Red Hot Cyber

Xi Jinping and the Chinese APT’s Ambition

Alessio Stefan : 8 September 2025 08:19

The post-COVID macro political movements, including ongoing conflicts, have prompted a majority of states to shift their medium- to long-term political objectives. Clearly, a paradigm shift has been very common in the war sector, with Europe attempting to shift some of its member states’ resources, and the United States increasingly adopting a highly protectionist economic stance, using tariffs as a means of reducing trade deficits with key countries, including China.

INTRO – The Silence of the Dragons

The recent decisions taken by POTUS Donald Trump regarding the Chinese economic entity are nothing more than the continuation of decisions taken in his first mandate in 2018, which CCP leaders accused of perpetuating nationalistic protectionism and damaging relations between the two countries [1]. Russia’s decisions have also immediately raised a question mark over China’s position regarding the Ukrainian invasion, given the lukewarm position of Xi Jinping and his representatives [2].

The Chinese silence is becoming increasingly deafening, creating a sort of embarrassment among those present who prefer to avoid drawing too much attention to this Eastern state that is behaving strangely calmly in the midst of this series of global events we are all witnessing.

While it’s true that Xi Jinping prefers listening over the typical communication methods of Western leaders (e.g., press conferences, public statements, and positions), this doesn’t imply a lack of clarity about the direction his country has decided to take (note that clarity is not synonymous with transparency). Xi Jinping has stated on several occasions that he wants China to become a “cyber superpower” [3], with results so far consistent with his intentions.

For the US, China is a silent and cumbersome presence that has been present since 2013 [4]. It has made digital space a domain of significant importance for dominating its competitors (primarily Western countries). Control of these areas is shifting in a manner related to, but independent of, the territory we consider traditional. Even in times of peace, China has always been active in the global internet in various forms.

These forms are not to be understood solely as APT collectives or purely offensive entities; China has always offered an alternative to Western tech products such as phones, computers, IoT devices, and, more recently, robotics. This market growth has allowed for increased capabilities to collect, send, and analyze data, even (or rather, especially) for Western and non-Western citizens [5][6][7].

China presents itself to the world as a new hub of innovation and efficiency while developing its sophisticated, persistent, and offensive digital profile. To fully understand Chinese threats, one must understand the country’s various aspects, mechanisms, and components. The People’s Republic of China (PRC) is considered a cyber threat veteran, having been present since 2002 with APT1 (attributed to PLA Unit 61398) [8]. In this article, we will explore the Chinese threat ecosystem and how it has evolved over time.

The Five-Year Plan – Economic plans, espionage, and digital battlegrounds

How did we go from simple declarations to a specialized and active operational apparatus like the Chinese one?

The brevity of this type of question risks overlooking important aspects of defining China’s threats, its capabilities on the ground, and its victimology. To gain the correct understanding, we must analyze China as a whole; this task is neither simple nor straightforward. Nevertheless, we can start from China’s economic model to model a seemingly closed and opaque scenario.

Aside from the simplified definitions that equate “China = Communism” (the name of the ruling party is easily confusing), if we really want to assign a label to China today, “Socialism” is the most appropriate. Xi Jinping has sought to promote innovation in his economic model, identifying public-private cooperation as a lever to increase GDP and the purchasing power of its citizens. In short, the CCP identifies itself as a communist organization, but its policies are shifting toward a “modernized” socialism to address current challenges.

The PRC is implementing a shift from an economy centered on the export of goods to one based on domestic consumption by encouraging a circular model in the movement of money/goods [9].

In this (specific) economic model, companies exist thanks to subsidies and government interventions, while decision-making freedom is left to private individuals. This vibrant environment is accompanied by a series of companies owned or part-owned by the Chinese government and by an equal number of mixed scenarios. The CCP also controls market access, and to join, one must be aligned with the established objectives by consolidating public-private partnerships.

The CCP’s membership comprises approximately 7% of the Chinese population (more than 100 million), allowing it to include different archetypes of the country’s socio-economic fabric. Furthermore, the line between state and private ownership is becoming increasingly blurred thanks to a law allowing the state to insert CCP “cells” (units that explicitly carry out party activities) within private companies (including foreign ones based in China), leaving a question mark over the role of the latter [10][11][12][13][14].

