PRC Cyber Actors Target Telecommunications Companies: Global Cyberespionage Campaign
By Canadian Centre for Cyber Security on Feb. 4, 2026, 8:51 a.m.
A federal cyber threat bulletin on PRC-linked actors targeting telecom providers, including tactics used to compromise edge devices and collect sensitive network data.
This document provides an overview of ongoing cyber threat activity attributed to state-sponsored actors from the People’s Republic of China targeting telecommunications companies. It explains why telecommunications infrastructure has become a high-value espionage target and outlines the broader implications for Canadian organizations.
The bulletin describes how the Canadian Centre for Cyber Security, working with international partners, has observed sustained cyber espionage campaigns against major telecommunications providers. These activities are assessed as state-sponsored and strategically motivated rather than financially driven. Telecommunications networks are targeted because they carry sensitive communications and store large volumes of customer data. Access to these systems can provide intelligence value well beyond a single organization.
The document notes that Canadian telecommunications companies have been directly affected by this activity. Specific incidents involved the compromise of network devices belonging to a Canadian provider, allowing threat actors to retrieve configuration files. In at least one case, configurations were altered to enable covert traffic collection. These actions demonstrate a focus on long-term access and intelligence gathering rather than immediate disruption.
The threat is not limited to a single organization or sector. Telecommunications providers are trusted intermediaries that connect governments, businesses, and individuals. By compromising these providers, threat actors can potentially access data belonging to many downstream clients. This makes telecommunications networks attractive entry points for broader espionage campaigns.
The report explains that access to telecommunications data can support multiple intelligence objectives. This includes collecting call records, monitoring communications, tracking locations, and identifying relationships between individuals. Such information is particularly valuable when it involves government officials, political actors, or organizations involved in sensitive activities. The scale of data available through telecommunications systems amplifies the impact of any compromise.
A key technical theme in the document is the exploitation of vulnerabilities in network edge devices. These include routers, firewalls, and virtual private network systems that sit at the boundary between internal networks and the internet. Because they handle large volumes of traffic and are often internet-facing, these devices present an attractive target. Once compromised, they can provide visibility into network activity without triggering traditional endpoint defenses.
The bulletin highlights that attackers may exploit known vulnerabilities in these devices to gain and maintain access. In some cases, compromised devices are used primarily for reconnaissance and monitoring rather than active intrusion. This low-profile activity can allow actors to remain undetected for extended periods. The approach reflects a preference for persistence and stealth over rapid exploitation.
The document also emphasizes the broader risk to organizations that rely on telecommunications and other service providers. Threat actors may target providers as a means of indirect access to their clients. This supply-chain dynamic increases the potential impact of a single compromise. Organizations may be exposed even if their own internal security controls are strong.
Another concern raised is the likelihood that this activity will continue. Based on observed patterns and strategic priorities, the assessment indicates that PRC cyber actors are expected to persist in targeting Canadian organizations over the coming years. Telecommunications service providers and their customers are identified as ongoing areas of interest. This persistence underscores the need for sustained defensive attention rather than one-time remediation.
The document places this activity within the context of Canada’s broader cyber threat landscape. It aligns with assessments that state-sponsored actors are increasingly focused on critical infrastructure and service providers. Telecommunications networks are singled out because of their central role in modern society. Disruption or surveillance at this level can have far-reaching consequences.
Technical guidance referenced in the bulletin focuses on improving visibility and hardening network infrastructure. This includes reducing exposure of edge devices, addressing known vulnerabilities, and strengthening monitoring at network perimeters. These measures are positioned as essential for detecting and mitigating sophisticated espionage activity. The emphasis is on reducing opportunities for covert access rather than responding after damage occurs.
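One way to act on the monitoring guidance above, given that the incident involved altered device configurations, is to diff each edge device's running configuration against a trusted baseline and flag added statements that can copy or tunnel traffic. This is an added example, not code from the bulletin; the Cisco IOS-style syntax, the watch-list and the sample configs are assumptions, since this summary names no vendor or command.

```python
import difflib
import re

# Assumed watch-list: IOS-style statements that can copy or tunnel traffic.
# The bulletin summary names no vendor or command; adapt to your platform.
WATCH = [
    (re.compile(r"^monitor session\b"), "port mirroring (SPAN)"),
    (re.compile(r"^interface Tunnel\d+"), "new tunnel interface"),
    (re.compile(r"^tunnel (destination|source)\b"), "tunnel endpoint"),
]
# Constructed sample configs (documentation address ranges), not from the bulletin.
BASELINE = """hostname edge-rtr-01
interface GigabitEthernet0/0
 ip address 192.0.2.1 255.255.255.0
ip route 0.0.0.0 0.0.0.0 192.0.2.254
"""
CURRENT = """hostname edge-rtr-01
interface GigabitEthernet0/0
 ip address 192.0.2.1 255.255.255.0
interface Tunnel7
 tunnel source GigabitEthernet0/0
 tunnel destination 198.51.100.23
ip route 0.0.0.0 0.0.0.0 192.0.2.254
monitor session 1 source interface GigabitEthernet0/0
"""

def sectioned(config):
    """Return (section, statement) pairs; a section is the last unindented line."""
    out, section = [], ""
    for raw in config.splitlines():
        line = raw.rstrip()
        if not line or line.lstrip().startswith("!"):
            continue  # skip blank lines and IOS "!" separators
        if not line[0].isspace():
            section = line
        out.append((section, line.strip()))
    return out

def config_drift(baseline, current):
    """List (change, section, statement, reason); reason is None if not on the watch-list."""
    old, new = sectioned(baseline), sectioned(current)
    findings = []
    matcher = difflib.SequenceMatcher(a=old, b=new, autojunk=False)
    for op, i1, i2, j1, j2 in matcher.get_opcodes():
        if op == "equal":
            continue
        findings += [("removed", s, l, None) for s, l in old[i1:i2]]
        findings += [("added", s, l, next((w for rx, w in WATCH if rx.search(l)), None)) for s, l in new[j1:j2]]
    return findings
```

Keeping the section alongside each statement means a changed statement is reported with the interface or block it belongs to, and the baseline should be held off-device so a compromised device cannot rewrite it.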
Organizations often ask how they can understand whether they are affected by this type of threat, what controls matter most, and how responsibility is shared between providers and clients. This guidance is intended to clarify those issues in a structured and practical way. It helps organizations understand the nature of the threat, the techniques being used, and the areas where defensive effort is most impactful. The result is a clearer foundation for risk awareness and informed decision-making without unnecessary complexity.
This is a public document intended for broad distribution and citation. Document status: UNCLASSIFIED (TLP:CLEAR). Publisher: Canadian Centre for Cyber Security, Government of Canada. Intended audience: telecommunications providers, organizations that rely on telecommunications services, and stakeholders responsible for managing cyber risk.