MIVD and AIVD confirm router access by China-linked Salt Typhoon at Dutch internet service and hosting providers

Dutch military and domestic intelligence services report that a China-linked espionage group known as Salt Typhoon struck targets in the Netherlands and touched national critical infrastructure. The services identified activity against smaller internet service and hosting providers.
Investigators say the intruders reached provider routers, not the companies’ internal networks. In coordination with the national cyber center, Dutch teams shared indicators and defensive tips with affected firms and other audiences.
MIVD and AIVD confirm access to routers at smaller Dutch providers
The Military Intelligence and Security Service (MIVD) and the General Intelligence and Security Service (AIVD) ran a joint investigation after allied warnings about a large, multi-year campaign against telecom backbones. Their inquiry found Dutch-based cases linked to the same actor cluster.
Defense officials confirm the targets inside the country were not tier-one telecom operators. They point instead to a set of smaller internet and hosting providers that sit deep in the domestic network ecosystem and often handle edge routing for downstream customers.
According to industry sources, the intruders leveraged access to provider routers to observe traffic and maintain footholds at the perimeter. Dutch officials emphasize there is no evidence of deeper lateral movement inside the affected companies.
Router-level access can enable data capture or network pivoting, but the absence of internal compromise narrows the response, limits forensics scope and helps recovery teams prioritize configuration review and telemetry collection on edge devices.
The Dutch statement arrives after a long year of escalating disclosures by allied services.
In December 2024, a senior U.S. official said a China-linked group breached telecommunications companies in dozens of countries and confirmed compromises at multiple U.S. carriers.
Over summer 2025, the picture widened again as allied agencies described more victims across regions and sectors beyond telecom. Dutch services now report that their own sources align with parts of those findings. They note the number of foreign operations touching Dutch interests keeps growing.
Joint advisory describes targets across telecom, transport, lodging and military
On 27 August 2025, a broad coalition of security and intelligence agencies released a technical advisory that documents the actor cluster’s tradecraft and victim set.
The authors include cyber and intelligence services from North America, Europe, and the Asia-Pacific, with Dutch participation alongside partners. The advisory describes activity against networks that underpin core services for telecommunications, government, transportation, lodging and military customers. It explains how the attackers focus on backbone routers and provider edge or customer edge devices, then use trusted links to approach other environments.
It notes the partial overlap between this campaign and industry labels such as Salt Typhoon, OPERATOR PANDA, RedMike, UNC5807, and GhostEmperor. The authors avoid choosing one vendor name and refer to them generically as state-sponsored APT actors.
European services publicly backed the alert, including national intelligence elements and cyber authorities that had already warned about router compromises in their own territories.
Large carriers and smaller regional ISPs maintain private interconnections, hand-off routes and shared IX fabrics. An intruder who controls a router at one provider can influence or observe traffic that touches others. That is exactly why several countries chose to issue harmonized guidance with the same detection logic and artifact lists.
The activity pushed past classic diplomatic or defense espionage into operational networks that carry real customer traffic. The campaign relied on known bugs and weak configurations far more than undisclosed zero-days. The burden falls on timely patching, disciplined change control and realistic monitoring at scale.
Tactics used against backbone and edge routers in the global campaign
The joint document maps the attackers’ methods in detail. Initial access centers on public vulnerabilities in exposed network edge devices.
The list calls out Ivanti Connect Secure (CVE-2024-21887 chained with CVE-2023-46805), Palo Alto Networks PAN-OS GlobalProtect (CVE-2024-3400), and Cisco IOS XE management flaws including CVE-2023-20198. Investigators also note long-standing abuse of Cisco Smart Install (CVE-2018-0171).
After landing on a device, the actors work to persist and hide:
- They add or alter access control lists to permit traffic from their own hosts.
- They enable SSH or web management on non-default high ports, sometimes using patterned port numbers such as 22x22 or xxx22.
- They create local users, adjust logging, and, on supported platforms, drop into on-box Linux containers or use built-in scripting to pull configs and stage tools.
- In several cases, they ran SNMP commands to enumerate neighboring devices and set changes where write access allowed it.
Collection and movement follow. The advisory highlights packet capture from selected links and interest in TACACS+ traffic over TCP 49. On some Cisco systems, the actors used native features to mirror traffic.
Elsewhere, they configured GRE or IPsec tunnels to ship data and commands through paths that blend into normal provider noise. They chained virtual private servers for multi-hop relays and used open-source pivoting tools to stitch together remote shells, file movement, and proxy links.
Router access at smaller providers can grant visibility into enterprise and municipal customers that buy connectivity from those providers. It creates pressure on peering points, since mirrored or tunneled traffic can traverse interconnects without setting off alarms in upstream SOCs. Teams that focus only on endpoint EDR will miss all of it, because the activity lives on boxes that rarely run EDR and often sit outside standard logging pipelines.
The following checks come straight from the techniques documented by allied agencies and tested across real incidents:
- Verify software levels on Ivanti, Palo Alto Networks PAN-OS, and Cisco IOS XE. Apply vendor remediations for CVE-2024-21887, CVE-2023-46805, CVE-2024-3400, CVE-2023-20198, and CVE-2018-0171.
- Review router configurations for unexpected ACL entries or new local users. Pay attention to ACL names like 10, 20, or 50 that appeared across cases.
- Audit management services. Look for SSH or HTTP(S) on high, non-default ports and confirm whether anyone on your team enabled them.
- Hunt for WSMA endpoint requests on Cisco IOS XE devices and check for over-encoded paths that match prior exploitation patterns.
- Inspect TACACS+ settings and shared secrets. Replace weak or exposed credentials and verify accounting servers and encryption settings match policy.
- Search for GRE or IPsec tunnels that lack change tickets, plus SPAN or ERSPAN configurations that do not align with documented monitoring plans.
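One way to turn the checklist above, together with the persistence tactics listed earlier, into a repeatable audit is to run the same checks over saved `show running-config` output. The script below is an added example, not code from the original article or from any agency; it parses a Cisco IOS-style configuration and flags unapproved local users, ACL names that match the advisory pattern, management services on patterned high ports, tunnel interfaces and SPAN sessions absent from the operator's baseline. The sample configuration, the approved baseline and every address in it are constructed.

```python
import re

# Constructed sample running-config fragment (not from any real device); it embeds
# the kinds of artifacts the advisory describes so the checks have something to flag.
SAMPLE_CONFIG = """\
username netops privilege 15 secret 5 $1$placeholder
username svc_backup privilege 15 secret 5 $1$placeholder
access-list 10 permit 203.0.113.7
ip access-list standard MGMT-IN
ip ssh port 22022 rotary 1
ip http secure-port 8443
interface Tunnel7
 tunnel destination 198.51.100.9
 tunnel mode gre ip
monitor session 1 source interface GigabitEthernet0/1
monitor session 1 destination interface GigabitEthernet0/3
"""

# Baseline the operator maintains from change control (assumed values, constructed here).
APPROVED = {"users": {"netops"}, "acls": {"MGMT-IN"}, "tunnels": set(), "spans": set()}
SUSPICIOUS_ACL_NAMES = {"10", "20", "50"}  # ACL names that recurred across advisory cases

def port_looks_patterned(port: int) -> bool:
    # High ports built around "22" (22x22, xxx22) are the pattern the advisory notes.
    return port > 1024 and str(port).endswith("22")

def audit_config(config: str, approved: dict) -> list[str]:
    # Return human-readable findings for artifacts that deviate from the approved baseline.
    findings = []
    for m in re.finditer(r"^username (\S+)", config, re.M):
        if m.group(1) not in approved["users"]:
            findings.append(f"unapproved local user: {m.group(1)}")
    acl_names = dict.fromkeys(re.findall(r"^(?:ip access-list \w+|access-list) (\S+)", config, re.M))
    for name in acl_names:
        if name in SUSPICIOUS_ACL_NAMES:
            findings.append(f"ACL name matches advisory pattern: {name}")
        elif name not in approved["acls"]:
            findings.append(f"unapproved ACL: {name}")
    for svc, port in re.findall(r"^ip (ssh port|http secure-port|http port) (\d+)", config, re.M):
        port = int(port)
        if port_looks_patterned(port):
            findings.append(f"management service on patterned high port: {svc} {port}")
        elif port > 1024:
            findings.append(f"management service on non-default port: {svc} {port}")
    for name in re.findall(r"^interface (Tunnel\d+)", config, re.M):
        if name not in approved["tunnels"]:
            findings.append(f"tunnel interface without change record: {name}")
    for sess in dict.fromkeys(re.findall(r"^monitor session (\d+)", config, re.M)):
        if sess not in approved["spans"]:
            findings.append(f"SPAN/ERSPAN session outside monitoring plan: {sess}")
    return findings
```

Findings are prompts for review against change tickets, not proof of compromise; a tunnel or SPAN session that the team set up deliberately simply belongs in the baseline.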
No single control resolves the broader issue. Yet, in combination, these measures block the cluster’s routine techniques and give providers an auditable way to show control to peers concerned about cross-network exposure.
Links to Chinese companies and official responses
The advisory connects parts of the campaign to companies based in China, including Sichuan Juxinhe Network Technology, Beijing Huanyu Tianqiong Information Technology, and Sichuan Zhixin Ruijie Network Technology. It states those firms support state security and military customers with cyber products and services.
Several allied governments have already taken policy actions against related entities this year. At the same time, Chinese authorities reject the allegations and question the evidence. The public exchange will continue, but network owners still need to harden devices and validate traffic flow regardless of politics.
Partners across Europe expressed support for the technical findings. Intelligence elements in Germany, Finland, and Italy added their names to the release.
Even when the most visible breaches hit foreign carriers, the control layer that links those carriers together runs through Dutch points of presence and Dutch-owned routing gear.
Defense officials confirm that Dutch teams shared indicators and defensive guidance with the companies involved, and with broader audiences that might run the same platforms.
The material aligns with the joint advisory and uses identical language for logging and hunting. Providers now have a common set of artifacts to search for, a shared understanding of how the actor cluster moves, and a realistic picture of what was seen on Dutch networks.
Our analysis shows the domestic risk concentrates at network edges where maintenance lags and bespoke configurations live. Smaller providers often run lean teams, inherit technical debt from past mergers, and face tight change windows from customers who cannot tolerate downtime. Good adversaries bet on those constraints. Dutch operators can push back by scheduling maintenance windows for edge gear, pruning public management exposure and establishing cross-checks with peering partners to validate routes and mirror settings.
The case also illustrates a broader feature of modern espionage. Intelligence services spread effort across many targets, not only prize carriers. An ISP with a few regional customers can still offer the same vantage point into a government office, a defense supplier, or a logistics network that supports military movement.
The editorial team will keep tracking technical updates that affect Dutch networks and the wider European backbone. If agencies release more indicators or confirm deeper breaches inside Europe, we will adjust our guidance to match the new facts. Until then, the Dutch finding about router-level access at smaller providers sets the baseline for local impact, while the multinational advisory defines the campaign’s methods and the sectors most at risk from renewed probing.