A second (but not secondary) aspect of the Chinese economy is the Five-Year Plan, a series of initiatives, proposals, and plans for economic and social development released by the CCP every five years. This methodology and planning dates back to 1953, and the current plan (2021-2025) is the 14th in the history of the PRC (People’s Republic of China). To avoid being verbose, we won’t cover the entire contents of the Five-Year Plan and will simply provide a high-level overview.

The five-year document contains the responsibilities and positions that the government will have to face during the period in question, as well as a blueprint of the country’s economic and development flows [15][16][17]. Exploring this plan as fully as possible and correlating it with Chinese APT campaigns abroad allows us to sort out and clarify the organization of these threats and their implications for predicting attacks on specific assets [18].

2011-2015

China’s 12th Five-Year Plan focused on restructuring domestic demand by introducing social welfare funds to boost domestic flows and ensure stability in domestic demand. Particular attention should be paid to the CCP’s desire to create a technology industry that could make China independent of imports of foreign technological components. For this reason, the ICT sector was included in the list of “7 Strategic Emerging Industries,” incentivizing the creation of cloud systems, integrated circuits, software, and broadband distribution to the public and businesses [19][20].

During this historical period, China has succeeded in narrowing the gap with other world powers in this specific sector by seeking to project this new knowledge into the years to come. The seven key sectors of the 12th Five-Year Plan are as follows:

  1. ICT
  2. Biotechnologies
  3. Environmental Protection (e.g., recycling tools, pollution mitigation)
  4. Automotive
  5. Maritime Engineering and Economics (Ocean Economy)
  6. Materials (e.g., rare earths, LEDs, membranes, fibers, plastics)
  7. New Energy (e.g., solar, wind, nuclear)

The first actor to appear is APT41 (a.k.a. Double Dragon, Winnti; active since 2011/2012) [21], with campaigns against Western companies belonging to the video game sector [22]. This first part of the campaign aimed to steal certificates from companies such as KOG, Neowiz (South Korea), and YNK (Japan). The certificates were then used to sign malware executables used by the APT itself and other Chinese actors [23]. In its embryonic phase, APT41 provided the lifeblood to take Chinese offensive campaigns to the next level.

Source : Mandiant

This initial period (1-2 years) of continued focus on the gaming industry (including publishers and developers), which continued at least until 2014, also led to the compromise of machines containing source code for products in production, payment systems, supply chain compromises and, in some specific cases, even the deployment of ransomware (we’ll cover this in more detail later in the article).

Since 2013, Double Dragon has launched full-scale espionage operations in the high-tech, pharmaceutical, healthcare, energy, and government sectors in at least 14 different countries. This APT has focused heavily on the ICT and high-tech sectors with the ultimate goal of gaining access to individual and industrial property in this sector. More than 100 companies in the telecommunications, technology, and healthcare sectors have been impacted by APT41 campaigns during this period.

Also in 2013, another Chinese offensive entity joined to support the ongoing Five-Year Plan with objectives similar to Double Dragon’s. APT40 [24] (a.k.a. Leviathan; formed around 2009) played an important role in actions against countries strategically relevant to the Belt & Road Initiative (BRI/B&R) [25], that is, the trade development plan signed by China in 2013, which aimed to create infrastructure connecting China, Central Asia, and Europe via land and sea. According to China, the BRI was intended to foster and encourage trade agreements, logistical improvements, and cultural exchanges between the countries in question. This geopolitical initiative was clearly part of China’s 12th Five-Year Plan, and Leviathan played a key role in digitally controlling the areas in question.

During this period, APT40 heavily targeted the maritime sector, which can be divided into two main macro areas: R&D and the maritime shipping industry. This focus has continued even in the years following this specific Five-Year Plan [26][27]. These types of campaigns also focused on stealing strategically and logistically sensitive information. More specifically, this APT carried out offensive operations in the South China Sea, a region crossed by a third of global goods [28].

Interestingly, this geographical area had become a subject of political and military tensions, which led China and the ASEAN countries to sign a conduct agreement (2002) that aimed to avoid behaviors that could lead to escalation by promoting peaceful resolutions [29]. Through APT40, China has found a gray area (or at least an “acceptable” one to avoid creating tensions between the countries in question) in which to carry out espionage operations, giving it an advantage over the ASEAN countries.

