A Chinese state-sponsored hacking group, tracked as UNC3886, has successfully infiltrated several organizations’ Juniper Networks routers, deploying custom backdoors for cyber-espionage activities. Detailed in a March 12 blog post by Mandiant, the attack raises concerns about a potentially widespread compromise affecting more organizations than the few confirmed so far.
UNC3886 primarily targeted Juniper MX routers running end-of-life (EOL) hardware and software, systems that lack advanced security features such as endpoint detection and response (EDR) agents.
“We’ve confirmed less than 10 victims at this stage, but we anticipate more organizations will realize they’ve been compromised,” said Charles Carmakal, CTO of Mandiant Consulting. He added that detecting such attacks is difficult due to the absence of EDR solutions on the compromised routers, making the investigation both manual and challenging.
High-Risk Targets of the Hackers: ISPs and Telecom Providers
While Mandiant has not identified specific industries affected, the company suspects that Internet Service Providers (ISPs) and telecom carriers are primary targets. The Juniper MX Series routers, commonly used by cloud providers and large ISPs, were exploited during this attack. This breach follows other high-profile incidents last year in which China-backed groups, including Salt Typhoon and Volt Typhoon, targeted U.S. telecom firms. However, Mandiant found no technical overlap between UNC3886 and those previous attacks.
The investigation by Mandiant revealed that UNC3886 gained initial access to the Juniper routers through terminal servers used to manage network devices. By leveraging legitimate credentials, the attackers infiltrated the Junos OS network operating system, securing privileged access.
Tactics Used by the Hackers
- Exploiting Authentication Services: The attackers replaced the TACACS+ authentication system with a backdoored version, ensuring continued access.
- Bypassing Defenses: Instead of disabling Veriexec, a kernel-based file integrity system, the hackers injected malicious code into legitimate processes’ memory, evading detection.
- Deploying the TinyShell Backdoor: After gaining root access, the attackers installed a modified version of the TinyShell backdoor, enabling covert command-and-control (C2) communication while also disabling logging to cover their tracks.
Security Patch and Mitigation Measures
In response to Mandiant’s findings, Juniper Networks issued a security advisory on March 12, urging users to address a vulnerability (CVE-2025-21590) in Junos OS. This flaw, related to improper isolation within the OS kernel, allows attackers to gain full control over affected devices.
Impacted Versions of Junos OS:
- Versions before 21.2R3-S9
- 21.4 versions before 21.4R3-S10
- 22.2 versions before 22.2R3-S6
- 22.4 versions before 22.4R3-S6
- 23.2 versions before 23.2R2-S3
- 23.4 versions before 23.4R2-S4
- 24.2 versions before 24.2R1-S2, 24.2R2
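The version list above is easy to misread by hand when checking a fleet of routers, so the following added example (not code from the article, Mandiant or Juniper) parses Junos version strings and classifies each one against the ranges listed here. It assumes the common `MAJOR.MINOR R RELEASE [-S SERVICE] [.BUILD]` string format (e.g. `21.4R3-S10.2`), reads "versions before 21.2R3-S9" as every train older than 21.2 plus 21.2 builds below R3-S9, and reports trains that the list does not mention (such as 22.3) as "not listed" rather than guessing. The hostnames and versions in the sample inventory are constructed.

```python
import re
from typing import NamedTuple


class JunosVersion(NamedTuple):
    """A Junos OS release as major.minor R release [-S service]."""
    major: int
    minor: int
    release: int
    service: int  # 0 when the string carries no -S suffix

    @property
    def train(self) -> tuple:
        # The release train, e.g. (21, 4) for any 21.4Rx-Sy build.
        return (self.major, self.minor)

    @property
    def level(self) -> tuple:
        # Position within the train: (R number, S number), compared as a tuple.
        return (self.release, self.service)


# Assumed format: MAJOR.MINOR R RELEASE [-S SERVICE] [.BUILD], e.g. "21.4R3-S10.2".
# Variant strings (EVO builds, custom suffixes) are rejected rather than guessed at.
_VERSION_RE = re.compile(r"^(\d+)\.(\d+)R(\d+)(?:-S(\d+))?(?:\.\d+)?$")


def parse_junos_version(text: str) -> JunosVersion:
    """Parse a Junos version string; raise ValueError on anything unrecognised."""
    match = _VERSION_RE.match(text.strip())
    if not match:
        raise ValueError(f"unrecognised Junos version string: {text!r}")
    major, minor, release, service = match.groups()
    return JunosVersion(int(major), int(minor), int(release), int(service or 0))


# Affected ranges as summarised in the article. "Versions before 21.2R3-S9" is read
# as: every train older than 21.2, plus 21.2 builds below R3-S9 (an assumption).
# For the other trains, builds below the named release are affected. The page also
# names 24.2R2 as fixed, which already sorts above 24.2R1-S2 in the tuple comparison.
CATCH_ALL_FIXED = parse_junos_version("21.2R3-S9")
FIXED_BY_TRAIN = {
    v.train: v
    for v in map(parse_junos_version, [
        "21.4R3-S10", "22.2R3-S6", "22.4R3-S6",
        "23.2R2-S3", "23.4R2-S4", "24.2R1-S2",
    ])
}


def cve_2025_21590_status(text: str) -> str:
    """Return 'affected', 'fixed', or 'not listed' for one Junos version string."""
    version = parse_junos_version(text)
    if version.train < CATCH_ALL_FIXED.train:
        return "affected"
    if version.train == CATCH_ALL_FIXED.train:
        return "affected" if version.level < CATCH_ALL_FIXED.level else "fixed"
    fixed = FIXED_BY_TRAIN.get(version.train)
    if fixed is None:
        # Trains such as 22.3 or 23.1 are not in the article's list; report, don't guess.
        return "not listed"
    return "affected" if version.level < fixed.level else "fixed"


def triage_inventory(inventory: list) -> list:
    """Classify (hostname, version) pairs; unparseable strings are flagged, not skipped."""
    results = []
    for host, version_text in inventory:
        try:
            status = cve_2025_21590_status(version_text)
        except ValueError:
            status = "unparseable"
        results.append((host, version_text, status))
    return results


if __name__ == "__main__":
    # Constructed sample inventory; hostnames and versions are illustrative only.
    sample = [
        ("mx-edge-01", "20.4R3-S7"),
        ("mx-edge-02", "21.4R3-S9"),
        ("mx-core-01", "21.4R3-S10.2"),
        ("mx-core-02", "24.2R1-S1"),
        ("mx-lab-01", "22.3R1"),
        ("mx-lab-02", "not-a-version"),
    ]
    for host, ver, status in triage_inventory(sample):
        print(f"{host:<12} {ver:<14} {status}")
```

Feed it the version strings from your own inventory (for example the output of `show version` collected by your configuration management tool); anything reported as "not listed" or "unparseable" should be checked against Juniper's advisory directly rather than assumed safe.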
Steps for Organizations to Secure Their Networks
Juniper Networks recommends the following to mitigate risks:
- Upgrade Juniper Devices: Ensure all routers are updated to the latest patched Junos OS versions.
- Run the Juniper Malware Removal Tool (JMRT): Perform a Quick Scan and Integrity Check post-upgrade.
- Implement Secure Authentication: Enforce multifactor authentication (MFA) and limit access to critical systems.
- Enhance Network Monitoring: Deploy advanced threat detection and intrusion prevention measures.
- Strengthen Configuration Management: Ensure tight access controls and proactive device lifecycle management.
The exploitation of routing devices reflects a worrying shift in cyber-espionage tactics. By gaining persistent access to critical network infrastructure, attackers set the stage for potential cyber disruptions in the future. As Mandiant researchers noted, this new approach increases the risk of prolonged surveillance and future cyber-attacks on global infrastructure.
“The compromise of routing devices marks a shift in tactics. These devices grant adversaries long-term access, increasing the potential for cyber disruptions,” Mandiant warned.
In response to this growing threat, a Juniper Networks spokesperson reaffirmed the company’s commitment to cybersecurity:
“Juniper Networks published a security advisory in collaboration with Mandiant to address the vulnerability. We remain dedicated to responsible disclosure and work closely with industry and government partners to counter emerging threats. Customers are encouraged to visit our Customer Support Center for detailed updates.”
Securing Networks from State-Sponsored Threats
This breach underscores the need for organizations, particularly ISPs, cloud providers, and telecom carriers, to prioritize cybersecurity. To mitigate the risks of state-sponsored cyberattacks, proactive security measures and regular system audits are essential.
With China-backed threat groups continuing to target U.S. infrastructure, it’s critical for companies to strengthen their cyber resilience and implement comprehensive security strategies.