
Chinese hackers targeting ‘high value’ North American critical infrastructure, Cisco says

Chinese hackers successfully breached multiple critical infrastructure organizations in North America over the last year using a combination of compromised credentials and exploitable servers, researchers at Cisco Talos found. 

In findings published Thursday, the researchers documented a campaign, beginning last year, in which Chinese government-backed hacking groups were tasked with obtaining initial access to “high-value” organizations. Cisco Talos tracks the group as “UAT-8837.”

After getting access, the threat actors used a variety of tools to steal credentials, security configurations and other information to enable broader access to victim organizations. 

While the group has used multiple vulnerabilities to gain access, Cisco Talos tracked several intrusions involving the exploitation of CVE-2025-53690, a bug affecting products from software company Sitecore.

The zero-day vulnerability was spotlighted by federal cybersecurity officials in the fall, and all federal civilian agencies were ordered to patch the bug by September 25. At the time, Google published its own examination of an incident involving the bug and mentioned at least four of the same post-exploitation tools that were highlighted by Cisco Talos.

Cisco Talos said the group’s targeting of the bug indicates the Chinese group “may have access to zero-day exploits.”

One of the tools used by the hacking group, called Earthworm, allows threat actors to expose internal endpoints to attacker-owned remote infrastructure. Cisco Talos said Earthworm has been used extensively by Chinese-speaking threat actors during intrusions, with operators testing several versions of the tool on a compromised host to determine which one goes undetected by endpoint protection products.

“The undetected version is then used to create a reverse tunnel to attacker-controlled servers,” they explained. 
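A reverse tunnel of the kind described above is, from the network's point of view, an ordinary outbound connection from an inside host that stays open for a long time and carries traffic in both directions, because the operator's sessions to internal services ride over it. The following heuristic triage over connection records is an added illustration, not Cisco Talos' detection logic or anything from the report; the flow fields, the thresholds, the allowlist and the sample records (which use documentation address ranges) are all constructed assumptions.

```python
"""Heuristic triage of connection logs for reverse-tunnel-style egress.

Added example for the Earthworm description above; it is not Cisco Talos'
detection logic. Field names, thresholds and sample data are assumptions.
"""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Flow:
    src: str          # host that initiated the TCP connection
    dst: str          # peer it connected to
    dst_port: int
    duration_s: int   # how long the session stayed open
    bytes_out: int    # initiator -> peer
    bytes_in: int     # peer -> initiator


# RFC 1918 space is treated as "inside"; ipaddress.is_private is not used
# because it also covers the documentation ranges used in the sample below.
INTERNAL_NETS = [ipaddress.ip_network(n)
                 for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Assumed allowlist of approved external destinations (patch mirrors, SaaS).
ALLOWED_EGRESS = [ipaddress.ip_network("192.0.2.0/24")]

# Constructed sample records (not real traffic). Only the first one has the
# shape of a reverse tunnel: long-lived, to an unknown peer, busy both ways.
SAMPLE_FLOWS = [
    Flow("10.20.5.17", "203.0.113.44", 443, 9_240, 1_850_000, 2_400_000),
    Flow("10.20.5.17", "198.51.100.8", 443, 12, 2_100, 48_000),        # normal web fetch
    Flow("10.20.9.3", "10.20.0.10", 445, 7_200, 900_000, 1_200_000),   # internal SMB
    Flow("10.20.7.21", "192.0.2.10", 443, 5_400, 300_000, 4_000_000),  # allowlisted SaaS
    Flow("10.20.3.4", "198.51.100.200", 443, 7_200, 5_000_000, 20_000), # one-way upload
]


def is_internal(ip):
    """True if ip falls in one of the assumed internal (RFC 1918) ranges."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def flag_reverse_tunnel_candidates(flows, allowed=ALLOWED_EGRESS,
                                   min_duration_s=3600,
                                   min_bytes_each_way=100_000):
    """Return flows that an inside host opened to a non-allowlisted outside
    peer, kept open for at least min_duration_s, and that carried at least
    min_bytes_each_way in both directions. Thresholds are assumptions; the
    point is that ordinary client egress is short-lived or mostly one-way,
    while a tunnel relaying interactive sessions is neither."""
    hits = []
    for f in flows:
        if not is_internal(f.src) or is_internal(f.dst):
            continue  # only inside -> outside connections are of interest
        dst = ipaddress.ip_address(f.dst)
        if any(dst in net for net in allowed):
            continue  # known-good destination
        if f.duration_s < min_duration_s:
            continue  # short session, not a standing tunnel
        if min(f.bytes_out, f.bytes_in) < min_bytes_each_way:
            continue  # one-directional (backup, download), not interactive
        hits.append(f)
    return hits


if __name__ == "__main__":
    for hit in flag_reverse_tunnel_candidates(SAMPLE_FLOWS):
        print(f"candidate tunnel: {hit.src} -> {hit.dst}:{hit.dst_port} "
              f"open {hit.duration_s}s, {hit.bytes_out}B out / {hit.bytes_in}B in")
```

The heuristic is deliberately coarse: it produces candidates for an analyst to compare against the host's endpoint telemetry, which is where the unknown binary that opened the connection would be found. Tuning the allowlist is the main lever against false positives from long-lived legitimate sessions such as VPN or messaging clients.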

Concerns about Chinese hackers targeting critical infrastructure were revived following an incident in December when the group Salt Typhoon was detected compromising an email platform used by Congressional staffers. 

The staffers targeted in the attacks work on the House of Representatives’ China committee and several others covering foreign affairs. U.S. officials have repeatedly warned of Chinese government-backed hacking groups targeting federal agencies and other critical infrastructure organizations. 

On Wednesday, a group of Western cyber agencies released an alert about the growing digital threats facing the operational technology at the heart of industrial systems used by many critical infrastructure organizations. 

Jonathan Greig

is a Breaking News Reporter at Recorded Future News. Jonathan has worked across the globe as a journalist since 2014. Before moving back to New York City, he worked for news outlets in South Africa, Jordan and Cambodia. He previously covered cybersecurity at ZDNet and TechRepublic.