Source : UrsaSpace

These operations allowed for a potentially extremely significant strategic advantage by understanding maritime trade routes, the type of goods transported, and pricing tactics. Having access to this type of information enables economic and political decisions that can manipulate and influence maritime trade to one’s advantage (which, remember, comprises approximately 80% of the goods transported in world trade). Not surprisingly, in 2015, China’s maritime sector, thanks to the 12th Five-Year Plan, grew significantly [30], playing a key role for China and its trading allies.

As regards the maritime R&D sector, several universities and engineering and maritime defence bodies [31][32] have fallen victim to Leviathan, providing the APT with files and data useful for the construction of both military and non-military naval vessels. China’s military power must rely on its navy for both its political (e.g., Taiwan, the US presence on the coasts of the South China Sea) and economic interests. During this period, the Chinese navy has surpassed (in numbers) the US, allowing it to have a greater presence in the blue territory [33][34].

Again, according to US sources [35], APT40 reportedly began during this period to take an interest in extracting health-related trade secrets, including those concerning genetic sequencing techniques.

Finally, APT1 [36] (a.k.a. Unit61398; first observed in 2002) played a more aggressive role in the US, impacting approximately 141 organizations across 20 different sectors (according to CISA) [37]. Since 2013, APT1 has stolen terabytes of data from organizations in the automotive sector (particularly information on the development of electric and hybrid vehicles), information technology, biotechnology, medical equipment, environmentally friendly technologies, and other products covered by the 12th Five-Year Plan.

According to incident response investigations, Unit61398 managed to maintain persistence within networks for at least 365 days while transferring large amounts of data to servers under its control. Most of APT1’s victims overall are based (or headquartered) in English-speaking countries.

To conclude this first (sub)section, we cannot fail to mention the meeting between Xi Jinping and Obama in 2015, which ended with an agreement between the two countries to cease any digital offensive operation on their respective territories [38][39]. Specifically, the two countries promised each other to prohibit the theft of intellectual property. In April 2015, an unidentified Chinese APT allegedly penetrated the defenses of the Office of Personnel Management (OPM) [40][41], obtaining information on some U.S. federal staff.

Source : Adam Segal

Prior to this specific Five-Year Plan, a Chinese digital espionage operation was already underway targeting several countries in Asia (including China) and the United States. Operation Iron Tiger dates back to 2010, where (according to investigations) it targeted victims in the education and government/political sectors of several Asian countries. Since 2013, the same actors have shifted their focus to the US, targeting the Energy, Technology, Telecommunications, and Manufacturing sectors, aligning with China’s ongoing economic self-sufficiency plan.

According to analysts, the shift in victimology was quite clear, with an approach that emphasized quality over quantity and heavy use of social engineering. The victims shared the fact that they were large companies with ties to the US government for defense, aerospace, and energy projects. The actor behind this meticulous operation was APT27 (a.k.a. Emissary Panda), which first appeared in the early stages of Iron Tiger in 2010.

In addition to the now obvious exfiltration of intellectual property, the post-initial access phases included obtaining emails, planning and financial documentation, and everything related to budget allocation. The amount of data obtained is on the scale of terabytes, which, in the hands of the right companies, had significant potential in terms of economic competition.

2016-2020

China’s 13th FYP (Five-Year Plan) has marked a further turning point for the Chinese economic model, focusing on qualitative as well as quantitative growth. The “Made in China 2025” strategic plan [42], signed in May 2015 and highlighted as a key factor for the country’s future, was implemented to strengthen Chinese industries and renew the model based (until now) on low-cost labor. Chinese industries needed to integrate into a modern market that focused on domestic demand (e.g., urban planning) to fulfill the country’s new industrial independence.

In addition to the 7 industries identified by the previous plan, 5 strategies have been signed for the period 2016-2020:

  1. New high-tech projects in 7 key sectors
  2. Digitalization, Industry 4.0, and robotics
  3. Adoption of green energy
  4. In-house production of new materials
  5. Construction of new R&D centers

In addition to the previous ones, new industries have been subjected to state incentives in order to achieve these objectives, including:

  • AI
  • IoT
  • Robotics
  • Agriculture

Despite the 2015 China-US agreement, APT40 continued its activities against the maritime sector, still obtaining raw data on foreign states’ shipbuilding and maritime trade treaties.

