponsored threat actors. Ongoing exploitation of technical vulnerabilities, particularly in edge devices, remote access infrastructure, and legacy telecom equipment, combined with inconsistent cybersecurity practices and insufficient network segmentation, increases the probability of disruption. A compromise could have cascading ramifications due to the sector’s function as the connection between other critical infrastructure domains.
C. Energy Sector
1. Overview
The energy sector is critical for preserving the well-being of communities across the United States, providing electricity, oil, natural gas, and renewable energy. Chinese state-sponsored APT groups have long viewed this sector as a priority target due to its strategic value. The energy domain is deeply integrated with other critical infrastructure and encompasses power generation facilities, electrical grids, oil and gas pipelines, emergency management systems, and fuel logistics. China-linked cyber campaigns against this sector are calculated and prioritize long-term system access. Threat actors have repeatedly demonstrated interest in compromising environments that govern the flow of electricity and fuel, likely intending to disrupt key functions during a geopolitical crisis.
2. Tactics, Techniques, and Procedures
The energy sector functions across a complex infrastructure and operates a wide range of connected technologies. This technology includes legacy systems, industrial control systems (ICS), public-facing supervisory control and data acquisition (SCADA) interfaces, and more. Threat actors routinely scan the web to identify misconfigured or outdated assets that offer an initial entry point. They employ various tactics when launching their attacks, and in many cases, unpatched devices or valid account credentials provide that entry. Vulnerabilities in common systems like Fortinet, SonicWall, and Citrix frequently serve as points of access. Compromised passwords also provide an avenue in.
Threat activity in the energy domain is not limited to utility companies. This sector relies on contracted service providers for everything from system maintenance to regulatory compliance, and APT groups have increasingly targeted third-party partners. These vendors are often provided with administrative credentials or VPN access into core network environments, which threat actors can leverage to bypass perimeter defenses.
After gaining system access, the threat actors employ LoTL tactics to conduct their activities. They rely on native tools to move laterally and establish persistence while blending in with regular administrative activity and network traffic. These techniques enable them to extract sensitive data and conduct reconnaissance without triggering antivirus or endpoint detection software.
Credential theft plays a key role in these intrusions. Threat actors often use tools like Mimikatz to extract passwords and authentication tokens directly from system memory, which can be used to impersonate administrators, escalate privileges, and access systems that manage grid operations and fuel logistics. In many environments, this access enables lateral movement from IT networks into OT domains, where outdated control systems, often lacking modern cybersecurity controls, can be manipulated to disrupt energy delivery.
Threat actors may also deploy malware that is difficult to detect and capable of surviving reboots or patching. Backdoors like ShadowPad or even custom variants embedded in software updates allow them to quietly maintain access while communicating over ports and mimicking expected traffic patterns.
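A backdoor that "mimics expected traffic patterns" on a normal port still has to call home on a schedule, and that regularity is detectable in ordinary connection logs. The example below is added here and is not code from the NJCCIC page or any network-detection product: it groups outbound flows by source, destination and port and flags groups whose inter-arrival times are nearly constant. Addresses come from the documentation ranges, timestamps are constructed, and the thresholds (six connections, coefficient of variation at most 0.15) are assumptions to tune.

```python
"""Beacon detection from connection logs: flag outbound sessions that recur at a
near-constant interval, the pattern a backdoor produces when it polls its C2 while
blending in on a normal port.

Added example, not code from the NJCCIC page or any NDR product. The flow records
use documentation address ranges and constructed timestamps; thresholds are assumptions.
"""
from collections import defaultdict
from statistics import mean, pstdev
from typing import Dict, List, Tuple

Flow = Tuple[int, str, str, int]  # (epoch seconds, src, dst, dst port)

T0 = 1_700_000_000
FLOWS: List[Flow] = (
    # Implant on a workstation polling 203.0.113.7:443 every ~60 s with small jitter.
    [(T0 + t, "10.20.5.17", "203.0.113.7", 443) for t in (0, 61, 120, 182, 240, 301, 359, 420)]
    # Ordinary browsing to 198.51.100.20:443: bursty, human-driven gaps.
    + [(T0 + t, "10.20.5.17", "198.51.100.20", 443) for t in (0, 3, 43, 45, 345, 352, 442, 443)]
    # Too few connections to judge.
    + [(T0 + t, "10.20.5.18", "192.0.2.5", 8443) for t in (0, 600, 1200)]
)


def find_beacons(flows: List[Flow], min_conns: int = 6, max_cv: float = 0.15) -> List[Dict]:
    """Group flows by (src, dst, port); report groups whose inter-arrival times are regular.

    The coefficient of variation (stdev / mean of the gaps) is close to 0 for a
    timer-driven beacon and well above max_cv for interactive traffic.
    """
    by_pair: Dict[Tuple[str, str, int], List[int]] = defaultdict(list)
    for ts, src, dst, dport in flows:
        by_pair[(src, dst, dport)].append(ts)

    beacons = []
    for pair, times in by_pair.items():
        if len(times) < min_conns:
            continue
        times.sort()
        gaps = [later - earlier for earlier, later in zip(times, times[1:])]
        avg = mean(gaps)
        if avg <= 0:
            continue
        cv = pstdev(gaps) / avg
        if cv <= max_cv:
            beacons.append({"pair": pair, "count": len(times),
                            "interval_s": round(avg, 1), "cv": round(cv, 3)})
    return beacons


if __name__ == "__main__":
    for b in find_beacons(FLOWS):
        src, dst, port = b["pair"]
        print(f"beacon candidate {src} -> {dst}:{port} every {b['interval_s']}s (cv={b['cv']})")
```

In production this runs per day over NetFlow or proxy logs, with the min_conns floor raised so that a handful of coincidental retries do not trip it; the browsing series above has a coefficient of variation above 1.0, far from the beacon's 0.025.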
3. Recent and Notable Activity
Cyber operations against the US energy sector have steadily increased in scope and sophistication, with APT groups demonstrating a clear intent to compromise critical infrastructure supporting electric power, fuel distribution, and grid operations. APT41 and Volt Typhoon are among the groups most frequently associated with targeting energy systems. They often begin by exploiting vulnerabilities in ICS/SCADA environments and vendor-managed access points and escalate access through credential theft and privilege abuse. Once inside, they deploy stealthy persistence mechanisms and leverage native tooling to move laterally into industrial control environments. These tactics enable adversaries to pre-position within systems essential to energy reliability and potentially degrade or disable them during a crisis.
In 2021, the Colonial Pipeline ransomware attack, while criminal in nature, exposed systemic weaknesses in fuel distribution resilience. More recently, Volt Typhoon has been observed conducting reconnaissance and pre-positioning within energy infrastructure, including electric utilities and fuel logistics systems, using compromised credentials and stealthy remote access techniques.
4. Implications and Impact
A widespread cyberattack targeting the US energy sector would immediately threaten national security, economic stability, and civilian welfare, and the effects would ripple quickly. This sector is interwoven with every other critical infrastructure domain and supports virtually all aspects of modern life, from powering hospitals and water treatment plants to enabling military activity and digital communication. Any disruption to its operations would have severe consequences.
The most direct implication would be the loss of electric power that halts industrial activity and public services. These outages would upend daily life for millions of Americans. Water treatment facilities would be unable to operate, hospitals would have to rely on backup generators to provide care, and financial systems would risk downtime or data corruption. Natural gas pipelines or oil distribution networks could also be impacted. Fuel would be in short supply, limiting transportation and supply chains.
The US military would also be impeded. An extensive cyberattack could disrupt power supplies to military bases that rely on stable energy resources for operations, communication, and defense systems. In a national emergency, even short-term outages could delay response times. Even if military sites remain operational, adversaries may exploit interdependencies, like private sector energy suppliers supporting defense contractors, to create pressure points.
The economic impact of a cyberattack on the energy sector would be substantial. Fuel shortages would interrupt supply chains, driving up energy prices and stalling activity across multiple industries. Market volatility could increase dramatically as production output drops. Industrial regions that rely heavily on the energy sector would be hit especially hard. Local economies would tip downward, contributing to wider national economic strain.
A successful compromise would also affect the well-being of civilians. Hospitals, water treatment utilities, and communication systems could shut down, and manufacturing plants, transportation systems, and supply chain networks would grind to a halt. Regional blackouts would generate panic and undermine confidence in government response. At the same time, prolonged outages or fuel shortages could be life-threatening, leading to civil unrest.
5. Risk Assessment
The NJCCIC has assessed the Energy sector as a critical risk due to its high exposure to state-sponsored cyber threats and its foundational role in powering essential services across all critical infrastructure domains. Both the likelihood and potential impact of a successful cyberattack are considered high. This determination is based on persistent adversary access within ICS and SCADA environments, particularly through long-term intrusions by Chinese APT groups seeking to establish pre-positioned footholds. The expansion of smart grid infrastructure and distributed energy systems has introduced new access points, increasing the attack surface across the sector. Unpatched systems, poor network segmentation between IT and OT environments, and weak cybersecurity practices further compound these risks.
D. Water and Wastewater
1. Overview
The Water and Wastewater sector ensures the availability of safe drinking water and wastewater treatment to protect communities and the environment. This sector also supports other critical infrastructure, including healthcare, agriculture, and energy. Chinese state-sponsored APT groups have shown a growing interest in targeting US water facilities, leveraging many of the same techniques used in campaigns against other industries but with adaptations specific to the water and wastewater domain. This infrastructure includes municipal water utilities, wastewater treatment plants, and regional distribution networks; many facilities rely on ICS and SCADA technologies. Increased intrusions in the water and wastewater sector highlight a broader strategy to gain persistent access to systems that would be strategically significant during a geopolitical conflict.
2. Tactics, Techniques, and Procedures
The water sector is particularly vulnerable to cyber threats. Many facilities, especially smaller utilities, rely on outdated technology. This is largely due to limited funding and technical staff. Poor patch management and misconfigured controls can exacerbate the problem, exposing critical systems on the web. Access typically begins with threat actors identifying vulnerable systems and leveraging known exploits to gain entry.
Third-party vendors are another common point of access. Water utilities often outsource services for IT support, SCADA system integration, remote monitoring, and more. These vendors are usually provided with privileged access to the control environments they service. By compromising a trusted partner, threat actors may be able to bypass system defenses and even gain administrative access to sensitive utility networks.
Threat actors utilize LoTL techniques once inside, leveraging legitimate credentials and native tooling to avoid triggering conventional alerts. They have been observed conducting internal reconnaissance to identify lateral movement paths across interconnected assets, including unmanaged OT endpoints and exposed admin shares. In cases where centralized logging was absent or poorly configured, they maintained persistence for extended periods without detection.
Credential theft is a core component of these operations. Threat actors may use tools such as Mimikatz to extract administrator and service account credentials from memory, which are then used to access additional systems or devices, including those that manage chemical dosing, pressure systems, or water flow rates. Critically, the IT and OT networks in water utilities are usually poorly segmented. This allows threat actors to move from administrative systems into operational environments using compromised accounts, where they can manipulate physical processes.
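Both this section and the energy sector assessment above identify poor IT/OT segmentation as the condition that turns a stolen administrator credential into control over physical processes. The audit below is an added example, not code from the NJCCIC page or any firewall vendor, showing what "segmentation" means as an enforceable rule: only a designated jump host may cross from the business zone into the control zone, only on interactive-admin ports, never speaking an ICS protocol directly, and the control zone never initiates connections outward. The zone subnets, jump host, and flow lines are constructed; the ICS ports are the standard registered ports for those protocols.

```python
"""IT/OT segmentation audit over firewall flow records.

Added example, not code from the NJCCIC page or any firewall vendor. The zone
subnets, jump host, port policy and flow lines are constructed; the ICS protocol
ports are the standard registered ports for those protocols.
"""
from ipaddress import ip_address, ip_network
from typing import List, Optional, Tuple

IT_ZONE = ip_network("10.0.0.0/16")           # business network (assumed layout)
OT_ZONE = ip_network("192.168.100.0/24")      # control network (assumed layout)
JUMP_HOSTS = {ip_address("10.0.50.5")}        # the only IT hosts allowed into OT
JUMP_ALLOWED_PORTS = {22, 3389}               # and only for interactive admin sessions
ICS_PORTS = {102: "S7comm", 502: "Modbus/TCP", 20000: "DNP3", 44818: "EtherNet/IP"}

# Constructed flow lines: "src dst dport", as a firewall's accepted-connection log.
FLOW_LOG = """
10.0.50.5 192.168.100.10 3389
10.0.12.34 192.168.100.10 3389
10.0.50.5 192.168.100.20 502
192.168.100.10 192.168.100.20 502
10.0.12.34 10.0.1.1 445
192.168.100.20 10.0.7.7 443
"""


def zone(ip) -> Optional[str]:
    """Map an address to its zone, or None when it is outside both."""
    if ip in IT_ZONE:
        return "IT"
    if ip in OT_ZONE:
        return "OT"
    return None


def check_flow(src: str, dst: str, dport: int) -> Tuple[bool, str]:
    """Return (ok, reason) for a single accepted connection under the policy above."""
    s, d = ip_address(src), ip_address(dst)
    zs, zd = zone(s), zone(d)
    if zs == "IT" and zd == "OT":
        if dport in ICS_PORTS:
            return False, f"IT host speaking {ICS_PORTS[dport]} directly to OT"
        if s not in JUMP_HOSTS:
            return False, "IT host reaching OT without passing through the jump host"
        if dport not in JUMP_ALLOWED_PORTS:
            return False, f"jump host using non-admin port {dport}"
        return True, "jump-host admin session"
    if zs == "OT" and zd == "IT":
        return False, "OT-initiated connection into IT"   # assumption: OT never initiates
    return True, "intra-zone or out of scope"


def audit(log_text: str) -> List[Tuple[str, str, int, str]]:
    """Parse the log and return every flow that violates the policy."""
    violations = []
    for line in log_text.strip().splitlines():
        src, dst, port = line.split()
        ok, reason = check_flow(src, dst, int(port))
        if not ok:
            violations.append((src, dst, int(port), reason))
    return violations


if __name__ == "__main__":
    for src, dst, port, reason in audit(FLOW_LOG):
        print(f"VIOLATION {src} -> {dst}:{port}: {reason}")
```

Run against the constructed log, the audit flags three flows: a non-jump IT workstation opening RDP to a control host, the jump host itself talking Modbus directly to a controller, and an OT device calling out to IT. The same rules, expressed as deny entries on the zone boundary firewall, are what stops the IT-to-OT pivot the text describes; the audit form is useful for finding the exceptions that already exist.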
In targeted cases, threat actors may deploy custom malware. Variants of ShadowPad and China Chopper have been observed in such operations. This malware can be embedded within vendor support tools or disguised as legitimate software updates.
3. Recent and Notable Activity
China-linked threat actors have increasingly targeted the water and wastewater sector, exploiting poorly segmented OT networks and remote access tools maintained by third-party vendors. These intrusions have shifted from opportunistic probes to deliberate campaigns focused on gaining access to operational technology (OT) responsible for water treatment, chemical dosing, and distribution controls.
Chinese APT groups, including Volt Typhoon, have been observed targeting these facilities through unsecured remote access points and vendor software vulnerabilities. In several observed cases, attackers leveraged exposed VPN endpoints or compromised contractor accounts to access control systems running on legacy Windows servers and outdated SCADA interfaces. Once inside, they employ credential harvesting and living-off-the-land techniques to blend into legitimate administrative activity. Their access allows for the manipulation of physical processes and the disruption of water safety and availability—posing a direct threat to public health and civil stability in a conflict scenario.
In 2021, attackers attempted to manipulate chemical dosing levels at the Oldsmar, Florida, treatment facility via a remote access platform. More recently, in 2023, US officials warned of Chinese reconnaissance targeting utilities in Texas and Pennsylvania, using exposed VPNs and contractor credentials to access SCADA systems. These intrusions show a growing intent to manipulate physical processes and degrade civilian infrastructure readiness.
4. Implications and Impact
Many municipal water utilities operate with limited budgets and outdated infrastructure. As one of the most under-resourced domains, they often lack adequate means to implement cybersecurity measures. A large-scale cyberattack against the US water and wastewater sector would have grave implications for the health and well-being of communities nationwide. Threat actors can exploit critical security gaps to gain control over chemical dosing systems and water flow controllers. The impact would ripple through other industries, potentially disrupting the entire critical infrastructure system.
Almost immediately, the availability and safety of drinking water would be threatened. Disruptions at water treatment facilities could lead to service outages affecting thousands. In more severe attacks, treatment processes that manage and maintain safe chlorine or fluoride levels could be manipulated or used to introduce biological or chemical hazards.
National security and emergency response would also be impacted. Many military bases and defense contractors rely on civilian water systems. By disabling water services at or near key facilities, cyberattacks could impair base operations and defense efforts. In addition, compromised water infrastructure could prevent emergency relief activities like firefighting and water purification during a crisis.
The economic consequences could be costly. Water services are foundational to various industries and municipal functions, and the financial costs of restoring service and mitigating contamination events would be substantial, especially for underfunded utilities that lack cyber insurance. Industries depending on clean water, including agriculture, manufacturing, and food processing, would face expensive shutdowns and product loss. Municipalities and local governments would bear significant financial burdens, from emergency infrastructure repairs to public communication efforts and potential legal liabilities.
Cyberattacks on the water sector also endanger public health and safety, as water could be polluted or become unavailable entirely. Hygiene and sanitation would quickly deteriorate, especially in densely populated areas. However, the impact could last beyond the immediate disruption to daily life. Contamination fears or service interruptions could fuel civil unrest and mistrust that lingers long after clean water access is restored.
5. Risk Assessment
The NJCCIC has assessed the water and wastewater sector as a critical risk due to its growing exposure to cyber intrusions and its essential role in public health and sanitation, infrastructure continuity, and military readiness. Both the likelihood and potential impact of a successful cyberattack are considered high. This assessment is based on the increased exposure of municipal and regional water utilities to industrial control system (ICS) compromise, particularly in facilities that rely on outdated technology. Chinese state-sponsored threat actors have demonstrated an interest in manipulating chemical dosing operations and disrupting water flow, which could threaten civilian safety and degrade operations across dependent sectors.
E. Transportation
1. Overview
The transportation sector is among the most interconnected elements of US infrastructure. It plays a vital role in commuting and travel, fuel distribution and supply chain networks, and military movement. China-linked APT groups likely view this domain as a tool of strategic disruption that can be exploited to impede national response capabilities. Transportation infrastructure includes rail signaling, port operations, fleet logistics systems, air traffic control, and satellite-based navigation. Cyber activity against the sector often prioritizes persistent access and reconnaissance that threat actors can leverage during a geopolitical crisis.
2. Tactics, Techniques, and Procedures
The transportation sector is a broad network of distributed infrastructure that is facing increased exposure to cyberattacks. This includes customer portals, remote access platforms, SCADA systems, and more. One of the most frequent entry points is web-facing devices with known vulnerabilities. Many of these systems, particularly VPN and remote access appliances from vendors like Fortinet and Pulse Secure, are targeted within hours of new exploits becoming publicly available.
Threat actors also target third-party vendors to infiltrate key networks. Many organizations in the transportation sector rely on external IT support, logistics software, maintenance contractors, and more. Service providers are often granted privileged system access, which threat actors can leverage to move laterally into the primary network.
Upon gaining access, the threat actors use LoTL techniques to evade detection. They abuse legitimate system tools to extract sensitive data and establish footholds. This approach helps them disguise their activity within legitimate traffic and maintain prolonged access across both IT and OT environments. It also minimizes the efficacy of detection software as they conduct reconnaissance and compromise additional systems on the network.
Credential theft is a common element of these attacks. Threat actors typically either dump LSASS memory or use tools like Mimikatz to extract valid account credentials. Those credentials can then be used to escalate privileges and pivot across systems; because weak segmentation between IT and OT environments is common in the transportation sector, this pivoting often carries the intruder directly into sensitive control domains.
Custom malware and backdoors may also be deployed. Variants like ShadowPad, PlugX, or China Chopper enable threat actors to maintain persistence or facilitate command-and-control. These tools are designed to blend in with regular network activity and avoid detection by endpoint security solutions.
3. Recent and Notable Activity
Chinese cyber activity against the transportation sector has expanded significantly, and APT groups are increasingly focused on transportation networks as critical chokepoints for supply chain disruption and military mobilization delay. Volt Typhoon and associated actors have targeted operational systems in ports, rail control environments, and fleet management infrastructure. These campaigns often begin with the exploitation of VPN appliances, third-party logistics platforms, or exposed remote access interfaces. Threat actors then establish persistence and conduct reconnaissance to map dependencies and identify high-impact targets. Their objective is to pre-position within transportation networks and, if activated, disable or degrade transit operations at scale.
In 2023, Volt Typhoon was observed accessing rail signaling and port operations in Guam as part of a broader campaign targeting US Pacific infrastructure. CISA and TSA have also issued advisories regarding threats to transportation operators through VPN exploitation, third-party logistics platforms, and fleet management systems. These efforts suggest a deliberate strategy to map and impair operational systems at scale.
4. Implications and Impact
The transportation sector is an attractive target for adversaries seeking to disrupt the movement of people and goods. It includes road, rail, air, and maritime systems and the digital infrastructure used to coordinate fleet movements, cargo handling, and logistics. A well-timed intrusion could delay critical deliveries, stall flights or trains, and interfere with emergency mobilization, introducing risks to economic stability, national readiness, and public safety.
Civilian mobility would immediately falter as public transit systems and air travel shut down, stranding millions of people. Commercial logistics may also be impacted. Supply chain disruptions delaying the delivery of crucial goods could contribute to food and energy shortages that threaten national resiliency.
The US military would also be affected. Many defense logistics operations rely on civilian infrastructure for transportation. A cyberattack targeting key transportation networks could significantly disrupt national defense efforts. Critically, the mobilization of military equipment and personnel would be delayed, hindering the ability to organize forces and respond to a geopolitical crisis.
5. Risk Assessment
The NJCCIC has assessed the transportation sector as a critical risk due to its dependence on integrated IT and operational technology (OT) systems and its pivotal role in enabling national logistics, supply chain continuity, and disaster response. Both the likelihood and potential impact of a successful cyberattack are considered high. This assessment is based on mounting evidence of adversary reconnaissance and pre-positioning activity targeting transportation networks and demonstrated capabilities to impair air traffic systems, rail signaling, maritime operations, and logistics platforms. Chinese state-sponsored actors have shown increasing interest in compromising operational control environments that support fleet management, port automation, and transit scheduling systems. These operations directly threaten troop deployment timelines, fuel and materiel distribution, and civilian mobility during a crisis. The sector’s wide use of legacy OT systems, vendor-managed infrastructure, and often unmonitored remote access pathways further increases its exposure to targeted disruption.
IV. Recommendations and Technical Guidance
Cybersecurity policies across all levels of operation are crucial for securing US critical infrastructure, particularly in the communications, energy, water and wastewater, and transportation sectors. Cyber activity sponsored by China will continue to target these high-risk sectors, threatening public safety and national security. To mitigate these risks, the NJCCIC advises that organizations implement layered defense strategies that prioritize strong cyber hygiene, detection and monitoring, and secure system architecture.
Resilient cybersecurity plans emphasize the importance of cyber hygiene, which encompasses the foundational practices that reduce exposure to common threats and prevent adversaries from gaining footholds within critical systems. Password reuse, weak credentials, and unsecured access points are among the top causes of system breaches. Employees should be required to create unique and complex passwords, and organizations should also enforce the use of password managers to avoid password reuse or other unsafe habits that increase the likelihood of account compromise. Multi-factor authentication (MFA) should be mandatory where available, especially for remote access, privileged accounts, and administrative interfaces. MFA adds a critical second layer of defense so that a compromised password alone does not grant account access; phishing-resistant methods such as FIDO2 security keys or certificate-based authentication should be preferred over SMS codes or push approvals, which can be intercepted or fatigued.
Additional cornerstones of cyber hygiene are effective patch management and secure system architecture. Cyberattacks against these sectors typically exploit known vulnerabilities for which patches already exist. Failing to apply software updates leaves systems exposed and vulnerable to threat activity. Organizations are advised to inventory all network assets, regularly track new vulnerabilities as they are disclosed, monitor for new patches as they become available, and prioritize addressing high-severity vulnerabilities immediately, especially those in web-facing or critical systems. Organizations should also implement network segmentation and intrusion detection. Tested, offline backup procedures to ensure continuity during a ransomware attack or sabotage are recommended.
Each sector also presents unique risks and distinct operational challenges that organizations must address with tailored mitigations. These are outlined below.
A. Communications
To defend against APT groups like Volt Typhoon, organizations in the communications sector must implement hardened controls across both IT and OT systems, particularly where legacy telecom equipment intersects with modern IP-based routing and authentication services.
Access to signaling infrastructure—including BGP routers, SS7 nodes, VoIP control systems, and DNS authoritative servers—should be strictly segmented and protected using multi-factor authentication (MFA) and role-based access controls (RBAC).
Authentication services such as RADIUS, LDAP, and Kerberos ticketing systems should be continuously monitored for credential abuse, lateral movement, or the presence of tools like Mimikatz, which Volt Typhoon actors frequently use to dump credentials and tokens.
Deploy network flow analysis (NetFlow/sFlow/IPFIX) and deep packet inspection (DPI) at internal chokepoints to identify anomalous routing updates, protocol abuse (e.g., unauthorized BGP route advertisements or malformed SS7 messages), or covert beaconing activity often used for command-and-control (C2).
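As an added illustration of the route-validation check described above, and not part of the NJCCIC guidance or any vendor product, the following Python routine compares observed BGP announcements against an expected-origin table using RFC 6811 route-origin validation semantics: an announcement is valid only if a covering entry has the same origin AS and permits the announced prefix length, so both origin hijacks and more-specific hijacks are flagged. The expected-origin table, the peer addresses and the sample updates are constructed for the example (documentation prefixes and private ASNs); a production deployment would feed it from an RPKI validator or the organization's routing registry.

```python
import ipaddress

# Expected-origin table, hypothetical values standing in for RPKI ROAs or an
# internal routing registry: prefix -> (authorized origin AS, max prefix length).
EXPECTED_ORIGINS = {
    "192.0.2.0/24": (64500, 24),
    "198.51.100.0/22": (64500, 24),
    "203.0.113.0/24": (64501, 24),
}

# Constructed sample of route updates as a collector or route server would see
# them (documentation prefixes and private ASNs, not real announcements).
SAMPLE_UPDATES = [
    {"prefix": "192.0.2.0/24", "origin_as": 64500, "peer": "10.0.0.1"},
    {"prefix": "198.51.100.0/23", "origin_as": 64500, "peer": "10.0.0.1"},
    {"prefix": "203.0.113.0/25", "origin_as": 64501, "peer": "10.0.0.2"},  # more specific than allowed
    {"prefix": "192.0.2.0/24", "origin_as": 64666, "peer": "10.0.0.3"},    # wrong origin AS
    {"prefix": "100.64.0.0/10", "origin_as": 64500, "peer": "10.0.0.3"},    # no entry at all
]


def validate_origin(prefix, origin_as, table=EXPECTED_ORIGINS):
    """Route-origin validation for one update: returns (state, reason).

    state is "valid", "invalid" or "not_found". A covering entry is one whose
    prefix contains the announced prefix; the update is valid only if some
    covering entry has the same origin AS and permits the announced length.
    """
    net = ipaddress.ip_network(prefix, strict=False)
    covering = []
    for entry_prefix, (asn, max_len) in table.items():
        entry_net = ipaddress.ip_network(entry_prefix)
        if net.version == entry_net.version and net.subnet_of(entry_net):
            covering.append((entry_net, asn, max_len))
    if not covering:
        return "not_found", "no expected-origin entry covers this prefix"
    reasons = []
    for entry_net, asn, max_len in covering:
        if asn != origin_as:
            reasons.append(f"origin AS{origin_as} != expected AS{asn} for {entry_net}")
        elif net.prefixlen > max_len:
            reasons.append(f"/{net.prefixlen} is more specific than max /{max_len} for {entry_net}")
        else:
            return "valid", f"matches {entry_net} AS{asn}"
    return "invalid", "; ".join(reasons)


def flag_updates(updates, table=EXPECTED_ORIGINS):
    """Return the updates that are not valid, annotated with their state and reason."""
    flagged = []
    for upd in updates:
        state, reason = validate_origin(upd["prefix"], upd["origin_as"], table)
        if state != "valid":
            flagged.append({**upd, "state": state, "reason": reason})
    return flagged


if __name__ == "__main__":
    for f in flag_updates(SAMPLE_UPDATES):
        print(f"{f['state']:9} {f['prefix']:18} AS{f['origin_as']} via {f['peer']}: {f['reason']}")
```

The "not_found" state is reported separately from "invalid" on purpose: an unknown prefix is usually a registry gap to fix, whereas an invalid one with a covering entry is the signature of a hijack or a misconfigured peer and warrants an immediate look at the advertising session.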
Ensure strict separation of management and operational planes in OT-adjacent telecom hardware, such as core switches, softswitches, and signaling gateways. This includes isolating control systems used for provisioning (e.g., SIP registrars or HLR/VLR databases) from external interfaces accessible via VPN or vendor support tunnels.
Continuously validate the integrity of firmware and configuration baselines on edge devices such as firewalls, session border controllers (SBCs), and customer premises equipment (CPE), all of which have been targeted in Volt Typhoon’s low-profile, living-off-the-land campaigns.
B. Energy
Chinese APTs such as APT41 and Volt Typhoon have demonstrated the capability to persist within ICS/SCADA environments, often by pivoting from exposed IT assets into OT domains. Energy providers must focus on strict IT/OT segmentation, credential hygiene, and visibility within industrial control protocols.
DMZ architecture must enforce unidirectional data flow between corporate IT and control systems (e.g., historian push-only to IT). Access to HMI terminals, PLC programming interfaces, and SCADA servers must be isolated from remote administration portals unless tunneled through secure jump servers with full session recording.
Monitor for lateral movement tools such as Impacket, PsExec, and remote WMI—all frequently used by Volt Typhoon to traverse ICS-connected Windows environments. Alert on unauthorized use of SMB, RDP, and RPC across OT VLANs.
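The following Python script is an added example, not part of the NJCCIC guidance or of any monitoring product, of the alerting rule above applied to a Zeek conn.log: it flags SMB, RPC and RDP sessions into the OT address space that do not originate from an approved jump host, and then groups the hits by source so that one workstation reaching several OT hosts over admin channels stands out as a pivot. The OT VLAN, the jump host address and the log excerpt are constructed for the example; only the Zeek field names (ts, id.orig_h, id.resp_h, id.resp_p, proto, service) are real.

```python
import ipaddress

# Hypothetical addressing: the OT VLAN and the one jump server that is allowed
# to reach OT hosts administratively. Adjust to the site's real address plan.
OT_VLANS = [ipaddress.ip_network("10.50.0.0/16")]
JUMP_HOSTS = {ipaddress.ip_address("10.10.5.5")}
# Channels the lateral-movement tools named above ride on: PsExec and the
# Impacket *exec family stage over SMB, remote WMI/DCOM starts at the RPC
# endpoint mapper, and interactive pivots use RDP.
WATCHED_PORTS = {445: "SMB", 135: "RPC", 3389: "RDP"}

# Constructed Zeek conn.log excerpt (tab separated, Zeek field names); not real traffic.
SAMPLE_CONN_LOG = """\
#fields\tts\tid.orig_h\tid.orig_p\tid.resp_h\tid.resp_p\tproto\tservice
1717000000.1\t10.10.5.5\t50111\t10.50.1.20\t3389\ttcp\tssl
1717000012.4\t10.10.22.7\t50234\t10.50.1.20\t445\ttcp\tsmb
1717000020.0\t10.10.22.7\t50235\t10.50.1.21\t135\ttcp\tdce_rpc
1717000030.9\t10.10.22.7\t50236\t10.10.30.4\t445\ttcp\tsmb
1717000041.2\t10.50.1.20\t40000\t10.50.1.30\t502\ttcp\tmodbus
"""


def parse_conn_log(text):
    """Yield one dict per record, naming columns from the #fields header line."""
    fields = None
    for line in text.splitlines():
        if line.startswith("#fields"):
            fields = line.split("\t")[1:]
        elif line and not line.startswith("#") and fields:
            yield dict(zip(fields, line.split("\t")))


def in_ot(addr):
    return any(addr in net for net in OT_VLANS)


def find_ot_lateral_movement(text):
    """Flag SMB/RPC/RDP sessions to OT hosts whose source is not an approved jump host."""
    alerts = []
    for rec in parse_conn_log(text):
        src = ipaddress.ip_address(rec["id.orig_h"])
        dst = ipaddress.ip_address(rec["id.resp_h"])
        port = int(rec["id.resp_p"])
        if port in WATCHED_PORTS and in_ot(dst) and src not in JUMP_HOSTS:
            alerts.append({"ts": rec["ts"], "src": str(src), "dst": str(dst),
                           "port": port, "channel": WATCHED_PORTS[port]})
    return alerts


def fan_out_sources(alerts, min_hosts=2):
    """A source touching several OT hosts over admin channels looks like a pivot, not a typo."""
    targets = {}
    for a in alerts:
        targets.setdefault(a["src"], set()).add(a["dst"])
    return {src: sorted(hosts) for src, hosts in targets.items() if len(hosts) >= min_hosts}


if __name__ == "__main__":
    found = find_ot_lateral_movement(SAMPLE_CONN_LOG)
    for a in found:
        print(f"{a['ts']} {a['channel']:4} {a['src']} -> {a['dst']}:{a['port']}")
    print("pivot candidates:", fan_out_sources(found))
```

In the sample, the RDP session from the jump host is accepted, the SMB session between two IT hosts is out of scope, and the Modbus poll inside the OT VLAN is not an admin channel; the two remaining records, both from 10.10.22.7, produce alerts and a pivot candidate. The same rule expressed in a SIEM query should also allow for the service field being empty on short or failed connections, which is why the port rather than the service label drives the match.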
Deploy deep packet inspection for ICS protocols like Modbus, DNP3, OPC, and IEC 60870-5-104. Look for out-of-sequence function codes, changes to control points, or rogue devices issuing write commands—a strong indicator of adversary presence.
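To make the Modbus part of that guidance concrete, the following Python code is an added example (not NJCCIC's, and not taken from any DPI product) that parses Modbus/TCP request frames from their MBAP header, distinguishes write function codes from reads, and raises findings for writes from hosts outside a write allowlist, for authorized writes that touch a designated setpoint register range, and for frames that are malformed or carry an unexpected function code. The host addresses, the allowlist, the critical register range and the captured frames are all constructed for the example; the frame layout (transaction id, protocol id 0, length, unit id, function code, data) is the real Modbus/TCP format.

```python
import struct

# Function codes that change process state versus those that only read it.
WRITE_FC = {5: "write single coil", 6: "write single register",
            15: "write multiple coils", 16: "write multiple registers"}
READ_FC = {1, 2, 3, 4}
# Hypothetical policy: only the engineering workstation may write, and holding
# registers 100-110 hold setpoints that deserve an audit record even when the
# writer is authorized.
WRITE_ALLOWED = {"10.50.2.10"}
CRITICAL_REGISTERS = (100, 110)


def mbap(tid, unit, pdu):
    """Prepend the Modbus/TCP MBAP header: transaction id, protocol id 0, length, unit id."""
    return struct.pack(">HHHB", tid, 0, len(pdu) + 1, unit) + pdu


# Constructed traffic as (source, destination, raw frame); not a real capture.
SAMPLE_PACKETS = [
    ("10.50.1.20", "10.50.1.30", mbap(1, 1, struct.pack(">BHH", 3, 0, 10))),     # HMI reads 10 holding registers
    ("10.50.2.10", "10.50.1.30", mbap(2, 1, struct.pack(">BHH", 6, 100, 750))),  # EWS writes setpoint register 100
    ("10.50.9.77", "10.50.1.30", mbap(3, 1, struct.pack(">BHHB", 16, 100, 2, 4)
                                      + struct.pack(">HH", 750, 800))),          # unknown host writes 2 registers
    ("10.50.1.20", "10.50.1.30", struct.pack(">HHHB", 4, 1, 6, 1)
                                 + struct.pack(">BHH", 3, 0, 10)),                # protocol id 1: not Modbus
    ("10.50.1.20", "10.50.1.30", mbap(5, 1, bytes([0x64, 0x00]))),               # user-defined function 0x64
]


def parse_modbus_tcp(frame):
    """Parse one Modbus/TCP request; raise ValueError if the header or PDU is malformed."""
    if len(frame) < 8:
        raise ValueError("truncated frame")
    tid, proto, length, unit = struct.unpack(">HHHB", frame[:7])
    if proto != 0:
        raise ValueError(f"protocol id {proto} is not Modbus")
    if length != len(frame) - 6:
        raise ValueError(f"length field {length} disagrees with frame size {len(frame)}")
    fc, data = frame[7], frame[8:]
    pdu = {"tid": tid, "unit": unit, "fc": fc}
    if fc in READ_FC or fc in WRITE_FC:
        if len(data) < 4:
            raise ValueError(f"function {fc} needs a 4-byte address/quantity field")
        start, second = struct.unpack(">HH", data[:4])
        pdu["start"] = start
        pdu["count"] = 1 if fc in (5, 6) else second   # single writes carry a value, not a count
    return pdu


def touches_critical(pdu):
    lo, hi = CRITICAL_REGISTERS
    return pdu["start"] <= hi and pdu["start"] + pdu["count"] - 1 >= lo


def inspect_packets(packets):
    """Findings for unauthorized writes, setpoint changes, malformed frames and odd function codes."""
    findings = []
    for src, dst, frame in packets:
        try:
            pdu = parse_modbus_tcp(frame)
        except ValueError as err:
            findings.append({"severity": "medium", "src": src, "dst": dst,
                             "reason": f"malformed frame: {err}"})
            continue
        fc = pdu["fc"]
        if fc in WRITE_FC:
            what = f"{WRITE_FC[fc]} at {pdu['start']} (count {pdu['count']})"
            if src not in WRITE_ALLOWED:
                findings.append({"severity": "high", "src": src, "dst": dst, "reason": f"unauthorized {what}"})
            elif touches_critical(pdu):
                findings.append({"severity": "info", "src": src, "dst": dst, "reason": f"setpoint change: {what}"})
        elif fc not in READ_FC:
            findings.append({"severity": "medium", "src": src, "dst": dst,
                             "reason": f"unexpected function code {fc:#x}"})
    return findings


if __name__ == "__main__":
    for f in inspect_packets(SAMPLE_PACKETS):
        print(f"[{f['severity']}] {f['src']} -> {f['dst']}: {f['reason']}")
```

Modbus has no authentication, so the source address and the function code are the only signals available at the wire; the allowlist therefore has to be paired with the segmentation rules above, and the "info" audit trail for authorized setpoint writes is what lets an analyst reconcile a process excursion with the change that caused it.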
Use asset inventory and passive OT monitoring tools (e.g., Nozomi, Claroty, Dragos) to baseline expected communications and detect anomalous command traffic or firmware changes on field devices.
APT41 has previously weaponized vendor support tools and outdated VPN concentrators to establish long-term access. All vendor access should be time-bound, approval-based, and recorded, with telemetry exported to a centralized SIEM for correlation with ICS activity.
C. Water and Wastewater
Water utilities—especially smaller or municipal ones—are frequent targets due to outdated ICS, limited logging, and reliance on third-party vendors. Volt Typhoon and other Chinese actors aim to manipulate chemical dosing, pump control, or SCADA telemetry to degrade water quality or disable distribution.
All remote access to water SCADA systems (chlorine dosing, booster stations, flow control) must go through hardened gateways with multi-factor authentication, geofencing, and IP allowlisting.
Monitor authentication logs for repeated failed logins or anomalous logon times, especially on Windows-based HMI systems. Volt Typhoon actors often perform after-hours access and escalate privileges via token impersonation or LSASS dumping.
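The following Python routines are an added example, not part of the NJCCIC guidance, of the two checks just described run over Windows Security events: a sliding-window count of failed logons (event 4625) per account and host, and a check for successful logons (event 4624) on HMI hosts outside operating hours, annotated with whether a failure burst immediately preceded the success. The host names, the business-hours window, the thresholds and the event records are constructed for the example; the event IDs and logon-type values are the real Windows ones.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Hypothetical policy values for a treatment plant's Windows HMI hosts.
HMI_HOSTS = {"HMI-CL2-01", "HMI-PUMP-02"}
BUSINESS_HOURS = (6, 18)                  # operators log on between 06:00 and 18:00 local
FAIL_THRESHOLD, FAIL_WINDOW = 5, timedelta(minutes=10)

# Constructed subset of Windows Security events (4625 = failed logon, 4624 =
# successful logon; logon type 10 = RemoteInteractive/RDP, 2 = console). Not real logs.
SAMPLE_EVENTS = [
    {"time": "2025-03-04T02:01:10", "event_id": 4625, "account": "svc_scada", "host": "HMI-CL2-01", "logon_type": 10, "src_ip": "10.10.22.7"},
    {"time": "2025-03-04T02:02:05", "event_id": 4625, "account": "svc_scada", "host": "HMI-CL2-01", "logon_type": 10, "src_ip": "10.10.22.7"},
    {"time": "2025-03-04T02:03:00", "event_id": 4625, "account": "svc_scada", "host": "HMI-CL2-01", "logon_type": 10, "src_ip": "10.10.22.7"},
    {"time": "2025-03-04T02:03:55", "event_id": 4625, "account": "svc_scada", "host": "HMI-CL2-01", "logon_type": 10, "src_ip": "10.10.22.7"},
    {"time": "2025-03-04T02:04:50", "event_id": 4625, "account": "svc_scada", "host": "HMI-CL2-01", "logon_type": 10, "src_ip": "10.10.22.7"},
    {"time": "2025-03-04T02:06:12", "event_id": 4624, "account": "svc_scada", "host": "HMI-CL2-01", "logon_type": 10, "src_ip": "10.10.22.7"},
    {"time": "2025-03-04T09:15:00", "event_id": 4624, "account": "jsmith", "host": "HMI-CL2-01", "logon_type": 2, "src_ip": "-"},
    {"time": "2025-03-04T23:40:31", "event_id": 4624, "account": "opsuser", "host": "HMI-PUMP-02", "logon_type": 10, "src_ip": "10.10.40.9"},
]


def _ts(event):
    return datetime.fromisoformat(event["time"])


def detect_failed_logon_bursts(events):
    """Alert once per (account, host) whose 4625 count reaches FAIL_THRESHOLD within FAIL_WINDOW."""
    failures = defaultdict(list)
    for ev in sorted(events, key=_ts):
        if ev["event_id"] == 4625:
            failures[(ev["account"], ev["host"])].append(_ts(ev))
    alerts = []
    for (account, host), times in failures.items():
        start = 0
        for end, t in enumerate(times):
            while t - times[start] > FAIL_WINDOW:      # slide the window's left edge
                start += 1
            if end - start + 1 >= FAIL_THRESHOLD:
                alerts.append({"kind": "failed_logon_burst", "account": account, "host": host,
                               "count": end - start + 1, "until": t.isoformat()})
                break
    return alerts


def detect_after_hours_hmi_logons(events):
    """Alert on 4624 successes on HMI hosts outside business hours, noting a preceding burst."""
    bursts = {(a["account"], a["host"]): a for a in detect_failed_logon_bursts(events)}
    alerts = []
    for ev in sorted(events, key=_ts):
        if ev["event_id"] != 4624 or ev["host"] not in HMI_HOSTS:
            continue
        if BUSINESS_HOURS[0] <= _ts(ev).hour < BUSINESS_HOURS[1]:
            continue
        key = (ev["account"], ev["host"])
        preceded = key in bursts and datetime.fromisoformat(bursts[key]["until"]) <= _ts(ev)
        alerts.append({"kind": "after_hours_logon", "account": ev["account"], "host": ev["host"],
                       "logon_type": ev["logon_type"], "src_ip": ev["src_ip"],
                       "preceded_by_burst": preceded})
    return alerts


def run_all(events):
    return detect_failed_logon_bursts(events) + detect_after_hours_hmi_logons(events)


if __name__ == "__main__":
    for a in run_all(SAMPLE_EVENTS):
        print(a)
```

A success that follows a failure burst on the same account and host is the pattern a password-guessing or credential-stuffing pivot leaves behind, which is why the second check carries the burst result forward rather than reporting the two in isolation.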
Segment treatment plant operational systems from billing/customer portals and vendor maintenance workstations. Firewalls should strictly block inbound access to OT devices unless traffic originates from safelisted jump boxes.
Use change detection tools to monitor for alterations in PLC ladder logic, setpoint values, or firmware revisions—especially in devices managing chemical injectors or pump pressure.
Establish baselines for regular ICS command traffic and SCADA polling intervals. Anomalies in polling frequency, device command latency, or unsolicited write requests can indicate adversarial manipulation.
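As an added example of the timing baseline described above (not NJCCIC's code and not from any OT monitoring product), the following Python code derives the median poll interval and median response latency for one master/slave pair from a baseline window, then scans a live window for stalled polling, unexpected poll bursts, and slow responses. The poll records are constructed as (timestamp, transaction id, request/response) tuples; the multipliers used as thresholds are assumptions to be tuned per device.

```python
import statistics


def make_poll(ts, tid, latency):
    """Constructed request/response pair for one poll; not captured traffic."""
    return [(ts, tid, "req"), (ts + latency, tid, "resp")]


# Baseline window: a steady 2 s poll with a 20 ms reply. Live window: the same
# cadence, then 9 s of silence, a slow reply, and an immediate re-poll.
BASELINE_RECORDS = [r for i in range(20) for r in make_poll(i * 2.0, i, 0.02)]
LIVE_RECORDS = (make_poll(100.0, 50, 0.02) + make_poll(102.0, 51, 0.02) + make_poll(104.0, 52, 0.02)
                + make_poll(113.0, 53, 0.35)    # 9 s gap before this request, slow response
                + make_poll(113.1, 54, 0.02)    # re-poll 100 ms later: burst
                + make_poll(115.1, 55, 0.02))


def request_intervals(records):
    """(timestamp, gap since previous request) for each request after the first."""
    reqs = sorted(ts for ts, _, kind in records if kind == "req")
    return [(b, b - a) for a, b in zip(reqs, reqs[1:])]


def response_latencies(records):
    """(response timestamp, transaction id, latency) by matching responses to requests on tid."""
    pending, out = {}, []
    for ts, tid, kind in sorted(records):
        if kind == "req":
            pending[tid] = ts
        elif tid in pending:
            out.append((ts, tid, ts - pending.pop(tid)))
    return out


def build_baseline(records):
    return {"interval": statistics.median(d for _, d in request_intervals(records)),
            "latency": statistics.median(lat for _, _, lat in response_latencies(records))}


def detect_timing_anomalies(records, baseline, stall=2.0, burst=0.5, slow=3.0):
    """Flag gaps longer than stall x, gaps shorter than burst x, and replies slower than slow x baseline."""
    anomalies = []
    for ts, delta in request_intervals(records):
        if delta > stall * baseline["interval"]:
            anomalies.append({"kind": "stall", "at": ts, "value": round(delta, 3)})
        elif delta < burst * baseline["interval"]:
            anomalies.append({"kind": "burst", "at": ts, "value": round(delta, 3)})
    for ts, tid, lat in response_latencies(records):
        if lat > slow * baseline["latency"]:
            anomalies.append({"kind": "latency", "at": ts, "tid": tid, "value": round(lat, 3)})
    return anomalies


if __name__ == "__main__":
    base = build_baseline(BASELINE_RECORDS)
    print("baseline:", base)
    for a in detect_timing_anomalies(LIVE_RECORDS, base):
        print(a)
```

A stall followed by a slow reply and a burst of re-polls is also what a failing network link or an overloaded PLC looks like, so the value of this check lies in correlating it with the write-command and segmentation findings from the other controls rather than in treating any single timing excursion as hostile.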
D. Transportation
Transportation infrastructure—including rail systems, air traffic control, port operations, and fleet logistics platforms—faces growing risk from Chinese threat actors who aim to delay military mobilization and disrupt supply chains during geopolitical escalation.
Ensure SCADA and logistics control networks (e.g., rail signaling, airport runway systems, port crane automation) are physically and logically segmented from public-facing systems such as passenger portals or scheduling apps.
Deploy protocol-aware intrusion detection systems (IDS) for transport-related OT, such as CAN bus, Profinet, and serial-over-IP traffic used in legacy rail and aviation systems. Volt Typhoon has used stealthy C2 over nonstandard ports to evade detection in these environments.
Monitor for abuse of transportation vendor APIs (e.g., automated shipping manifests, flight route uploads), which can be manipulated to disrupt service continuity or spoof departure/arrival data.
Secure backend databases for fleet management, geolocation tracking, and fuel logistics with strong role-based access controls. Prior incidents have shown that weak permissions on logistics systems allow lateral movement into control environments.
Audit all remote connections—especially unmanaged cellular modems, satellite uplinks, and VPN appliances used in mobile transportation contexts—and deploy EDR agents on endpoints used for remote dispatch or route programming.
Sustained security across these sectors depends on integrating cybersecurity into daily operations. Cybersecurity plans must outline and enforce basic cyber best practices to reduce risk exposure and improve the ability of critical infrastructure organizations to respond to emerging threats. Regular risk assessments can further assist organizations in identifying potential vulnerabilities and evaluating the likelihood and severity of risks.
V. Conclusion
Chinese state-sponsored threat activity constitutes a critical risk to US national security, economic stability, and public safety. As detailed in this report, APT groups such as Volt Typhoon, APT41, and Salt Typhoon are actively engaged in campaigns designed to infiltrate and establish persistent access within key tiers of US critical infrastructure. These operations are strategic, intending to enable widespread disruption during a future conflict, particularly involving heightened tensions in the Indo-Pacific region and Taiwan.
The communications, energy, water and wastewater, and transportation sectors are at the highest level of risk. These sectors provide fundamental services, directly supporting emergency response, military readiness, supply chain continuity, and the daily functioning of civilian life. The NJCCIC’s risk assessment highlights the probability of continued cyber activity and the consequences of successful intrusions, which range from mass service outages and economic losses to degraded defense capabilities and compromised public health and well-being.
Tactics employed by Chinese-sponsored APT groups highlight a deliberate effort to pre-position for maximum operational disruption. These include the exploitation of unpatched vulnerabilities, credential theft, lateral movement across poorly segmented networks, and deploying stealthy backdoors within IT and operational technology environments. Leveraging legitimate access methods and living-off-the-land techniques further enables long-term persistence and evasion of traditional detection methods. Given the significance of target sectors, organizations are advised to implement proactive defense measures to counter these threats.
Cyber operations are expected to continue as China-linked actors expand their campaigns to degrade or disable essential US critical infrastructure from within. Countering these threats will require sustained coordination among organizations across the Communications, Energy, Water and Wastewater, and Transportation sectors in collaboration with state and local governments, federal agencies, and private-sector stakeholders. The NJCCIC will continue to monitor developments related to this cyber activity. As new information becomes available, ongoing analysis and threat intelligence updates will be provided.