Late-summer CISA alert roundup

At least once or twice a year I like to sift through the Cybersecurity and Infrastructure Security Agency (CISA) alerts and share some of the latest with SmarterMSP.com. The end of summer is one of the best times to do that because people are just settling back into their regular routines. And, sure enough, CISA has plenty for managed service providers (MSPs) to focus on.

Remember when we used to worry about teenagers in hoodies breaking into networks for fun? Those days feel quaint now. This month’s batch of CISA alerts reads like a geopolitical thriller, complete with Chinese state-sponsored hackers, Russian intelligence operatives, and enough vulnerabilities to make your head spin. Let’s dive into what’s been rattling the cybersecurity world.

The big story: A global espionage network gets exposed

The marquee story this month was CISA’s joint advisory with the NSA, FBI, and over a dozen international partners about Chinese state-sponsored hackers running what amounts to a global surveillance operation. They’re calling it AA25-239A, but you might know these bad actors by their industry nicknames: Salt Typhoon, OPERATOR PANDA, RedMike, UNC5807, and GhostEmperor.

Here’s what makes this different from your typical ransomware crew: these aren’t criminals looking for a quick payday. This is an intelligence apparatus conducting long-term espionage campaigns that have been running since at least 2021. They’re not smashing and grabbing—they’re moving in quietly, setting up shop, and staying for the long haul. So if it feels like someone’s watching, you might not be wrong.

Their favorite targets? Telecommunications companies, government agencies, transportation systems, hotels, and military infrastructure. In short, any environment where communications can be intercepted and movements tracked.

How they’re getting in: They love targeting the big backbone routers that telecommunications companies use—those provider edge and customer edge routers that often fly under the security radar. Once they’re in those devices, they can pivot into trusted networks and start collecting sensitive communications.

For MSPs, this is a wake-up call. If your clients are in any of these sectors, or if they’re using equipment from companies that might be compromised, it’s time for some serious network hygiene. The advisory calls out several high-priority CVEs that these groups love to exploit:

These aren’t new vulnerabilities, but they’re still being actively exploited because organizations haven’t patched them. If you’re managing networks for clients, these should be at the top of your remediation list.

Russians targeting western logistics

As if Chinese state-sponsored hackers weren’t enough, CISA also issued an advisory about Russian GRU unit 26165 (also known as APT28 or Fancy Bear) targeting Western logistics companies and tech firms involved in supporting Ukraine.

This campaign has been running since 2022, and it’s exactly what you’d expect from state-sponsored espionage: password spraying, spear-phishing, and modifying Microsoft Exchange mailbox permissions to maintain persistent access. The Russians are particularly interested in companies coordinating, transporting, and delivering foreign assistance to Ukraine.

If your MSP clients include logistics companies or tech firms with any connection to international aid efforts, they need to be extra vigilant. The advisory recommends increasing monitoring for suspicious authentication attempts and implementing strong email security measures.
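The "increase monitoring for suspicious authentication attempts" recommendation can be made concrete. As an added example (not code from the advisory or from SmarterMSP), here is a small Python detector run over constructed sign-in log lines: it flags the password-spraying pattern the advisory attributes to this campaign, one source failing against many distinct accounts in a short window, and then lists any later successful sign-in from that source, which is the account to treat as likely compromised. The log format, thresholds and addresses are assumptions for the sake of the example.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample sign-in events (not real log data). 203.0.113.7 tries many
# accounts once each and then succeeds on one: the spraying pattern.
# 198.51.100.4 is a user mistyping their own password, which should not alert.
SAMPLE_EVENTS = [
    "2025-08-20T09:00:01Z src=203.0.113.7 user=alice result=FAIL",
    "2025-08-20T09:00:03Z src=203.0.113.7 user=bob result=FAIL",
    "2025-08-20T09:00:05Z src=203.0.113.7 user=carol result=FAIL",
    "2025-08-20T09:00:07Z src=203.0.113.7 user=dave result=FAIL",
    "2025-08-20T09:00:09Z src=203.0.113.7 user=erin result=FAIL",
    "2025-08-20T09:00:11Z src=203.0.113.7 user=frank result=SUCCESS",
    "2025-08-20T09:05:00Z src=198.51.100.4 user=alice result=FAIL",
    "2025-08-20T09:05:10Z src=198.51.100.4 user=alice result=FAIL",
    "2025-08-20T09:05:20Z src=198.51.100.4 user=alice result=SUCCESS",
]

def parse_event(line):
    """Parse one 'timestamp key=value ...' line into a dict (assumed format)."""
    ts, rest = line.split(" ", 1)
    fields = dict(kv.split("=", 1) for kv in rest.split())
    fields["ts"] = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")
    return fields

def detect_password_spray(lines, window=timedelta(minutes=10), min_accounts=5):
    """Return {src: sorted accounts} for every source whose failed logins hit
    at least min_accounts distinct accounts inside one sliding time window.
    A single account failing repeatedly (brute force or a typo) does not count."""
    failures = defaultdict(list)  # src -> [(timestamp, user)]
    for ev in map(parse_event, lines):
        if ev["result"] == "FAIL":
            failures[ev["src"]].append((ev["ts"], ev["user"]))
    alerts = {}
    for src, events in failures.items():
        events.sort()
        for i, (start, _) in enumerate(events):
            in_window = {u for t, u in events[i:] if t - start <= window}
            if len(in_window) >= min_accounts:
                alerts[src] = sorted(in_window)
                break
    return alerts

def successes_after_spray(lines, alerts):
    """(src, user) pairs that authenticated successfully from a spraying source;
    these are the accounts to reset and investigate first."""
    return [(ev["src"], ev["user"]) for ev in map(parse_event, lines)
            if ev["src"] in alerts and ev["result"] == "SUCCESS"]

if __name__ == "__main__":
    found = detect_password_spray(SAMPLE_EVENTS)
    print("spray sources:", found)
    print("successes from spray sources:", successes_after_spray(SAMPLE_EVENTS, found))
```

The thresholds (five accounts in ten minutes) are a starting point; tune them against your clients' normal failure rates before alerting on them.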

Microsoft Exchange gets another emergency directive

Speaking of Microsoft Exchange, CISA issued emergency directive 25-02 in response to a high-severity vulnerability (CVE-2025-53786) affecting hybrid Exchange deployments. This one’s particularly severe because it allows attackers with administrative access to an on-premises Exchange server to escalate privileges and potentially compromise the entire Exchange Online environment.

While Microsoft says there’s no observed exploitation yet, CISA isn’t taking chances. They’ve mandated that federal agencies implement Microsoft’s guidance immediately. For MSPs managing hybrid Exchange environments, this should be treated with the same urgency.

CISA’s Known Exploited Vulnerabilities (KEV) catalog continues to expand, with numerous additions this month alone. You might want to check those out too, but I won’t dive into them here; otherwise, this would turn into a book.

Industrial control systems under fire

CISA released a flood of Industrial Control System (ICS) advisories this month—32 on August 14th alone, followed by more throughout the month covering everything from Siemens industrial systems to Mitsubishi air conditioning controls.

While ICS vulnerabilities might seem niche, they’re increasingly relevant as more industrial systems connect to corporate networks. If your MSP serves manufacturing, utilities, or other industrial clients, these advisories deserve attention.

What this means for MSPs

The common thread running through all these alerts is that sophisticated threat actors—whether state-sponsored or criminal—are getting more patient and persistent. They’re not looking for quick hits; they’re establishing long-term access to networks and maintaining it for months or years.

For MSPs, this means:

Network visibility is key. You can’t defend against what you can’t see, and these advanced actors are specifically targeting infrastructure devices that often lack proper monitoring.

Patch management isn’t optional. The fact that decades-old vulnerabilities are still being exploited shows that many organizations are failing at basic hygiene.

Segmentation matters. When these groups get in, they spread laterally. Proper network segmentation can contain the damage.

Authentication is everything. Multifactor authentication and proper credential management can stop many of these attacks in their tracks.

The good news for MSPs is that all these government alerts are essentially free threat intelligence. CISA is doing the heavy lifting of tracking these advanced threat groups and sharing their tactics, techniques, and procedures. The challenge is translating that intelligence into actionable security improvements for your clients.

As one security expert told me recently, “We’re not just fighting cybercriminals anymore—we’re dealing with nation-state intelligence operations with unlimited budgets and years to plan.” That might sound overwhelming, but it’s also an opportunity for MSPs who can help their clients rise to meet this challenge.

This post originally appeared on Smarter MSP.