APT10 [43][44] (a.k.a. Stone Panda, Red Apollo; first appearance between 2003 and 2006) increased its capacity and operational infrastructure in 2016. In the second half of the same year, Stone Panda started the operation later called Cloud Hopper [45][46].

APT10 compromised several MSPs (Managed Service Providers, third-party companies that maintain companies’ IT services, allowing them to focus on their core business) and cloud services, allowing them to access multiple organizations with a single intrusion. After the intrusions, the attackers filtered out the organizations supported by the companies in question, focusing on the following sectors:

  • Construction and Engineering
  • Life Science
  • Technology
  • Energy
  • Metals
  • Industrial Manufacturing
  • Public and Government Sector

The targeted countries were the USA, Canada, Brazil, Australia, South Africa, Sweden, Switzerland, the Nordic countries, France, the UK, India, South Korea, and Japan. Japan, in particular, also received direct operations without third parties, using pretexts and ad-hoc decoy files. As is now clear, the operators infiltrated the networks of their intended victims using MSP/Cloud Services access to exfiltrate data, intellectual property, and trade secrets. According to analysts, APT10 had access to potentially thousands of victims thanks to this operational tactic.

Cloud Hopper operators carefully selected the files to be exfiltrated, avoiding a hasty approach. Customer/private citizen data was not affected, prioritizing internal or strictly government-related documentation.

Source : BaeSystems

APT27 made its direct contribution in 2016 by targeting energy-sector companies and drone construction companies in the EU [47], effectively extending Operation Iron Tiger, which began in 2010, with similar but more advanced TTPs. Emissary Panda was also credited with the attack on the ICAO (International Civil Aviation Organization, a United Nations agency) headquarters in Montreal [48][49][50], intercepting file uploads via watering holes. Two independent investigative bodies have confirmed that the entire ICAO network was at the disposal of the Chinese-sponsored threat actor. The ICAO initially kept the attack secret from the public, but it was later revealed by the BBC through documents they obtained.

2021-2025

With the 14th FYP released by the CCP, after all the efforts to modernize domestic industry, the Chinese party decided to pursue the strategy of Dual Circulation [51][52][53]. The Chinese government has set itself the goal in these 5 years of boosting domestic demand while maintaining the openness to the global market that has always characterized the Eastern continent. These policies also arise from the COVID-19 pandemic, which greatly limited international trade, testing the resistance of export-focused countries like China.

China has understood the hostile nature of the geopolitical scenario to which it must respond in order to maintain its economic position in league with the USA.

The 2018 sanctions adopted by Donald Trump [54] (which, according to the US, were a response to intellectual property theft and other unfair trade practices by China) imposed economic barriers on China, which started the trade war between the two countries that we are still witnessing today.

Removing dependence on exports allows for greater resilience to sudden changes beyond China’s control; this balancing act was considered crucial to the creation of a modern socialist society. The CCP launched this new FYP as a new path for China and its people toward economic and social prosperity.

“high quality development is a top priority in building a socialist modern country…achieving common prosperity…(by) implementing the dual circulation policy.”

Xi Jinping

Green energy continues to play a prominent role within this FYP, which seeks to reduce energy (and water) consumption per unit of GDP, along with a (prosperous) increase in waste recycling rates. A series of objectives is also introduced that can be summarized as “Digital China”, a further digitalization push that covers 5G architectures, digital payments, leveraging digital technologies for governance processes, and tools for society.

The key sectors identified, not very different from the previous ones, for the period 2021-2025 are:

  • Green Energy
  • AI
  • Quantum Computing
  • Semiconductors
  • Infrastructure
  • BioTech
  • National Security

In 2021, one of the most invasive actors, not only among those of Chinese origin but among all APTs, Silk Typhoon (a.k.a. Hafnium), entered the game with a campaign against Exchange servers via four 0-days that were not yet identified at the time [55][56]. This campaign was not focused on specific industrial sectors but on a more scattered victimology that was less adherent to the FYP than in previous years.

