Chinese Cyberespionage Group Targeting Critical Infrastructure
A sophisticated cyberespionage campaign, dubbed Fire Ant, has been uncovered by cybersecurity firm Sygnia, revealing a China-linked group exploiting vulnerabilities in virtualisation and networking systems to infiltrate critical infrastructure.
Since early 2025, the attackers have targeted VMware ESXi and vCenter environments, as well as network appliances, to gain persistent access to highly secure, isolated networks.
The campaign, which shares similarities with the known threat group UNC3886, highlights the growing challenge of securing modern IT systems against state-sponsored actors.
Stealthy Tactics
The Fire Ant group employs advanced techniques to bypass traditional security measures, focusing on the hypervisor layer - a critical component of virtualisation infrastructure that often lacks adequate monitoring. By exploiting vulnerabilities such as CVE-2023-34048 in VMware vCenter, the attackers gain initial access, extract credentials, and deploy backdoors to maintain control even after system reboots. They also manipulate network configurations and use encrypted tunnels to move undetected across segmented networks, making their activities difficult to trace.
Sygnia’s investigation found that Fire Ant adapts quickly to defensive efforts, rotating tools and renaming malicious files to evade detection.
In one instance, the group terminated logging processes on ESXi hosts to suppress evidence of their presence, further complicating forensic investigations. Their ability to pivot from the hypervisor to guest virtual machines, using flaws like CVE-2023-20867, allows them to extract sensitive data and maintain long-term surveillance.
Links To Known Threat Actors
The campaign bears striking similarities to operations by UNC3886, a China-linked group known for targeting edge devices and virtualisation technologies since at least 2022. Shared tools, techniques, and targeted sectors - such as telecommunications, government, and technology - suggest a possible connection. Yoav Mazor, Sygnia’s Head of Incident Response for the Asia-Pacific region, noted: “Fire Ant shows incredibly advanced capabilities to infiltrate and conduct espionage campaigns, avoiding detection and multi-layered traditional security measures by targeting infrastructure blind spots.”
A Growing Threat to Critical Infrastructure
Fire Ant’s focus on critical infrastructure, including sectors like telecommunications and energy, underscores the risks posed by nation-state actors. The group’s ability to bypass network segmentation and operate beneath the radar of conventional security tools highlights a critical weakness in many organisations’ defences. Traditional endpoint security solutions often fail to monitor the hypervisor layer, leaving gaps that attackers exploit to access isolated systems.
Ev Kontsevoy, CEO of Teleport, commented on the broader implications: “Technology innovation has reached terminal velocity, and criminal cyber groups have realised how easy it is to hide within modern infrastructure. The Chinese cyberespionage group, Fire Ant, has been exploiting infrastructure vulnerabilities and using stolen credentials to infiltrate systems. This is not an isolated tactic. Many nation-state groups are now adopting the same approach due to its effectiveness and the difficulty of detection.”
Kontsevoy added that the complexity of modern IT environments exacerbates the problem: “Each new technology added to our stack increases complexity and creates more opportunities for attackers to hide. Fire Ant took full advantage of this fragmented landscape. The attackers used stolen credentials to create backdoors and mimic legitimate employee actions through common, trusted tools. As long as technological innovation outpaces security, we will continue to witness high-profile and large-scale cyberattacks. The only way to prevent nation-state hackers and other criminals from accessing infrastructure as easily as if it were a walk in the park is by unifying identity.”
Recommendations For Defence
Sygnia urges organisations to enhance visibility into their virtualisation and network layers, recommending measures such as centralised logging, regular patching, and restricting access to critical systems. Enabling features like Lockdown Mode and Secure Boot on VMware systems can prevent unauthorised changes, while monitoring for unexpected process terminations, such as the ‘vmsyslogd’ process, can help detect malicious activity.
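The two observable signals in the text above - an ESXi host's syslog daemon (vmsyslogd) being terminated, and the resulting silence of that host in a central log collector - are straightforward to check for once logs are centralised. The following is an added example, not code from Sygnia's report or from VMware: it parses a constructed syslog-style feed (the line format "timestamp host process: message" and the host names esx01 to esx03 are assumptions for illustration), flags messages that report vmsyslogd being stopped or killed, and lists hosts whose last forwarded event is older than a configurable gap, which is how a killed logging process looks from the collector's side.

```python
import re
from datetime import datetime, timedelta

# Constructed sample feed: syslog-style lines forwarded from three ESXi hosts
# to a central collector. The "<ts> <host> <process>: <message>" format, the
# host names and the message texts are assumptions for this example.
SAMPLE_LOGS = """\
2025-03-01T10:00:00Z esx01 vmkernel: heartbeat ok
2025-03-01T10:05:00Z esx01 hostd: session opened for user root
2025-03-01T10:05:30Z esx01 shell: kill -9 12345 vmsyslogd
2025-03-01T10:00:00Z esx02 vmkernel: heartbeat ok
2025-03-01T10:30:00Z esx02 vmkernel: heartbeat ok
2025-03-01T10:55:00Z esx02 vmkernel: heartbeat ok
2025-03-01T10:10:00Z esx03 vmkernel: heartbeat ok
2025-03-01T10:20:00Z esx03 vmsyslogd: log rotation complete
2025-03-01T10:40:00Z esx03 vmkernel: heartbeat ok
"""

LINE_RE = re.compile(r"^(\S+)\s+(\S+)\s+([^:\s]+):\s*(.*)$")
# Words indicating the logging daemon is being stopped, as opposed to a routine
# message emitted by vmsyslogd itself (such as a log rotation notice).
STOP_RE = re.compile(r"\b(kill|killed|stop|stopped|terminat\w*|sigkill|sigterm)\b", re.I)
TS_FORMAT = "%Y-%m-%dT%H:%M:%SZ"


def _parse_ts(value):
    """Accept either an ISO-8601 'Z' string or a datetime."""
    return value if isinstance(value, datetime) else datetime.strptime(value, TS_FORMAT)


def parse_line(line):
    """Return (timestamp, host, process, message), or None if the line does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return _parse_ts(m.group(1)), m.group(2), m.group(3), m.group(4)


def parse_feed(text):
    """Parse every line of the feed, silently dropping unparseable ones."""
    return [e for e in (parse_line(l) for l in text.splitlines()) if e]


def find_logging_termination(text):
    """Events where some process reported stopping or killing vmsyslogd.

    Only the message body is inspected, so a line *from* vmsyslogd that does not
    mention stopping (e.g. a rotation notice) is not flagged.
    """
    hits = []
    for ts, host, _proc, msg in parse_feed(text):
        if "vmsyslogd" in msg and STOP_RE.search(msg):
            hits.append((host, ts.isoformat(), msg))
    return hits


def find_silent_hosts(text, now, max_gap=timedelta(minutes=30)):
    """Hosts whose most recent forwarded event is older than max_gap as of `now`.

    A host that has previously reported and then goes quiet is the collector-side
    symptom of a terminated logging daemon; a host that never reported at all is
    out of scope here and should be caught by inventory reconciliation instead.
    """
    now = _parse_ts(now)
    last_seen = {}
    for ts, host, _proc, _msg in parse_feed(text):
        if host not in last_seen or ts > last_seen[host]:
            last_seen[host] = ts
    return sorted(h for h, ts in last_seen.items() if now - ts > max_gap)


if __name__ == "__main__":
    print("vmsyslogd termination events:", find_logging_termination(SAMPLE_LOGS))
    print("silent hosts at 11:00:", find_silent_hosts(SAMPLE_LOGS, "2025-03-01T11:00:00Z"))
```

In a real deployment the silence check runs on a schedule against the collector's index rather than over a text blob, and the gap threshold is tuned per host class so that a quiet standby host does not page anyone. The two checks complement each other: the explicit termination match only fires if the kill was itself logged before logging stopped, while the silence check fires regardless of how the daemon was stopped.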
Kontsevoy emphasised the need for unified identity management: “By unifying all identities - whether human, software, hardware, or AI - companies can gain a single source of truth and complete visibility into how identities enter and move through their systems. This also enables the enforcement of key security practices, such as just-in-time access, reducing the window attackers have to move laterally even if they succeed in breaking in.”
Proactive Security
The Fire Ant campaign serves as a stark reminder of the evolving threat landscape, where state-sponsored actors exploit the complexities of modern IT systems to conduct espionage. As organisations increasingly rely on virtualisation, Sygnia stresses the importance of treating these systems as active threat surfaces.
By adopting a multi-layered security approach and addressing visibility gaps, businesses can better protect themselves against sophisticated adversaries like Fire Ant.
Sygnia’s full report is available here.
Image: Ideogram