State-sponsored cyber operations from the People’s Republic of China and the Democratic People’s Republic of Korea continue to shape the threat landscape, but their objectives and tradecraft reveal different operational logic. China-aligned actors are demonstrating long-game espionage and pre-positioning aimed at persistent access inside telecommunications and critical infrastructure. North Korea-aligned actors are sharpening financially motivated operations that abuse social engineering and malware to drain cryptocurrency and support regime finances. Both present urgent, but distinct, defensive priorities for enterprise and national defenders.

China-aligned activity: persistent presence, infrastructure focus

China-linked APT actors have been observed compromising provider edge and customer edge network equipment to obtain long-term footholds inside telecoms, transportation, lodging, government, and defense networks. Recent joint advisories from U.S. and international partners describe campaigns in which these actors exploited unpatched edge devices, modified firmware and configurations, and maintained stealthy access to telemetry-poor parts of networks. Defenders must treat these compromises as strategic pre-positioning intended to enable collection and, in some scenarios, future disruptive options.

Industry reporting and incident response investigations tied the cluster of activity labeled Salt Typhoon, RedMike and related aliases to campaigns that exploited known Cisco IOS XE vulnerabilities and other internet-facing appliance flaws to compromise telecom infrastructure in late 2024 and into 2025. These attacks used a mix of bespoke backdoors and living-off-the-land tools to blend with legitimate administrative traffic and avoid detection. The pattern is not merely opportunistic; it targets assets that are hard to monitor and difficult to patch without service disruption, which multiplies the defender’s challenge.

Reporting has also connected Salt Typhoon activity to sensitive compromises, including significant intrusions into state and local networks and telecom affiliates, prompting sanctions and targeted enforcement actions by U.S. authorities in early 2025. Those responses underscore that these campaigns crossed thresholds that matter to national security and continuity of services.

North Korea-aligned activity: monetization through crypto and social engineering

North Korean state-sponsored units, frequently tracked under the Lazarus, TraderTraitor and AppleJeus labels, continue to pursue monetization at scale. In 2024 these actors were linked by allied governments to hundreds of millions of dollars in cryptocurrency thefts, and public advisories document a persistent preference for highly tailored social engineering combined with trojanized crypto tooling. The operational objective is clear. These actors need revenue, and modern crypto infrastructure presents high-value, software-defined targets they can exploit remotely.

Tactics include highly personalized pretexts delivered over professional networks and social media, fake job offers that coax victims into installing trojanized trading wallets or remote access tools, and the compromise of developer or operations endpoints that hold signing keys. U.S. and allied incident reporting and indictments show that these campaigns often blend high-touch social engineering with commodity and bespoke malware families such as AppleJeus and TraderTraitor. The result is rapid, high-value theft and the need for transaction recovery and international law enforcement coordination.

Convergence and divergence: why both matter

Both classes of actors value persistence, but they use it differently. China-aligned groups prioritize stealthy, long-lived access to strategic networks where disruption or mass collection could be decisive in a future crisis. North Korea-aligned groups prioritize fast monetization and laundering of stolen assets to fund state priorities. Where they converge is in exploiting gaps that are operationally painful to fix: legacy appliances, weak patch cadence, exposed management interfaces, and human trust that can be abused through social engineering.
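The two gaps named above that a defender can measure directly, patch cadence and exposed management interfaces, can be turned into a triage rule. The Python script below is an added example, not code from this article or from any advisory: it joins a constructed device inventory against a constructed known-exploited-vulnerability list that borrows the field names of the CISA KEV JSON feed. Every CVE identifier, vendor, product and date in it is a placeholder, and the scoring weights are assumptions meant to be tuned locally.

```python
"""Rank edge devices for patching by known-exploited-vulnerability exposure.

Added example, not from the article. KEV_CATALOG borrows the field names of
the CISA Known Exploited Vulnerabilities JSON feed, but every CVE id, vendor,
product and date below is a constructed placeholder, and the weights are
assumptions to be tuned locally.
"""
from __future__ import annotations

from dataclasses import dataclass
from datetime import date

KEV_CATALOG = [  # constructed entries, placeholder identifiers
    {"cveID": "CVE-0000-00001", "vendorProject": "ExampleVendor", "product": "EdgeOS",
     "dateAdded": "2025-01-10", "dueDate": "2025-01-31"},
    {"cveID": "CVE-0000-00002", "vendorProject": "ExampleVendor", "product": "EdgeOS",
     "dateAdded": "2025-03-01", "dueDate": "2025-03-22"},
    {"cveID": "CVE-0000-00003", "vendorProject": "OtherVendor", "product": "FirewallOS",
     "dateAdded": "2024-11-05", "dueDate": "2024-11-26"},
]

EDGE_ROLES = {"provider-edge", "customer-edge"}
AS_OF = date(2025, 4, 1)  # assumed "today" for the worked run


@dataclass(frozen=True)
class Device:
    name: str
    vendor: str
    product: str
    role: str                      # provider-edge, customer-edge, firewall, vpn
    mgmt_internet_exposed: bool    # management interface reachable from the internet
    patched_cves: frozenset[str] = frozenset()


INVENTORY = [  # constructed inventory
    Device("pe-router-1", "ExampleVendor", "EdgeOS", "provider-edge", True),
    Device("ce-router-7", "ExampleVendor", "EdgeOS", "customer-edge", False,
           frozenset({"CVE-0000-00001"})),
    Device("fw-dmz-2", "OtherVendor", "FirewallOS", "firewall", True,
           frozenset({"CVE-0000-00003"})),
    Device("vpn-hq", "ThirdVendor", "VPNGate", "vpn", True),
]


def outstanding_kev(device: Device, catalog: list[dict]) -> list[dict]:
    """KEV entries that apply to this device's product and are not yet remediated."""
    return [e for e in catalog
            if e["vendorProject"] == device.vendor
            and e["product"] == device.product
            and e["cveID"] not in device.patched_cves]


def priority_score(device: Device, catalog: list[dict], today: date) -> int:
    """Assumed weighting: each open KEV counts; a missed due date, an exposed
    management plane and an edge role each add urgency."""
    entries = outstanding_kev(device, catalog)
    if not entries:
        return 0
    score = 50 * len(entries)
    if any(date.fromisoformat(e["dueDate"]) < today for e in entries):
        score += 25
    if device.mgmt_internet_exposed:
        score += 30
    if device.role in EDGE_ROLES:
        score += 10
    return score


def triage(devices: list[Device], catalog: list[dict], today: date):
    """Return (name, score, open CVE ids) sorted most urgent first."""
    rows = [(d.name, priority_score(d, catalog, today),
             [e["cveID"] for e in outstanding_kev(d, catalog)]) for d in devices]
    return sorted(rows, key=lambda r: r[1], reverse=True)


if __name__ == "__main__":
    for name, score, cves in triage(INVENTORY, KEV_CATALOG, AS_OF):
        print(f"{score:4d}  {name:14s}  {', '.join(cves) or '-'}")
```

The real KEV feed carries no affected-version data, so a product match is a prompt to confirm the running version, not proof of exposure; the point of the weighting is that an internet-reachable management plane on an edge router past its KEV due date should never sit behind an internal-only firewall in the patch queue.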

Actionable mitigations for defenders

  • Inventory and harden edge and infrastructure devices. Prioritize provider and customer edge routers, firewalls, and VPN appliances for firmware validation, secure configuration, and a patch schedule that treats known exploited vulnerabilities as urgent. CISA and partner advisories explicitly call out patching and securing edge infrastructure as a first line of defense.

  • Hunt for persistence and firmware tampering. Standard EDR will miss many attacks that alter router firmware or use living-off-the-land tactics. Collect and centralize telemetry from network devices, enable robust configuration change tracking, and run integrity checks against vendor firmware. The adversary tradecraft is designed to exploit low-visibility systems.

  • Treat critical comms and operational networks as high risk. Segment management interfaces from general networks, reduce blast radius for compromised telephony and mobility systems, and enforce least privilege for service accounts that interact with telecom or OT gear. Joint advisories highlight telecoms and transportation as prioritized targets.

  • Harden hiring and contractor onboarding for sensitive roles. North Korea-aligned actors have used recruitment and job-offer pretexts to place malware. Apply strict code and build provenance checks, keep signing keys on air-gapped systems, and vet remote job candidates in crypto and exchange operations carefully. Advisories and incident summaries recommend restricting use of social media tools on work devices and verifying the provenance of third-party crypto applications.

  • Use phishing-resistant multi-factor authentication and strong key management. MFA and hardware-backed keys blunt both espionage and credential-based lateral movement. For crypto custodians, prefer hardware signers, multi-party signing, and rigorous operational separation between signing environments and internet-facing systems.

  • Engage in proactive threat hunting and information sharing. The things these actors leave behind can be subtle. Centralized logging, anomaly detection tuned to administrative and configuration anomalies, and rapid sharing of IOCs with ISACs and national agencies materially reduce dwell time. Joint government-industry advisories exist to support that work.
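The "anomaly detection tuned to administrative and configuration anomalies" of the last bullet, and the configuration change tracking of the hunting bullet, come down to rules run over centralized network-device logs. The following Python script is an added example, not code from this article: the log lines are constructed and only loosely modelled on router syslog, and the management subnet and change window are assumed policy values a defender would replace with their own.

```python
"""Flag suspicious administrative activity in network-device syslog.

Added example; the log lines are constructed and only loosely modelled on
router syslog. MGMT_NET and CHANGE_WINDOW are assumed local policy values.
"""
import ipaddress
import re
from datetime import datetime

MGMT_NET = ipaddress.ip_network("10.20.0.0/24")  # assumed management subnet
CHANGE_WINDOW = (9, 17)                          # assumed: config changes allowed 09:00-17:00 UTC

LINE_RE = re.compile(r"^(\S+) (\S+) ([A-Z]+): (.*)$")
SRC_RE = re.compile(r"from (\d{1,3}(?:\.\d{1,3}){3})")
TFTP_RE = re.compile(r"tftp://(\d{1,3}(?:\.\d{1,3}){3})/")
PRIV_USER_RE = re.compile(r"username (\S+) privilege 15")

# Constructed sample: one router touched at 02:00 from a non-management address,
# one maintained normally from the management subnet during business hours.
SAMPLE_LOG = """\
2025-02-03T02:14:07Z pe-router-1 LOGIN: user admin logged in from 203.0.113.45 via ssh
2025-02-03T02:15:22Z pe-router-1 CONFIG: configured from console by admin from 203.0.113.45
2025-02-03T02:16:03Z pe-router-1 CONFIG: username svc-backup privilege 15 added by admin
2025-02-03T10:00:11Z ce-router-7 LOGIN: user netops logged in from 10.20.0.15 via ssh
2025-02-03T10:02:40Z ce-router-7 CONFIG: configured from vty by netops from 10.20.0.15
2025-02-03T03:01:55Z pe-router-1 COPY: copy tftp://203.0.113.45/image.bin flash: by admin
"""


def in_mgmt(ip: str) -> bool:
    return ipaddress.ip_address(ip) in MGMT_NET


def in_window(ts: str) -> bool:
    hour = datetime.fromisoformat(ts.replace("Z", "+00:00")).hour
    return CHANGE_WINDOW[0] <= hour < CHANGE_WINDOW[1]


def analyse_line(line: str) -> list[tuple[str, str, str, str]]:
    """Return (device, rule, severity, raw line) findings for one log line."""
    m = LINE_RE.match(line)
    if not m:
        return []  # unparseable line: skipped here, worth counting in production
    ts, device, facility, msg = m.groups()
    findings = []
    src = SRC_RE.search(msg)
    src_ip = src.group(1) if src else None

    if facility == "LOGIN" and src_ip and not in_mgmt(src_ip):
        findings.append((device, "login-from-non-mgmt", "HIGH", line))

    if facility == "CONFIG":
        if src_ip and not in_mgmt(src_ip):
            findings.append((device, "config-change-from-non-mgmt", "HIGH", line))
        if not in_window(ts):
            findings.append((device, "config-change-outside-window", "MEDIUM", line))
        if PRIV_USER_RE.search(msg):
            findings.append((device, "privileged-local-user-added", "HIGH", line))

    if facility == "COPY":
        # An image pulled onto flash is a firmware-replacement precursor;
        # a non-management source makes it critical rather than routine.
        t = TFTP_RE.search(msg)
        sev = "CRITICAL" if t and not in_mgmt(t.group(1)) else "MEDIUM"
        findings.append((device, "image-transfer", sev, line))
    return findings


def analyse(log_text: str) -> list[tuple[str, str, str, str]]:
    findings = []
    for line in log_text.splitlines():
        findings.extend(analyse_line(line))
    return findings


if __name__ == "__main__":
    for device, rule, sev, raw in analyse(SAMPLE_LOG):
        print(f"{sev:8s} {device:12s} {rule:30s} {raw}")
```

All six findings land on the same device inside one hour, which is the shape a hunt should surface: a login and config change from outside the management subnet, a new privilege-15 account, and an image transfer from that same outside address. Individually each rule is noisy; correlating them per device and time bucket is what makes the alert worth a responder's attention.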

Closing caution

Treat the recent wave of disclosures not as a one-off alarm but as confirmation of adversary intent and capability. For organizations that operate telecom links, host critical services, or custody value in software-defined assets, the calculus has changed. Expect continued targeting and evolve defenses with a bias toward resilience: fast patching, tamper detection, and operational separation between critical signing environments and internet-facing services. The alternative is long dwell and expensive recovery. If you defend systems that adversaries prize, assume they will try again and prepare accordingly.
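The tamper detection urged here, and the "integrity checks against vendor firmware" and configuration change tracking in the mitigations above, reduce to two checks that can run from a collector after each device backup. The Python script below is an added example, not code from this article or from any vendor: the firmware bytes, the "vendor-published" hash and both configurations are constructed stand-ins, and the list of sensitive configuration keywords is an assumption a defender would extend for their platform.

```python
"""Tamper detection for edge devices: firmware hash and config drift.

Added example, not from the article or any vendor. The image bytes, the
'vendor hash' and both configs are constructed stand-ins; SENSITIVE is an
assumed keyword list, not a platform's official schema.
"""
import difflib
import hashlib

# Constructed: bytes standing in for a firmware image pulled off the device,
# and the SHA-256 the vendor would publish for the genuine image.
GENUINE_IMAGE = b"EXAMPLE-FIRMWARE-v1.2.3\x00" * 64
VENDOR_SHA256 = hashlib.sha256(GENUINE_IMAGE).hexdigest()
TAMPERED_IMAGE = GENUINE_IMAGE[:-8] + b"\xde\xad\xbe\xef\x00\x00\x00\x00"

# Constructed configs; secrets shown redacted as a backup system would store them.
BASELINE_CONFIG = """\
hostname pe-router-1
username netops privilege 15 secret ***
no ip http server
snmp-server community <redacted> RO 10
line vty 0 4
 transport input ssh
 access-class 10 in
"""

RUNNING_CONFIG = """\
hostname pe-router-1
username netops privilege 15 secret ***
username svc-backup privilege 15 secret ***
ip http server
snmp-server community <redacted> RO 10
line vty 0 4
 transport input ssh telnet
ntp server 10.20.0.5
"""

# Assumed: config stanzas whose change should page someone, not just be logged.
SENSITIVE = [
    ("username", "local account change"),
    ("ip http", "management web interface"),
    ("transport input", "vty transport protocols"),
    ("access-class", "vty access restriction"),
    ("snmp-server", "SNMP configuration"),
    ("boot system", "boot image selection"),
]


def verify_firmware(image: bytes, expected_sha256: str) -> bool:
    """True only if the collected image hashes to the vendor-published value."""
    return hashlib.sha256(image).hexdigest() == expected_sha256


def classify(text: str) -> str:
    """Why a changed line matters, or '' if it is not in the sensitive list.
    A leading 'no ' is stripped so removing a hardening line is caught too."""
    key_text = text[3:] if text.startswith("no ") else text
    return next((why for key, why in SENSITIVE if key_text.startswith(key)), "")


def config_drift(baseline: str, running: str) -> list[tuple[str, str, str]]:
    """(added|removed, line, reason) for every line that differs from baseline."""
    drift = []
    for d in difflib.unified_diff(baseline.splitlines(), running.splitlines(),
                                  lineterm="", n=0):
        if d.startswith(("---", "+++", "@@")):
            continue
        change = "added" if d.startswith("+") else "removed"
        text = d[1:].strip()
        drift.append((change, text, classify(text)))
    return drift


def sensitive_drift(baseline: str, running: str) -> list[tuple[str, str, str]]:
    return [x for x in config_drift(baseline, running) if x[2]]


if __name__ == "__main__":
    print("firmware genuine:", verify_firmware(GENUINE_IMAGE, VENDOR_SHA256))
    print("firmware tampered:", verify_firmware(TAMPERED_IMAGE, VENDOR_SHA256))
    for change, text, why in config_drift(BASELINE_CONFIG, RUNNING_CONFIG):
        print(f"{change:8s} {text:45s} {why or '(routine)'}")
```

Two design points matter in practice. The hash must be computed over the image as read back from the device's storage, not over the file the administrator uploaded, or a post-upload modification goes unseen; and the drift check must treat removal of a hardening line ("no ip http server" disappearing, "access-class" dropped from the vty) as loudly as an addition, which is why the classifier strips the "no " prefix before matching.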