The affected sectors include defense, infectious disease research (including COVID-19), technology, NGOs, and academia. Analysis has revealed an impact on at least 30,000 organizations (with analyses pushing the number up to 250,000 victims [57]) in the US that were infected with web shell malware via vulnerabilities to allow attackers to access them. After initial contact, the actors gained access to emails and files that were subsequently exfiltrated via MEGA upload. The campaign first emerged in January 2021, with initial discoveries in March.

This actor’s access to the defense sector is interesting, with data containing information relevant to the development of the sector in Western countries and aligning with the CCP’s call for a greater emphasis on national security. This focus also has relevance for the digital sector, given that the Chinese government has identified cybersecurity (understood as both an offensive and defensive tool) as a key aspect for achieving a level of resilience to external threats. The key word is Technological Self-Reliance, which encompasses not only the traditional digital world but also biotechnology (repeatedly mentioned in previous FYPs) and the development of technologies without (or with minimal) support from foreign markets. Hafnium’s Exchange campaign covered a large portion of these sectors thanks to the use of zero-days, which allowed large-scale access to this specific victimology.

China is increasingly pushing for strategic and technological dominance, with offensive operations playing an important role in maintaining these gains.

APT41 has remained active throughout the past FYPs and has not been idle in the 2021-2025 timeframe either. Double Dragon has refined its technical capabilities and used them against the healthcare sector, including pharmaceuticals [58][60]. The methods remain more or less unchanged, with initial contact via spear-phishing, watering hole or supply chain, after which the actors manage to move within the networks. One of the recognized victims in the 2021-2022 period was the Animal Health Reporting Diagnostic System, where an organization’s webapp was compromised (0-day); this webapp was used by the government for tracking infectious animal diseases [61]. This operation allowed (1) access to health data including PII and potential (2) access to government networks using this application. Private healthcare organizations were also impacted in this period.

Chinese threats have not been limited to traditional sectors and are increasingly targeting high-level figures and increasingly specific fields. An interesting case is the access attempts perpetrated by APT15 against SentinelOne between 2024 and 2025 [62]. Fortunately, the company successfully countered the threat, managing to avoid breaches or other types of impact on their networks. Through intermediate access to companies and government bodies, the attackers attempted to abuse SentinelOne resources in order to move within the company’s assets. Furthermore, attempts to compromise SentinelOne stakeholders who offered hardware logistics services have been identified, leading to the hypothesis of attempts to poison the supply chain. The motivation of this target is unclear, but among the various hypotheses are those of data theft to understand the functioning of software/technologies for digital defense, which would fall within the objectives of Chinese “resilience” in a cyber perspective.

This last example demonstrates how there are no limits for national/state actors (unlike ransomware, which focuses on small/medium-sized businesses) and that, having virtually infinite resources, they can afford to persist on single targets regardless of their size or nature.

2026-2030 – What to expect?

All the examples cited above serve to highlight, with some factual examples, how the FYP provides guidelines not only for Chinese industries and the domestic market, but also for its APTs. Staying up-to-date on the current FYP provides additional insight into victimization that could be beneficial to Chinese threats impacting both the West and its neighbors in the East.

Obviously, there is not enough evidence to even hypothesize a list of key sectors; however, a preliminary study for the 15th FYP was carried out in December 2023 by the Chinese National Development and Reform Commission (NDRC) [63]. The NDRC underlined that the Chinese socio-economic fabric still has numerous bottlenecks (such as those in energy with respect to the Carbon Neutrality required by the CCP) to be resolved in order to face the challenges of the next five years, requiring analysis and planning in advance compared to the past.

In addition to energy, the commission identified a need to further promote growth in the private sector, which has not yet fully balanced the domestic and foreign economies. Finally, according to the NDRC, northern China will need to have several projects allocated for the development of agricultural land supported by new technologies.

Xi Jinping has always declared that technological development must be the key to the country’s economic stability; the Trump administration’s tariffs could accelerate “new” sectors (AI, Quantum Computing) that can support other sectors that China is trying to make independent from foreign states (such as agriculture, medicine, and technology).

“it is essential to proactively assess how changes in the international landscape affect China and to adapt accordingly by adjusting and optimizing the country’s economic structure”

Xi Jinping [64]

Despite an independence plan driven primarily by a circular economy (not yet achieved), China confirms the need to maintain a role in the international market, the key to which is the healthcare sector.

