{"id":2198,"date":"2025-03-05T06:58:01","date_gmt":"2025-03-05T06:58:01","guid":{"rendered":"https:\/\/cybersecurityinfocus.com\/?p=2198"},"modified":"2025-03-05T06:58:01","modified_gmt":"2025-03-05T06:58:01","slug":"chinese-cyber-espionage-growing-across-all-industry-sectors","status":"publish","type":"post","link":"https:\/\/cybersecurityinfocus.com\/?p=2198","title":{"rendered":"Chinese cyber espionage growing across all industry sectors"},"content":{"rendered":"<div>\n<div class=\"grid grid--cols-10@md grid--cols-8@lg article-column\">\n<div class=\"col-12 col-10@md col-6@lg col-start-3@lg\">\n<div class=\"article-column__content\">\n<div class=\"container\"><\/div>\n<p>Security researchers are warning of a significant global rise in Chinese cyberespionage activity against organizations in every industry.<\/p>\n<p>Over the course of 2024, researchers from security firm CrowdStrike observed a 150% average increase in intrusions by Chinese threat actors worldwide, with some sectors experiencing two- to three-fold surges. Researchers at the firm also identified seven new Chinese-origin cyberespionage groups in 2024, many of which exhibited specialized targeting and toolsets.<\/p>\n<p>\u201cThroughout 2024, China-nexus adversaries demonstrated increasingly bold targeting, stealthier tactics, and more specialized operations,\u201d CrowdStrike stated in <a href=\"https:\/\/www.crowdstrike.com\/en-us\/global-threat-report\/\">its 2025 Global Threat Report<\/a>. \u201cTheir underlying motivation is likely China\u2019s desire for regional influence, particularly its goal of eventual reunification with Taiwan, which could ultimately bring China into conflict with the United States.\u201d<\/p>\n<p>The report also highlighted that Chinese groups continue to share malware tools \u2014 a long-standing hallmark of Chinese cyberespionage \u2014 with the KEYPLUG backdoor serving as a prime example. 
China-linked actors also showed a growing focus on cloud environments for data collection, and improved resilience to disruption of their operations by researchers, law enforcement, and government agencies.<\/p>\n<h2 class=\"wp-block-heading\">A sign of China\u2019s maturing cyber capabilities<\/h2>\n<p>CrowdStrike attributes China\u2019s increasingly dominant position in global cyberespionage to a decade of strategic investments, following General Secretary Xi Jinping\u2019s 2014 call for the country to become a cyber power.<\/p>\n<p>These efforts include investments in university programs to cultivate a highly skilled cyber workforce; private sector contracts to provide People\u2019s Liberation Army (PLA), Ministry of Public Security (MPS), and Ministry of State Security (MSS) cyber units with skilled operators and infrastructure; domestic bug hunting and capture-the-flag competitions that feed exploit development programs; and industry networking events where PLA and MSS cyber operators obtain unique tools and tradecraft.<\/p>\n<p>\u201cIt is highly likely that these investments have led to greater operational security (OPSEC) and specialization in China-linked intrusion operations,\u201d the researchers noted. \u201cAdversaries are pre-positioning themselves within critical networks, supported by a broader ecosystem that includes shared tooling, training pipelines, and sophisticated malware development.\u201d<\/p>\n<h2 class=\"wp-block-heading\">New cyber operations in key sectors<\/h2>\n<p>Historically, Chinese cyberespionage groups have predominantly targeted organizations in the government, technology, and telecommunications sectors, and that continued in 2024. 
Government organizations were a target for China-linked threat actors in virtually every region of the world, and Salt Typhoon, a cyber unit tied to China\u2019s MSS, <a href=\"https:\/\/www.csoonline.com\/article\/3632044\/more-telecom-firms-were-breached-by-chinese-hackers-than-previously-reported.html\">made headlines in recent months<\/a> after compromising major telecom and ISP networks in the US; the same type of targeting is also common in Asia and Africa.<\/p>\n<p>But it was financial services, media, manufacturing, industrials, and engineering that saw the biggest surges in China-linked intrusions last year, with growth rates of 200-300% compared to 2023. Overall, both the number of intrusions and the number of new Chinese cyberespionage groups grew across the board.<\/p>\n<p>Three Chinese groups that CrowdStrike tracks as Liminal Panda, Locksmith Panda, and Operator Panda appear to specialize in targeting and compromising telecommunications entities.<\/p>\n<p>Liminal Panda in particular has demonstrated extensive knowledge of telecom networks and of how to exploit interconnections between providers to move laterally and initiate intrusions across regions. Locksmith Panda appears more focused on Indonesia, Taiwan, and Hong Kong, but with broader sector targeting that extends to technology, gaming, and energy companies, as well as democracy activists.<\/p>\n<p>Operator Panda, which appears to be CrowdStrike\u2019s name for the group known as Salt Typhoon, specializes in exploiting internet-facing appliances such as Cisco switches. 
