A Chinese state-sponsored threat group, tracked as UNC3886, infiltrated multiple organizations’ Juniper Network routers, deploying custom backdoors to facilitate cyber-espionage activities. The attack, which Mandiant detailed in a March 12 blog post, suggests that many other organizations may also be compromised.
According to Mandiant, UNC3886 targeted Juniper MX routers that contain end-of-life (EOL) hardware and software—devices that lack advanced security monitoring tools like endpoint detection and response (EDR) agents.
“We’re aware of less than 10 confirmed victims at this time, but we suspect that other organizations will discover they were compromised as well,” said Charles Carmakal, CTO of Mandiant Consulting. He noted that detecting these intrusions is challenging because the affected routers do not support EDR solutions, making investigation a manual and complex process.
Who’s at Risk? ISPs and Telecom Providers Are Key Targets
While Mandiant has not disclosed the exact industries affected, researchers indicated that Internet service providers (ISPs) and telecom carriers are highly vulnerable. The Juniper MX Series routers targeted in this attack are carrier-grade devices, widely used by cloud providers and major ISPs.
This incident follows a series of high-profile breaches targeting U.S. telecom companies last year by China-backed groups, including Salt Typhoon and Volt Typhoon. However, Mandiant researchers stated they had not identified any technical overlaps between UNC3886 and these previous cyberattacks.
Mandiant’s investigation revealed that UNC3886 gained initial privileged access to Juniper routers through terminal servers used for managing network devices. The attackers used legitimate credentials to access these servers and infiltrate the Junos OS network operating system.
Tactics Used by Attackers
- Exploiting Authentication Services: The attackers replaced the TACACS+ authentication system with a backdoored version, allowing persistent access.
- Bypassing Junos OS Defenses: UNC3886 circumvented Veriexec, a kernel-based file integrity subsystem designed to block unauthorized executables. Instead of disabling Veriexec, attackers injected malicious code into the memory of a legitimate process, evading detection.
- Deploying the TinyShell Backdoor: After gaining root access, the group installed a customized version of the TinyShell backdoor, enabling covert command-and-control (C2) communication while disabling logging capabilities to cover their tracks.
Security Patch and Mitigation Measures
Following Mandiant’s findings, Juniper Networks issued a security advisory on March 12, warning users about the vulnerability (CVE-2025-21590). The flaw, described as an “Improper Isolation or Compartmentalization” issue in the Junos OS kernel, could allow privileged attackers to fully compromise affected devices.
Impacted Junos OS Versions:
- All versions before 21.2R3-S9
- 21.4 versions before 21.4R3-S10
- 22.2 versions before 22.2R3-S6
- 22.4 versions before 22.4R3-S6
- 23.2 versions before 23.2R2-S3
- 23.4 versions before 23.4R2-S4
- 24.2 versions before 24.2R1-S2, 24.2R2
Steps for Organizations to Secure Their Network
Juniper Networks recommends the following steps to mitigate the risk of compromise:
- Upgrade Juniper Devices – Ensure all Juniper routers are updated to patched Junos OS versions.
- Run the Juniper Malware Removal Tool (JMRT) – Perform a Quick Scan and Integrity Check after upgrading.
- Implement Secure Authentication – Use multifactor authentication (MFA) and limit access to critical devices.
- Enhance Network Monitoring – Deploy advanced threat detection and intrusion prevention systems.
- Strengthen Configuration Management – Enforce strict access controls and device lifecycle management.
UNC3886’s exploitation of routing devices reflects a growing cyber-espionage trend, where nation-state hackers target critical infrastructure to maintain long-term, high-level access. The long-term implications of these attacks include the potential for disruptive cyber operations in the future.
“The compromise of routing devices is a significant shift in cyber-espionage tactics. These attacks grant adversaries persistent access to critical network infrastructure, raising the risk of future cyber disruptions,” Mandiant researchers warned.
Juniper Network Response and Industry Collaboration
A Juniper Networks spokesperson confirmed the company’s commitment to cybersecurity, stating:
“Juniper Networks today published a security advisory in collaboration with Mandiant to address this vulnerability. We remain dedicated to responsible disclosure and actively work with industry partners and government agencies to counter emerging security threats. We encourage our customers to visit Juniper’s Customer Support Center to review the detailed advisory and product updates.”
This latest cyberattack highlights the urgent need for organizations to secure their networking infrastructure against state-sponsored threats. Given the critical role of ISPs, cloud providers, and telecom carriers, implementing robust security measures and regular system audits is essential to prevent future compromises.
As China-backed threat groups continue targeting U.S. infrastructure, companies must prioritize cyber resilience and adopt proactive security strategies to safeguard their networks.