China has a big problem with the older part of the population who have been subjected to various diseases, many of them chronic. This obstacle makes it difficult to care for and provide healthcare [65][66] to this part of the population and, in part, motivates all those campaigns in the health-pharmaceutical sector.

Furthermore, Xi Jinping himself has expressed interest in obtaining a strategic position for global health by incentivizing research and resources in this sector since the years of COVID-19 [67][68]. Focusing on this sector as a global trading commodity allows for a continuous flow from outside and at the same time an excellent soft-power factor for political resolutions. Let us remember that while the USA has stopped direct funds to the WHO (World Health Organization), China has instead donated further economic resources trying to mitigate the shortcomings on the US side [69].

This brief analysis, combined with the study of APT behavior, helps to hypothesize further interest in healthcare facilities that could be subject to Chinese APT campaigns. Unfortunately, the healthcare sector is not excellent in cybersecurity, and actors with espionage interests can exploit this shortcoming to their advantage, which is then translated (in the case of China) into economic and political gain.

China’s (Dual) Foreign Policy

In the previous section, we addressed only campaigns that showed signs of economic interest, deliberately ignoring all politically motivated operations. It’s difficult to draw a clear line between these two worlds, which, obviously, tend to blend together, making such a distinction merely theoretical. In this section, we’ll attempt to address campaigns with clear signs of political espionage, propaganda, disinformation, and influence.

ASEAN Countries – Between saying and doing…

Let’s start with China’s neighbors, specifically those with whom it shares the South China Sea, the ASEAN countries. As discussed in the previous section, control of these waters provides significant economic power, as well as being an important asset for the defense of the countries bordering this sea.

In this, China has had a dual approach (now typical of the Chinese political elite) in dealing with political disputes of this kind, on the one hand encouraging an approach of mutual trust [70] and on the other giving visibility to its privileged position compared to its neighbors [71]. The tensions in this blue territory have their origins in the very broad territorial declarations by China which was criticized for “salami-slicing” [72] by several international bodies.

“Salami-slicing” refers to a series of small actions, carried out over time, that gradually escalate in an attempt to appear less threatening than monolithic movements. The code of conduct discussed in the previous chapter was a promise to avoid escalation by prioritizing diplomacy.

China has no intention of stopping its efforts to obtain recognition for this rich commercial territory and has opted for a hybrid and “subtle” approach along with more “muscular” methods [73]. Also in the previous chapter, we can note a notable number of NGOs and political think-tanks targeted by various APTs. Since there is no (apparent) economic reason, it remains only to read them from a political perspective.

The “Confucius Institutes” are cultural associations outside of Chinese territories where cultural promotion takes place, as decided by the programs of the Chinese Ministry of Education. In these environments, exchange programs are sponsored for students and non-students, sharing the Chinese model and their cultural-political vision. These centers have created controversies due to the change in public perception on China’s political and economic influence, and the dispute over the shared sea with ASEAN countries included [74].

Some political think-tanks denounce the use of these cultural centers to meet China’s sole benefit in this political conflict [75][76].

As far as NGOs are concerned, however, they are not far from these controversies. China has been accused of illegal fishing activities in waters far from its maritime borders [77][78], and NGOs play a role in tracking these unregulated activities [79][80]. Without further information on the matter it is difficult to find further reasons, but certainly the role of NGOs is not appreciated by the Chinese giant, which has always expressed the need for a total absence of any external or non-governmental actor in those areas, accusing NGOs of providing potential material for espionage on behalf of other countries [81].

Now that we have made sense (editor’s note: this could be incorrect and based on limited public sources) of these two unresolved victimologies, we can move on to some interesting cases where Chinese actors have been implicated in espionage and political influence operations.

Espionage campaigns by countries like Malaysia, Vietnam and the like have been present for at least 10 years [82] reconfirming a persistent interest in digital attacks trying to dance on the line set by the code of conduct signed in 2002 avoiding conventional military escalations.

In addition to the previously mentioned APTs, Billbug has marked the territory of Southeast Asia with attacks on critical infrastructures and government agencies [83][84], with increasingly damaging actions, especially for the control of Internet traffic [85] in this area, creating damage to the national security of the victims in question. To date, Billbug shows no sign of stopping its actions in this region of the world.

