How have Chinese cyber groups allegedly targeted governments, intellectual property, and critical infrastructure globally?

Chinese cyber groups, allegedly operating at the behest of or in close association with the Chinese government, have employed a diverse range of sophisticated tactics to target governments, steal intellectual property, and infiltrate critical infrastructure globally.

Their methods are designed for stealth, persistence, and to achieve strategic objectives.

Here's how they've allegedly carried out these operations:

Targeting Governments

Chinese cyber groups target governments primarily for espionage, intelligence gathering, and influence operations.

  • Cyber Espionage:

    • Data Theft: Stealing classified documents, diplomatic communications, military plans, and sensitive personal information of government officials and personnel (e.g., APT10 stealing data of over 100,000 U.S. Navy personnel). This provides Beijing with strategic insights and leverage.

    • Compromising Government Networks: Gaining long-term access to government systems to monitor activities, exfiltrate data, and potentially prepare for future disruptive actions.

    • Targeting Foreign Ministries: Groups like APT31 have been accused of sustained attacks on the unclassified networks of foreign ministries, such as the Czech Ministry of Foreign Affairs.

  • Methods of Initial Access:

    • Spear-Phishing: Sending highly tailored emails with malicious attachments or links that appear legitimate (e.g., job vacancies, investment proposals from compromised university accounts) to government employees to gain initial access to their systems (e.g., Proofpoint's findings on attacks against Taiwanese semiconductor companies).

    • Exploiting Software Vulnerabilities: Rapidly exploiting newly disclosed or zero-day vulnerabilities in widely used software and network devices (e.g., Hafnium's exploitation of Microsoft Exchange Server vulnerabilities, APT41 using ProxyLogon, UNC3886 hacking Juniper, Fortinet, and VMware devices).

    • Supply Chain Attacks: Compromising software or hardware vendors to inject malware into products that are then used by government agencies.

    • Managed Service Provider (MSP) Exploitation: APT10 notably used MSPs as a stepping stone. By breaching an MSP's network, they could then pivot to access the networks of numerous government clients.

  • Techniques for Persistence and Evasion:

    • Custom Malware and Tools: Deploying sophisticated custom-built malware (like backdoors and reverse shells) designed to evade detection.

    • Living Off the Land (LotL): Utilizing legitimate tools already present on compromised systems (e.g., PowerShell, Windows Management Instrumentation, Cobalt Strike) to blend in with normal network activity and avoid detection. Volt Typhoon is particularly known for this.

    • Establishing Footholds: Creating persistent access points, often by installing web shells or backdoors, to ensure continued access even if initial vulnerabilities are patched.

    • Evasion of Monitoring: Utilizing techniques like DLL sideloading and specific language pack checks (as seen with recent APT41 campaigns in Africa) to bypass security measures.

Stealing Intellectual Property (IP)

IP theft is a cornerstone of China's alleged cyber activities, aimed at accelerating its economic and military development.

  • Targeted Industries: High-tech, pharmaceuticals, aerospace, defense, energy, manufacturing, semiconductors, telecommunications, and cutting-edge research institutions.

  • What they steal: R&D data, blueprints, manufacturing processes, proprietary algorithms, trade secrets, business strategies, and even clinical trial data (e.g., Hafnium targeting COVID-19 researchers).

  • Techniques:

    • Targeted Phishing: Similar to government targeting, but tailored to specific company employees with access to valuable IP.

    • Vulnerability Exploitation: Leveraging vulnerabilities in corporate networks, often in commonly used software or network devices.

    • Insider Threats (sometimes): While not exclusively cyber, China has also been accused of cultivating human sources within companies to aid in IP theft, sometimes in conjunction with cyber operations.

    • Supply Chain Compromise: Infiltrating technology providers to gain access to their clients' IP.

    • Managed Service Providers (MSPs): As seen with APT10, compromising an MSP provides a single point of entry to dozens or hundreds of client networks, vastly expanding the potential for IP theft.

    • Long-Term Persistence: Maintaining covert access to networks for extended periods (months or years) to continuously exfiltrate newly developed IP.

Infiltrating Critical Infrastructure

This is perhaps the most concerning aspect of China's alleged cyber activities, as it carries the potential for significant real-world disruption and even physical harm.

  • Targets: Energy grids, telecommunications networks, water treatment facilities, transportation systems, pipelines, and industrial control systems (ICS).

  • Goal: Primarily pre-positioning for future disruptive or destructive attacks in the event of a geopolitical crisis (e.g., concerning Taiwan). This means gaining access and establishing persistent footholds that could be activated at a later date to cause outages or malfunctions.

  • Groups and their methods:

    • Volt Typhoon (Volcano): Has been widely reported for its focus on pre-positioning within critical infrastructure in the U.S. and other nations. They utilize "living off the land" techniques to blend in with normal network activity, making them extremely difficult to detect. Their goal is to maintain long-term, covert access that could be used to disrupt communications between the U.S. and Asia or impede U.S. military mobilization.

    • UNC3886: Singapore recently accused this China-linked group of actively attacking its critical information infrastructure, including telecommunications. UNC3886 is known for exploiting zero-day vulnerabilities in routers and security devices (Juniper Networks, Fortinet, VMware) to establish long-term persistence in critical networks.

    • Salt Typhoon (RedMike): Accused of large-scale exploitation of Cisco equipment vulnerabilities (CVE-2023-20198 and CVE-2023-20273) in global telecommunications companies since late 2024. This allows them persistent control, potentially for eavesdropping or sabotage.

    • APT41: While also involved in espionage and financial crime, APT41 has targeted telecom and energy providers, among others, demonstrating an interest in critical infrastructure.

  • Techniques:

    • Exploiting Edge Devices: Targeting internet-facing devices like routers, firewalls, and VPNs that are often less monitored than internal systems.

    • Supply Chain Compromise: Infiltrating equipment manufacturers or software providers that supply critical infrastructure components.

    • Operational Technology (OT) & Industrial Control Systems (ICS): While specific public accusations are less frequent, the long-term pre-positioning efforts suggest an interest in gaining access to the operational technology that directly controls industrial processes.

In essence, Chinese cyber groups employ a patient, persistent, and highly adaptable approach, constantly refining their tactics to evade detection while pursuing strategic objectives related to national security, economic advantage, and geopolitical influence.