In addition to telecom operators, the group has also targeted professional services firms.<\/p>\n<p>Vault Panda and Envoy Panda are two groups that target government entities, but whereas Vault Panda is broad in its targeting, also going after financial services, gambling, technology, academic, and defense organizations, Envoy Panda appears focused on diplomatic entities, especially those from Africa and the Middle East.<\/p>\n<p>Vault Panda has used many malware families shared among Chinese threat actors, including KEYPLUG, Winnti, Melofee, HelloBot, and ShadowPad. The group regularly exploits vulnerabilities in public-facing web applications to gain initial access. Envoy Panda, meanwhile, is known for its use of Turian, PlugX, and Smanager. PlugX, aka Korplug, is one of the oldest remote access trojans used by China-linked cyberespionage groups, with original versions dating back to 2008.<\/p>\n<p>Chinese threat groups also commonly share so-called <a href=\"https:\/\/cloud.google.com\/blog\/topics\/threat-intelligence\/china-nexus-espionage-orb-networks\">ORB (Operational Relay Box) networks<\/a>, which consist of thousands of compromised IoT devices and virtual private servers used to route traffic and conceal espionage operations. These networks resemble botnets but are used primarily as proxies, and they are often administered by independent contractors based in China. 
They complicate attribution because the IP addresses of the nodes in use are typically short-lived, so an address observed in one intrusion rarely maps back to a stable piece of operator infrastructure.<\/p>\n<p>\u201cDespite law enforcement attempts to disrupt the ORB networks, China-nexus adversaries continue to use these resources as a key part of their operations,\u201d the CrowdStrike researchers wrote.<\/p>\n<h2 class=\"wp-block-heading\">Better identity management and adversary-centric patching<\/h2>\n<p>Some of the most common intrusion methods last year were compromised credentials, misconfigurations, and unpatched vulnerabilities in public-facing assets, whether web applications or network appliances.<\/p>\n<p><a href=\"https:\/\/www.csoonline.com\/article\/3836917\/cisos-should-address-identity-management-as-fast-as-they-can-says-crowdstrike-exec.html\">Simply relying on multi-factor authentication is not enough<\/a> to prevent complex breaches that rely on social engineering and impersonation to exploit existing relationships. Organizations need to use conditional access policies, regularly review account activity, and monitor for signs of unusual user behavior that could indicate a compromised account.<\/p>\n<p>Furthermore, attackers are quick to adopt new techniques and proof-of-concept exploits from technical blogs and to combine them in multi-stage attack chains. Vulnerabilities in internet-facing systems should be prioritized, as should flaws that have publicly available exploits or are known to be actively exploited by threat groups targeting your industry (CISA\u2019s Known Exploited Vulnerabilities catalog is one public source for the latter), even if they don\u2019t carry the highest severity scores.<\/p>\n<p>\u201cMonitoring for subtle signs of exploit chaining, such as unexpected crashes or privilege escalation attempts, can help detect attacks before they progress,\u201d the researchers wrote.<\/p>\n<\/div>\n<\/div>\n<\/div>\n<\/div>","protected":false},"excerpt":{"rendered":"<p>Security researchers are warning of a significant global rise in Chinese cyberespionage activity against organizations in every industry. 
Over the course of 2024, researchers from security firm CrowdStrike observed a 150% average increase in intrusions by Chinese threat actors worldwide, with some sectors experiencing two- to three-fold surges. Researchers at the firm also identified seven [&hellip;]<\/p>\n","protected":false},"author":0,"featured_media":2199,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[3],"tags":[],"class_list":["post-2198","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-education"],"_links":{"self":[{"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/posts\/2198"}],"collection":[{"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/types\/post"}],"replies":[{"embeddable":true,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=2198"}],"version-history":[{"count":0,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/posts\/2198\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/media\/2199"}],"wp:attachment":[{"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=2198"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=2198"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=2198"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}