Chinese snoops spotted on end-of-life Juniper routers • The Register

03/12/2025


Chinese spies have for months exploited old Juniper Networks routers, infecting the buggy gear with custom backdoors and gaining root access to the compromised devices.

According to a Tuesday report from Google Threat Intelligence and a Juniper Networks security advisory, the affected Juniper MX routers were running end-of-life hardware and software. Juniper issued a patch today to fix the issue.

A “China-nexus” espionage group that Google and its Mandiant consulting biz track as UNC3886 has been exploiting a Junos OS vulnerability since at least mid-2024, but the attacks were not made public until now.

Junos OS is Juniper Networks’ operating system and powers most of the vendor’s routing, switching, and security devices. It is based on a modified FreeBSD operating system.

“Mandiant Consulting was working closely with the victim organization and Juniper Networks on this investigation and providing Juniper Networks time to create mitigation tools and patches,” Austin Larsen, principal threat analyst at Google Threat Intelligence Group, told The Register.

The threat intel group won’t disclose the victim’s sector or region, but noted that typically UNC3886 targets defense, technology, and telecommunication organizations located in the US and Asia. When asked how many routers were compromised in the victim’s environment, Larsen said it was a “significant number of devices.”

Aside from maintaining a presence on the devices, Mandiant did not say what the snoops were hunting for in these intrusions. “Mandiant’s investigation did not observe evidence of data staging or exfiltration, so we can’t speculate on that,” Larsen said.

When asked how many organizations were hit by the Chinese intruders, Mandiant Consulting CTO Charles Carmakal said his team is “aware of less than ten at this time, but we suspect other organizations will discover they were compromised with this technique after we publish our findings.”

UNC groups are uncategorized groups that Mandiant can’t definitively classify as a nation-state crew or a financially motivated criminal gang.

“Mandiant has not identified any technical overlaps between activities detailed in this blog and those publicly reported by other parties as Volt Typhoon or Salt Typhoon,” according to the report.

UNC3886 has previously been caught exploiting critical VMware vCenter Server and ESXi hypervisor bugs, as well as a critical Fortinet flaw. The group also used custom networking malware to steal credentials and maintain network access.

Focus on long-term access

The Chinese spies remain focused “on maintaining long term access to victim networks,” the Google threat hunters said in the new report.

Juniper issued its own security alert on Tuesday. A spokesperson declined to answer specific questions about the scope of the attacks, but gave The Register the following statement:

Junos OS uses a kernel-based file integrity subsystem called Verified Exec (veriexec) to protect the operating system against unauthorized code. So to run malware, UNC3886 first had to bypass veriexec protection on the devices – but disabling this subsystem can trigger alerts.

“Mandiant’s investigation revealed that UNC3886 was able to circumvent this protection by injecting malicious code into the memory of a legitimate process,” according to the report.

Specifically, the spies used legitimate credentials to gain privileged access to a Juniper router from a terminal server that was used for managing network devices. From the Junos OS CLI, they then dropped into the underlying FreeBSD shell.

From the shell environment, they used the “here document” feature to generate a base64-encoded file, which was then decoded and used to extract malicious binaries.

Mandiant said it identified six distinct malware samples across multiple Juniper MX routers. Each is a modified version of the C-based TINYSHELL backdoor, incorporating its core functionality, such as remote file upload and download, while adding unique capabilities.

Here are the malware samples (and we highly encourage you to read Mandiant’s technical analysis of all six):

  1. appid – active backdoor, mimicking a legitimate binary named appidd (Application Identification Daemon)
  2. to – active backdoor, mimicking a legitimate binary named top (Table of Processes)
  3. irad – passive backdoor, mimicking a legitimate binary named irsd (Interface Replication and Synchronization Daemon)
  4. lmpad – utility and passive backdoor, mimicking a legitimate binary named lmpd (Link Management Protocol Daemon)
  5. jdosd – passive backdoor, mimicking a legitimate binary named jddosd (Juniper DDOS protection Daemon)
  6. oemd – passive backdoor, mimicking a legitimate binary named oamd (Operation, Administration and Maintenance Daemon)
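The masquerading pattern above (each backdoor carries a name one character off a real Junos daemon) is something a defender can hunt for. As an added example, not code from the article, Mandiant or Juniper, the Python below flags process names that are within one edit of the legitimate daemon names listed above but are not those names; the process listing and its paths are constructed sample input.

```python
"""Flag process names that masquerade as Junos daemons (added example, not from the article)."""

# Legitimate daemon names taken from the article's list of mimicked binaries.
LEGIT_DAEMONS = {"appidd", "top", "irsd", "lmpd", "jddosd", "oamd"}

# Constructed sample of a ps-style listing (PID, user, command); not a real capture.
SAMPLE_PS = """\
 1234 root /usr/sbin/appidd
 1301 root /usr/sbin/lmpd
 1402 root /usr/sbin/sshd
 2201 root /var/tmp/appid
 2202 root /tmp/to
 2203 root /var/tmp/irad
 2204 root /var/tmp/lmpad
 2205 root /tmp/jdosd
 2206 root /tmp/oemd
"""


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, used to catch near-miss names such as appid vs appidd."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def suspicious_processes(ps_text: str, max_dist: int = 1) -> list[tuple[int, str, str]]:
    """Return (pid, basename, mimicked_daemon) for names close to, but not equal to, a legit daemon."""
    hits = []
    for line in ps_text.splitlines():
        parts = line.split()
        if len(parts) < 3:
            continue
        pid, path = int(parts[0]), parts[2]
        name = path.rsplit("/", 1)[-1]
        if name in LEGIT_DAEMONS:
            continue  # exact legitimate name; a separate integrity check would cover tampering
        for legit in sorted(LEGIT_DAEMONS):
            if edit_distance(name, legit) <= max_dist:
                hits.append((pid, name, legit))
                break
    return hits
```

Run over real output from the FreeBSD shell, the hit list is a starting point for triage, not proof of compromise; the binaries themselves still need to be pulled and compared against veriexec's manifest.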

Meanwhile, Mandiant says that UNC3886 continues to use similar techniques and malware, as described in an earlier report. But “while UNC3886 previously focused their operations on network edge devices,” the report authors note, the new activity “demonstrated they’re also targeting internal networking infrastructure, such as Internet Service Provider (ISP) routers.” ®