The threats also go beyond simple APTs to include actual clusters [86] of actors in operations against South Asian governments with presence within the networks for several years before being discovered and removed.

Source : Sophos

The countries that must share the blue territory of Southeast Asia must not only coexist with Chinese-led APTs but also with propaganda being repurposed in various forms. Managing to control and/or manipulate public opinion by attempting to foster the CCP’s influence is accomplished in a subtle and much less direct manner than in other nations.

In mid-2024, a deepfake audio, accompanied by a series of images of Chinese ships, of Ferdinand Marcos Jr (president of the Philippines) circulated in the Philippine territory [87]. In this audio, the (fake) president performed a sort of call to arms against an unspecified nation. The name “China” was not present in the audio but the correlation could have been easily arrived at given the recent tensions (always in a “salami-slice” style) [88] on the part of China in the usual disputed waters.

The Philippines was not an isolated episode, as it is a fertile territory for Chinese disinformation [89][90]. The use of covert accounts and deepfakes has effectively put criticisms into the president’s mouth regarding the collaboration between the Philippines and the US, as well as pushing forward a narrative of an unstable and indecisive government [91][92]. Interference with the recent elections (May 12, 2025) has been attributed to actors linked to the Chinese government [93]. President Marcos has always been distinguished by his firm position against Chinese maritime expansionism, his collaboration with the US and the request for a global “break the silence” on the South Asian sea [93][94][95][96]. Despite Marcos’ victory in the elections, his result (6 out of 12 seats in the Senate) was below expectations, with tensions with Vice President Sara Duterte contributing to it.

Disinformation and espionage are the digital weapons used in this gradual escalation tactic, where China appears to be pushing its neighbors to their limits. It’s no surprise that this intense territorial dispute remains absent from global discussions, which are, among other things, focused on other conflicts that are much more heated and closer than the one in the Southeast Asia Sea.

China has understood that cyber and hybrid operations are only considered by a niche group and ignored by the rest of the public, making it possible to act with ever-increasing arrogance without attracting attention.

Hong Kong – Digital Lockdown

Disputes over Chinese territorial sovereignty extend beyond purely maritime matters, and the situation between Hong Kong and China is a prime example. In 1997, Hong Kong, a former British colony since 1842, was returned to China as a SAR (Special Administrative Region). This means that Hong Kong retains a certain degree of autonomy while China continues to maintain territorial and political sovereignty. Avoiding the more complex issues, Hong Kong maintains control over:

  • Economic Policy
  • Taxation
  • Education
  • Healthcare
  • Legislative and Judicial System
  • Government Structure and Executive Power

China, on the other hand, has control over (mainly) these aspects of Hong Kong:

  • Defense and National Security (understood as China’s national security)
  • Distribution and Use of Economic Funds
  • Creation of New Industries and Economic Zones
  • Foreign Policy
  • Cultural and Social Integration

Obviously we are faced with a complicated situation, especially given the various protests by the citizens of the SAR. The best-known events are the Umbrella Movement (2014, request for greater transparency in democratic processes) [97] and the series of pro-democracy protests that started in 2019, which forced China to impose national security laws in 2020.

Here we are faced with a major thorn in the side of the dragon: the political dissidents. Jimmy Lai [98] can be considered the Hong Kong “Khodorkovsky” [99], a pro-democracy businessman and politician whose firm opposition to the CCP led to arrests and several charges of fraud.

APT31 [100] (a.k.a Judgment Panda) has been known for its operations against dissidents and critics of the Chinese government. The group has been accused and sanctioned by the US for its operations against US and UK entities, politicians and NGOs [101]. Researchers have discovered a campaign of infiltration and espionage that lasted at least 10 years with a wide variety of victims. Among these, the campaigns attributed to operations in response to the 2019 Hong Kong protests stand out, impacting the various actors involved (including those belonging to the Umbrella Movement and Amnesty International). England is one of the states that strongly condemns the Chinese actions of repression on political and civil rights in Hong Kong [102][103], together with the US [104][105] and other European states [106][107], which have been the target of this series of operations. The information obtained through APT31 is not only used to track dissidents and critics but also to gain insight into the reactions of various countries following the introduction of the national security law and subsequent protests.

