Ongoing Cyberattack Prompts New CISA Guidance for Communications Infrastructure

Global cyberattack poses a serious threat to critical infrastructure.

US and international security agencies have warned that Chinese state hackers “have compromised networks of major global telecommunications providers to conduct a broad and significant cyber espionage campaign.”

“The PRC-affiliated cyber activity poses a serious threat to critical infrastructure, government agencies, and businesses,” said CISA Executive Assistant Director for Cybersecurity Jeff Greene. “Along with our US and international partners, we urge software manufacturers to incorporate Secure by Design principles into their development lifecycle to strengthen the security posture of their customers. Software manufacturers should review our Secure by Design resources and put their principles into practice.”

In light of this threat, the agencies – including CISA, FBI, NSA, and others – have jointly released a detailed new guidance document to help network administrators and defenders identify anomalous behavior, improve configuration, harden their devices, and limit the attackers’ access.

For example, the device hardening section for network engineers includes actions such as:

  • Use an out-of-band management network that is physically separate from the operational data flow network. Ensure that management of network infrastructure devices can only come from the out-of-band management network.
  • Implement a strict, default-deny ACL strategy to control inbound and egressing traffic and ensure all denied traffic is logged.
  • Employ strong network segmentation via the use of router ACLs, stateful packet inspection, firewall capabilities, and demilitarized zone (DMZ) constructs.
  • Place externally facing services, such as DNS, web servers, and mail servers, in a DMZ to provide segmentation from the internal LAN and backend resources.
  • Do not manage devices from the internet. Only allow device management from trusted devices on trusted networks.
  • Control access to device Virtual Teletype (VTY) lines with an ACL to restrict inbound lateral movement connections.
  • If using Simple Network Management Protocol (SNMP), ensure only SNMP v3 with encryption and authentication is used, along with ACL protections against unnecessary public exposure.
  • Disable all unnecessary discovery protocols, such as Cisco Discovery Protocol (CDP) or Link Layer Discovery Protocol (LLDP).
  • Disable Internet Protocol (IP) source routing.
  • Disable Secure Shell (SSH) version 1. Ensure only SSH version 2.0 is used with the following cryptographic considerations. For more information on acceptable algorithms, see NSA’s Network Infrastructure Security Guide.
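Several of the items above can be verified mechanically against a device's running configuration. The following auditor is an added example, not part of the CISA guidance or this article; it assumes Cisco IOS-style command syntax and runs against a constructed sample config, reporting which of the listed hardening items are not met.

```python
import re

# Constructed IOS-style config sample (not from the page): some items pass, some fail.
SAMPLE_CONFIG = """\
ip source-route
no lldp run
ip ssh version 2
snmp-server group NETMON v3 priv
snmp-server community public RO
line vty 0 4
 access-class MGMT-ONLY in
 transport input ssh
"""

def _vty_lines(config_text):
    """Collect the indented sub-commands of every 'line vty ...' stanza."""
    out, inside = [], False
    for raw in config_text.splitlines():
        if raw.startswith("line vty"):
            inside = True
        elif inside and raw.startswith(" "):
            out.append(raw.strip())
        else:
            inside = False
    return out

# (guidance item, predicate over global lines g and VTY sub-commands v). IOS enables
# CDP and IP source routing by default, so only the explicit 'no ...' form is compliant.
CHECKS = [
    ("IP source routing disabled", lambda g, v: "no ip source-route" in g),
    ("CDP disabled", lambda g, v: "no cdp run" in g),
    ("LLDP disabled", lambda g, v: "no lldp run" in g),
    ("SSH restricted to version 2", lambda g, v: "ip ssh version 2" in g),
    ("SNMPv3 auth+priv only, no v1/v2c community strings",
     lambda g, v: any(re.fullmatch(r"snmp-server group \S+ v3 priv", l) for l in g)
     and not any(l.startswith("snmp-server community ") for l in g)),
    ("VTY lines restricted by an inbound access-class",
     lambda g, v: any(re.fullmatch(r"access-class \S+ in", l) for l in v)),
    ("VTY transport limited to SSH", lambda g, v: "transport input ssh" in v),
]

def audit(config_text):
    """Return {guidance item: True/False} for every entry in CHECKS."""
    g = [l.strip() for l in config_text.splitlines() if l.strip()]
    return {item: bool(pred(g, _vty_lines(config_text))) for item, pred in CHECKS}

def failures(config_text):
    """Return the guidance items the config does not satisfy."""
    return [item for item, ok in audit(config_text).items() if not ok]
```

Calling `failures(SAMPLE_CONFIG)` flags source routing, CDP, and the leftover v2c community string; a config with those three corrected returns an empty list.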

Organizations that believe they are victims of these attacks should contact their local FBI Field Office or CISA. Read the complete list of guidelines at CISA.

12/05/2024