
Chinese cyber espionage groups target strategic sectors

In the first half of 2025, a clear pattern emerged in the global cyber espionage activities of groups affiliated with China. Strategic sectors such as telecommunications and semiconductors appear to be the target of advanced attacks.

Between December 2024 and January 2025, the Chinese state-backed espionage group RedMike, also known as Salt Typhoon, exploited vulnerabilities in Cisco equipment at telecommunications companies worldwide on a large scale. According to Recorded Future's Insikt Group, the attacks relied on two known and long-patched vulnerabilities in Cisco IOS XE devices that had not been updated: CVE-2023-20198, a web UI flaw that lets an unauthenticated attacker create a local account with privilege level 15, and CVE-2023-20273, which is then used to escalate from that account to root. With that access, RedMike configured a GRE tunnel between the compromised device and attacker-controlled infrastructure, giving the group persistent, inconspicuous control over the affected systems.
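One check a telecom network team would run against the behaviour described above, as an added example that is not from the Recorded Future report or from the Insikt Group: parse an IOS XE running configuration and flag privilege-15 local users and GRE tunnel interfaces that are not in the device's baseline, plus an exposed HTTP(S) server (the attack surface for CVE-2023-20198). The configuration text, the baseline sets, the hostname and the addresses are all constructed for this example; the account name cisco_tac_admin is made up for illustration and is not an indicator taken from any report.

```python
"""Audit an IOS XE `show running-config` dump for the post-exploitation
artefacts described above: unexpected privilege-15 local users (what
CVE-2023-20198 is used to create), GRE tunnels to non-baseline peers, and an
enabled web UI. Added example; all inputs below are constructed, not captured
from a real device, and the baseline values are placeholders you would
replace with your own per-device inventory."""
from __future__ import annotations

import re
from dataclasses import dataclass

# Per-device baseline (assumed/placeholder values).
KNOWN_ADMINS = {"netops"}
KNOWN_TUNNEL_PEERS = {"203.0.113.10"}  # documentation range, assumed legitimate peer

# Constructed sample config; cisco_tac_admin and 198.51.100.77 are invented.
SAMPLE_CONFIG = """\
hostname edge-rtr-01
!
username netops privilege 15 secret 9 $9$abcdef...
username cisco_tac_admin privilege 15 secret 9 $9$zzzzzz...
!
interface Tunnel0
 description site-to-site to DC
 ip address 10.0.0.1 255.255.255.252
 tunnel source GigabitEthernet0/0/0
 tunnel destination 203.0.113.10
!
interface Tunnel1
 ip address 172.16.9.1 255.255.255.252
 tunnel source GigabitEthernet0/0/0
 tunnel destination 198.51.100.77
 tunnel mode gre ip
!
interface GigabitEthernet0/0/0
 ip address 192.0.2.2 255.255.255.0
!
ip http server
ip http secure-server
end
"""


@dataclass
class Finding:
    kind: str
    detail: str


def parse_privileged_users(config: str) -> list[str]:
    """Return local usernames configured with privilege level 15."""
    return re.findall(r"^username (\S+) privilege 15\b", config, re.M)


def parse_tunnels(config: str) -> list[dict]:
    """Collect each `interface TunnelN` stanza with its mode and destination.
    IOS tunnels default to GRE over IP when no `tunnel mode` line is present."""
    tunnels: list[dict] = []
    current: dict | None = None
    for line in config.splitlines():
        if line.startswith("interface Tunnel"):
            current = {"name": line.split()[1], "mode": "gre ip", "destination": None}
            tunnels.append(current)
        elif current is None:
            continue
        elif line.startswith("!") or (line and not line.startswith(" ")):
            current = None  # left the stanza
        else:
            s = line.strip()
            if s.startswith("tunnel destination "):
                current["destination"] = s.split()[2]
            elif s.startswith("tunnel mode "):
                current["mode"] = s[len("tunnel mode "):]
    return tunnels


def audit_config(config: str,
                 known_admins: set[str] = KNOWN_ADMINS,
                 known_peers: set[str] = KNOWN_TUNNEL_PEERS) -> list[Finding]:
    """Compare the config against the baseline and return ordered findings."""
    findings: list[Finding] = []
    for user in parse_privileged_users(config):
        if user not in known_admins:
            findings.append(Finding("unexpected-priv15-user", user))
    for t in parse_tunnels(config):
        if t["mode"].startswith("gre") and t["destination"] not in known_peers:
            findings.append(Finding("unexpected-gre-tunnel",
                                    f"{t['name']} -> {t['destination']}"))
    web_ui = [m.group(0) for m in re.finditer(r"^ip http (?:secure-)?server$", config, re.M)]
    if web_ui:
        findings.append(Finding("web-ui-exposed", ", ".join(web_ui)))
    return findings


if __name__ == "__main__":
    for f in audit_config(SAMPLE_CONFIG):
        print(f"{f.kind}: {f.detail}")
```

Run this over configs pulled by your existing backup tooling rather than on the device itself, and treat any hit on a device that also has the web UI reachable from the internet as an incident lead, not just a hygiene finding. A clean result does not prove the device is clean: it only covers artefacts that live in the running configuration.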

The targets included a US subsidiary of a British telecom provider, a South African telecom company, and possibly universities in the US, the Netherlands, Mexico, and Indonesia, among others. The Chinese attacks appear to be aimed at strategic information, including research in the field of technology and telecom. In total, RedMike attempted to exploit more than a thousand devices worldwide.

Although the group has already drawn significant international media attention and was recently subjected to US sanctions, the attacks persist. In January 2025, the US imposed sanctions on the Chinese company Sichuan Juxinhe Network Technology for its direct involvement in RedMike's activities. According to Recorded Future, this type of attack poses a significant threat to national security, because persistent access to telecom infrastructure can be used for eavesdropping or sabotage during periods of heightened political tension.

Broader Chinese campaign

Although these attacks were specifically targeted at the telecommunications sector, they are part of a broader campaign of cyber espionage by China-aligned groups aimed at technological dominance and strategic advantage.

From March to June 2025, multiple cyberattacks were carried out on Taiwanese companies in the semiconductor industry. According to security company Proofpoint, these were phishing campaigns by three China-aligned espionage groups, aimed at gathering sensitive technical and financial information. The attackers approached employees via emails posing as job vacancies or investment proposals, often sent from compromised university accounts.

The phishing emails carried attachments that installed malware such as backdoors and reverse shells. Techniques including DLL sideloading (placing an attacker-supplied DLL where a legitimate, signed executable loads it) and custom malware, among it a backdoor codenamed Voldemort, were used to gain long-term access to systems. Sophisticated phishing kits were also used to steal employee login credentials.

The attacks appear to be linked to China’s pursuit of technological independence and come at a time of heightened geopolitical tensions surrounding Taiwan and export restrictions on chips. Proofpoint warns that organizations in the global semiconductor supply chain should be particularly vigilant for targeted phishing and espionage attempts.