Cybersecurity Firm Warns of New Cyber Espionage Tactic by Chinese Hackers

Chinese state-backed hackers took advantage of outdated hardware and software to access routers and take over computer networks.
Dave Malyon

A Chinese hacker group is targeting routers made by a major U.S. manufacturer, taking advantage of outdated software and hardware to hijack routers and access computer networks, a cybersecurity firm warned Wednesday.

It’s a new tactic in an increasingly sophisticated cybercrime landscape, according to the firm.

Mandiant, a Google subsidiary known for outing Chinese hackers, reported in a blog post March 12 that the state-backed hacker group UNC3886 targeted routers made by Juniper Networks.

The Silicon Valley-based tech company is a main competitor to Cisco, the leader in the U.S. router market. While many Juniper products are manufactured in China and parts of Southeast Asia, most of its higher-end products are assembled in North America.

In mid-2024, Mandiant found that attackers had deployed a program that accessed victims’ computers by disabling login mechanisms.

Once in the system, the program could carry out active backdoor functions, which directly interfered with the system, or passive backdoor functions—“eavesdropping” or gathering information.

Mandiant noted that the back doors were based on an open-source, low-maintenance program named TINYSHELL.

According to Mandiant, the vulnerability that enabled the intrusions was the use of routers running outdated or “end-of-life” hardware and software.

A New Tactic

Mandiant noted that in 2022 and 2023, it reported that hacker group UNC3886 had breached server software such as VMware ESXi, Linux vCenter servers, and Windows virtual machines.

Wednesday’s blog post described “a development in UNC3886’s tactics, techniques and procedures,” and a focus on devices that may lack security monitoring and detection solutions.

Compromising routing devices is a new espionage tactic, the report said, “as it grants the capability for a long-term, high-level access to the crucial routing infrastructure, with a potential for more disruptive actions in the future.”

Mandiant described UNC3886 as “highly adept.” The hacker group’s modus operandi is to acquire “legitimate credentials” and use them to operate undetected.

Historically, the group has targeted network devices and virtualization technologies with “zero-day exploits,” cyber attacks that take advantage of previously unknown vulnerabilities in software, hardware, or firmware before vendors have a chance to patch them.

“UNC3886 continues to demonstrate a deep understanding of the underlying technology of the appliances it targets,” the blog post said.

Mandiant also observed the group’s preference for prolonged operations, as displayed by its use of stealth tactics and its manipulation of logs and forensic evidence.

The report noted the group’s focus on military, tech, and communication enterprises in the United States and Asia.

AI-Driven Intrusions Surge

Mandiant’s post followed the “2025 CrowdStrike Global Threat Report,” released Feb. 27, which highlighted a 150 percent surge in AI-driven U.S. network intrusions throughout 2024.

CrowdStrike’s report focused on the growing integration of artificial intelligence into network intrusions.

It found that voice phishing, or “vishing” attacks, in which AI was used during phone calls, soared by 442 percent in 2024.

American financial services, media, and industrial sectors suffered a 300 percent increase in AI-powered intrusions, the report said.

Cybercrime has become big business, with “access brokers” advertising their services—a practice noted to have increased by 50 percent in 2024.

A screenshot shows cybercriminals manipulating the back-end database system of a banking network. (Courtesy of Ed Alexander)

Manhunt for Chinese Hackers

That report was followed by news last week of an FBI search for 12 Chinese tech freelancers accused of breaching email accounts, cellphones, servers, and websites on behalf of Beijing between 2016 and 2023.

On Mar. 5, the Department of Justice (DOJ) reported that it disrupted the activities of 12 Chinese nationals, including two members of China’s Ministry of Public Security, employed as freelancers for the Chinese state-owned i-Soon company.

The suspects, who were reported to be at large, were allegedly paid between $10,000 and $75,000 for every mailbox they hacked, while the company charged extra to analyze the stolen data.

Among global victims of the operation were “a large religious organization in the United States, critics and dissidents of the [People’s Republic of China], a state legislative body, United States government agencies, the ministries of foreign affairs of multiple governments in Asia, and news organizations.”

The Epoch Times has learned that it was a victim of the hacking campaign.

The State Department has since posted a reward of up to $10 million for information on any entity acting maliciously against the United States at the behest of a foreign government.

Eva Fu and Dorothy Li contributed to this report.