Why China Represents a Different Class of Cyber Risk
They Emphasize Long-Term Access, Not One-Time Attacks
The People’s Republic of China (PRC) operates the most persistent and structurally complex state-sponsored offensive cyber ecosystem in the world. It’s optimized for scale, deniability, and longevity.
Unlike adversaries focused on disruption or financial gain, Chinese cyber operations emphasize:
- Long-term, covert access over immediate impact
- Infrastructure and supply-chain compromise over endpoints alone
- Strategic patience measured in years, not days
Their Strategic Goals Equate to Increased Enterprise Risk
China’s cyber operations consistently align to three national priorities that translate directly into enterprise risk:
- Technology & Economic Advantage: Persistent theft of intellectual property and sensitive research to accelerate domestic innovation.
- Military Readiness & Crisis Leverage: Pre-positioned access in telecommunications and infrastructure to enable future intelligence dominance or disruption.
- Political Stability & Influence: Surveillance and influence operations that extend beyond borders into diaspora, media, and policy communities.
These objectives explain why Chinese intrusions often remain dormant, quietly embedded until strategic conditions change.
Organizational Architecture of PRC Cyber Operations
China’s cyber power is distributed across four key state entities, each with distinct mandates and operational styles. This fragmentation complicates attribution and defense while maximizing resilience and scale.
Ministry of State Security (MSS): Strategic Espionage
The MSS is China’s primary civilian intelligence service and the engine behind large-scale cyber espionage.
Key Focus Areas:
- Intellectual property and technology theft
- Political and economic intelligence
- Counter-intelligence and dissident monitoring
Why It Matters:
MSS operations are highly persistent, often leveraging provincial bureaus and contractors to maintain long-term, low-noise access across global enterprises.
People’s Liberation Army (PLA) & Strategic Support Force (SSF): Cyber Warfare
The PLA & SSF integrate cyber, space, electronic, and psychological warfare.
Key Characteristics:
- Minimal outsourcing
- High operational security
- Focus on wartime pre-positioning
Why It Matters:
PLA-linked intrusions often target infrastructure-level systems, treating peacetime access as preparation for future conflict.
Ministry of Public Security (MPS): Surveillance at Scale
The MPS supports domestic stability and transnational surveillance, relying heavily on contractors.
Key Characteristics:
- High-volume operations
- Regional targeting
- Variable operational discipline
Why It Matters:
MPS activity creates widespread exposure and noisy signals that may mask deeper, more strategic compromises.
United Front Work Department (UFWD): Influence & Coercion
The UFWD coordinates political influence and repression efforts, tasking cyber-capable partners to execute operations.
Targets Include:
- Diaspora communities
- Journalists
- Activists
From Espionage to Pre-Positioning: A Strategic Shift in Chinese Cyber Operations
Recent campaigns indicate a clear evolution in Chinese cyber strategy where access itself has become the objective. Rather than focusing exclusively on endpoint compromise, PRC actors increasingly target:
- Backbone routers
- Telecommunications infrastructure
- Network management systems
Why This Matters:
- Trusted-path compromise bypasses traditional perimeter defenses
- Infrastructure access enables massive visibility
- Firmware-level persistence allows multi-year dwell time
Who are the main Chinese cyber threat groups?
In the same way China distributes its cyber powers across several state entities, it also distributes its activities across a number of threat actors to further complicate attribution and defense while maximizing resilience and scale.
The “Big Three” Infrastructure Actors
These groups are currently the highest priority for global defense because they focus on long-term access to critical systems (e.g., power, water, telecom) rather than just stealing files.
- Volt Typhoon (Vanguard Panda / BRASS TYPHOON):
  - Focus: U.S. and Allied critical infrastructure (energy, water, transportation).
  - Strategy: Living off the Land (LOTL). They rarely use custom malware; instead they use legitimate administrative tools already on the system (like PowerShell or WMI) to remain invisible.
  - Current Status (2026): Despite massive “takedown” efforts in 2024-2025, they remain embedded in SOHO routers and edge devices, creating a “mesh” network of compromised home office equipment to hide their traffic.
- Salt Typhoon:
  - Focus: Global telecommunications and managed service providers (MSPs).
  - Strategy: They target the “backbone” of the internet. By compromising major telecommunications providers, they gain indirect access to the communications of government and corporate targets without ever touching the victim’s actual network.
- Flax Typhoon (RedJuliett):
  - Focus: Government agencies and high-tech industries in Taiwan, South Korea, and the US.
  - Strategy: Known for maintaining massive botnets (estimated at over 260,000 devices) composed of compromised IoT devices and routers to launch and hide their operations.
The Multi-Mission Espionage Groups
These groups are the “workhorses” of Chinese intelligence, often blending state-sponsored espionage with financially motivated cybercrime.
- APT41 (Double Dragon / BRASS TYPHOON / MISSION2025):
  - Specialty: Software supply chain attacks and zero-day exploitation.
  - 2026 Activity: They have recently been observed exploiting Chrome V8 engine and Ivanti EPMM vulnerabilities. They are famous for a “day job” of state espionage and a “night job” of hacking video game companies or cryptocurrency for personal profit.
- Mustang Panda (Bronze President / RedDelta):
  - Focus: Diplomatic and government entities, particularly those involved in South China Sea policy and the “Belt and Road” initiative.
  - Strategy: Massive spear-phishing campaigns using decoy documents related to regional summits (ASEAN, EU-China relations).
- APT10 (Cicada / Stone Panda):
  - Focus: Global MSPs.
  - Strategy: One of the oldest groups, they “leapfrog” from service providers into the networks of their actual targets (law firms, tech companies, and refineries).
Learn more about how Salt Typhoon has been quietly infiltrating critical infrastructure worldwide by exploiting outdated routers, weak credentials, and living-off-the-land (LOTL) techniques in this episode of the Cyber Resilience Brief podcast.
What techniques do Chinese cyber actors use?
Across Chinese state-sponsored campaigns, defenders repeatedly observe:
- Extensive reconnaissance-driven phishing
- Supply-chain and MSP compromise
- Living-off-the-land (LOTL) persistence
- Minimal reliance on bespoke malware
- Abuse of trusted infrastructure for C2 and movement
The emphasis is durability and stealth—not speed.
What industries do Chinese cyber actors target?
Chinese state-sponsored threat actors have systematically focused on compromising organizations in sectors like:
- Critical Infrastructure
- Telecommunications
- Healthcare
- Government & Military Networks
- Technology & Manufacturing
- Transportation
Their operations increasingly focus on exploiting backbone routers and trusted interconnections. In some campaigns, they modify infrastructure for long-term access and to support large-scale intelligence collection and surveillance objectives.
What major cyber campaigns are linked to China?
Chinese state-sponsored actors have been conducting global campaigns since at least 2021, leveraging both state-linked front companies and compromised network devices.
BrickStorm Malware
Designed for durability and stealth, BrickStorm malware is a sophisticated backdoor leveraged in VMware vSphere and Windows environments to achieve long-term persistence, perform credential theft, exfiltrate data, and conduct stealthy command-and-control operations.
To achieve this, it:
- Blends its traffic with legitimate HTTPS/WebSocket activity
- Uses DNS-over-HTTPS for C2 discovery
- Employs multiple persistence mechanisms, including modifying VMware init scripts and self-watching process logic
- Includes SOCKS proxy functionality for lateral movement and full file-system manipulation
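Because one of BrickStorm's persistence mechanisms is editing init scripts, the corresponding defensive control is a baseline-and-compare integrity check over the host's startup scripts. The following is an added example (not SafeBreach's code and not a BrickStorm artifact): it hashes every file under a directory into a baseline, then reports files that were added, removed or modified since. The `demo()` function builds a constructed, throwaway directory (the `init.d` name and file contents are placeholders, not real VMware paths) so the check runs offline.

```python
"""Baseline-and-compare integrity check for startup scripts (added example)."""
import hashlib
import os
import tempfile


def sha256_file(path):
    """Stream a file through SHA-256 so large scripts do not need to fit in memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_baseline(root):
    """Map every file under root (relative path) to its SHA-256 digest."""
    baseline = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            baseline[os.path.relpath(full, root)] = sha256_file(full)
    return baseline


def diff_baseline(old, new):
    """Classify changes between two baselines: added, removed and modified paths."""
    return {
        "added": sorted(set(new) - set(old)),
        "removed": sorted(set(old) - set(new)),
        "modified": sorted(p for p in old.keys() & new.keys() if old[p] != new[p]),
    }


def demo():
    """Constructed scenario: baseline a fake init directory, then simulate
    one script being edited and one new script being dropped in."""
    with tempfile.TemporaryDirectory() as root:
        init_dir = os.path.join(root, "init.d")  # placeholder, not a real product path
        os.makedirs(init_dir)
        with open(os.path.join(init_dir, "service-a"), "w") as fh:
            fh.write("#!/bin/sh\nexec /opt/service-a/run\n")
        with open(os.path.join(init_dir, "service-b"), "w") as fh:
            fh.write("#!/bin/sh\nexec /opt/service-b/run\n")
        before = build_baseline(root)

        # Simulated tampering: an existing script gains an extra line, and a
        # new script appears. Contents are placeholders.
        with open(os.path.join(init_dir, "service-a"), "a") as fh:
            fh.write("/tmp/placeholder-extra &\n")
        with open(os.path.join(init_dir, "zz-persist"), "w") as fh:
            fh.write("#!/bin/sh\n/tmp/placeholder-extra &\n")
        after = build_baseline(root)

        return diff_baseline(before, after)


if __name__ == "__main__":
    print(demo())
```

In practice the baseline would be captured from a known-good image and stored off-host, and the comparison scheduled to run far more often than the multi-year dwell times described above, since a modified startup script is one of the few durable on-disk traces of this kind of persistence.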
Ghost (Cringe) Ransomware
Focused primarily on financial gain, the Ghost ransomware variant uses publicly available code to exploit Common Vulnerabilities and Exposures (CVEs) and gain access to Internet-facing servers that are running outdated versions of software and firmware.
To complicate attribution, Ghost actors are known to:
- Use numerous ransom email addresses
- Rotate their ransomware executable payloads
- Switch file extensions for encrypted files
- Modify ransom note text
How can organizations defend against Chinese cyber operations?
While Chinese state-sponsored threat actors are stealthy, there are early warning signs and recurring patterns that defenders can monitor to identify PRC activity:
- Unexpected network device configuration changes
- Firmware anomalies or unexplained reboots
- Lateral movement originating from service providers
- Long-term credential reuse
- Administrative tool abuse over malware deployment
No single signal is decisive, but correlation over time is critical.
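The point that no single signal is decisive but correlation over time is, translates naturally into a scoring rule. The following is an added example (not SafeBreach's code): it ingests constructed log lines tagged with the five signal categories listed above, keeps a rolling window per asset long enough to catch slow-burn activity, and flags an asset only when several distinct categories co-occur inside that window. The log format, the per-category weights, the 90-day window and the threshold are all assumptions chosen for illustration.

```python
"""Score assets on co-occurring weak signals over a long window (added example)."""
from collections import defaultdict
from datetime import datetime, timedelta

# Signal categories mirror the warning-sign list above; weights are an assumption.
WEIGHTS = {
    "config_change": 1,               # unexpected network device configuration change
    "firmware_anomaly": 2,            # firmware anomaly or unexplained reboot
    "provider_lateral_movement": 3,   # lateral movement originating from a service provider
    "credential_reuse": 1,            # long-term credential reuse
    "admin_tool_abuse": 2,            # administrative tool abuse rather than malware
}
WINDOW = timedelta(days=90)   # long-dwell adversaries: correlate over months, not hours
THRESHOLD = 5                 # assumption: alert at summed weight >= 5 with >= 3 categories
MIN_CATEGORIES = 3

# Constructed sample log: "<ISO timestamp> <asset> <signal_category>".
SAMPLE_LOG = [
    "2025-01-10T08:00:00 edge-router-1 config_change",
    "2025-01-05T09:30:00 core-switch-7 config_change",
    "2024-06-01T02:15:00 fileserver-2 firmware_anomaly",
    "2025-02-03T03:45:00 edge-router-1 firmware_anomaly",
    "2025-03-20T22:10:00 edge-router-1 admin_tool_abuse",
    "2025-04-02T11:00:00 core-switch-7 config_change",
    "2025-05-01T14:20:00 fileserver-2 admin_tool_abuse",
]


def parse_event(line):
    """Parse one constructed log line into (timestamp, asset, category)."""
    ts, asset, signal = line.split()
    if signal not in WEIGHTS:
        raise ValueError(f"unknown signal category: {signal}")
    return datetime.fromisoformat(ts), asset, signal


def correlate(lines, window=WINDOW, threshold=THRESHOLD, min_categories=MIN_CATEGORIES):
    """Return {asset: (score, categories)} for assets whose best rolling window
    reaches the threshold with enough distinct signal categories."""
    events = defaultdict(list)
    for line in lines:
        ts, asset, signal = parse_event(line)
        events[asset].append((ts, signal))

    flagged = {}
    for asset, evs in events.items():
        evs.sort()
        best = (0, ())
        # For each event, look back over the window ending at that event and
        # count distinct categories; a repeated category adds nothing.
        for i, (end_ts, _) in enumerate(evs):
            cats = {s for ts, s in evs[: i + 1] if end_ts - ts <= window}
            score = sum(WEIGHTS[c] for c in cats)
            if score > best[0]:
                best = (score, tuple(sorted(cats)))
        if best[0] >= threshold and len(best[1]) >= min_categories:
            flagged[asset] = best
    return flagged


if __name__ == "__main__":
    for asset, (score, cats) in correlate(SAMPLE_LOG).items():
        print(f"{asset}: score={score} categories={', '.join(cats)}")
```

On the constructed log, only `edge-router-1` is flagged: three different categories land inside one 90-day window. `core-switch-7` shows repeated configuration changes but only one category, and `fileserver-2` has two categories separated by almost a year, so neither reaches the bar. Real deployments would feed this from the network-device, firmware and identity logs the signals come from rather than a flat list, but the design decision is the same: reward diversity of weak evidence on one asset over time, not volume of any single signal.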
What This Means for CISOs
China’s cyber model invalidates many traditional security assumptions:
- Perimeter defenses cannot protect trusted infrastructure paths
- Point-in-time assessments miss long-dwell adversaries
- Third-party and network-layer exposure often exceeds direct enterprise risk
Most critically, Chinese actors plan on being inside environments before a crisis begins.
For CISOs, the strategic question shifts from “Are we secure?” to: “Can we prove that our controls would actually stop or expose a real-world attack path by these threat actors today?”
This requires continuous, evidence-based validation — not assumptions based on having controls deployed.
Learn more about President Trump’s 2026 Cyber Strategy and why it signals a massive shift from reactive defense to proactive, offensive cybersecurity to better defend against state-sponsored threat actors.
Turning Threat Intelligence Into Measurable Resilience
Threat intelligence about Chinese threat actors explains who the adversary is, but it does not reveal whether your organization is exposed to the threat they pose.
SafeBreach helps CISOs answer the questions that matter:
- Could Chinese state-sponsored threat actors move laterally in our environment today?
- Would infrastructure-level access be detected?
- Where do controls fail silently over time?
By safely emulating real TTPs of Chinese state-sponsored threat actors, SafeBreach enables organizations to:
- Validate detection and response against nation-state techniques
- Expose hidden attack paths across hybrid environments
- Prioritize remediation based on proven risk
This is how intelligence becomes defensible, board-level cyber resilience—before dormant access turns into active impact.