APT41 (DoubleDragon) also contributed by focusing on the Hong Kong government sector [108] as part of a larger operation called CuckooBees [109] between 2021 and 2022. Winnti’s presence in key Hong Kong entities allows for significant political control by monitoring the autonomy that Hong Kong enjoys in its SAR nature.

A large part of the activists and dissidents come from the university world which, thanks to Hong Kong’s autonomy in this regard, offers fertile ground for pro-democracy movements [110][111]. Obviously APT41 has also played an important role in monitoring these environments [112].

In addition to typical APT movements, large-scale DDoS campaigns have been carried out in an attempt to hinder the movements of various activists in Hong Kong [113][114]. In particular, the LIHKG (Reddit-like) forum was a victim; LIHKG was recognized as a key tool for organizing protests [115].

What are China’s policy statements regarding the situation with Hong Kong? Initially, China promised the “one country, two system” framework, which was formalized in the Sino-British Joint Declaration [116]. China’s promise included maintaining the existing economic system and ensuring social, legal, and economic autonomy. Despite the transfer of popular sovereignty to China, civil rights were to remain intact with no political coercion or influence. The framework is to be maintained until 2047 (50 years), after which China will have complete authority over Hong Kong and be able to fully integrate it into the Chinese nation.

The pact remained intact until Xi Jinping and his administration took over the CCP leadership, tightening its grip on Hong Kong’s opposition and emphasizing that “the beginning of true democracy” [117] came when Hong Kong became Chinese territory. The promise made in ’97 began to falter after the protests of 2020 (25th anniversary of the transition from British colony to Chinese SAR) when Jinping declared that the political power of the SAR must belong to “patriots” and prevent it from “falling into chaos” [118]. Since 2020, APT activities have become more cumbersome and burdensome in addition to the draconian national security law imposed on Hong Kong and the limitation of protest movements.

The relationship between Hong Kong and China also extends to the UN and Western countries (in addition to NGOs, always targeted by Chinese digital actors) making the issue a subject of criticism towards the Eastern country. The use of APT is fundamental to diminish the degree of autonomy granted to Hong Kong offering China a strong advantage of repression and gradual change of identity [119] desired by Beijing.

Taiwan – Sword of Damocles

Of course, one cannot discuss Chinese foreign policy without mentioning Taiwan. Even those least familiar with Eastern geopolitics are aware of the strong tensions between the two countries. Also known as Taiwan Province, the PRC formally considers it a Chinese province, though it has never controlled its territory. Furthermore, despite having its own army, currency, and government, it is not considered a sovereign state by the international community.

Taiwan has always fought to be recognized as an autonomous entity by the rest of the world’s nations, which remains an open and deeply felt debate both in China and on the island. The United States of America supports (de-facto) Taiwan’s democratic and autonomous system while maintaining diplomatic relations with China, recognizing the “One China” policy [120]. A game on a razor’s edge where all the nations involved measure their declarations and actions to discourage a kinetic military escalation.

Again according to the “One China” principle, the PRC cannot have formal relations with Taiwanese entities and recognizes a potential formal declaration of independence or foreign intervention in this regard as a red line for the use of military force. Obviously, given its geographical location, Taiwan is not exempt from Chinese aggression in the South China Sea, which further complicates the foreign policy of other countries (such as the USA) in those areas [121]. Last but not least, there is the production and export of semiconductors, thanks to a thriving industry which dominates the world market [122][123][124].

On the digital battleground, Taiwan presents a multifaceted scenario with a high density of activity by Chinese APTs, with reports of infiltration attempts and almost daily scans [125][126] in various Taiwanese sectors. Covering the entire history of the digital war between the two factions would require a separate article but we can focus on the current scenario (2020 onwards) to understand the CCP’s intentions regarding the situation with Taiwan.

Digital aggression on Taiwan is impacting several Taiwanese critical infrastructures, with a new APT discovered in 2023 focused solely on Taiwanese territory, UAT-5918 [127][128]. The peculiarity of this APT is its motivations, which distance themselves from those of traditional APTs (e.g.: data theft, espionage, sabotage): UAT-5918 infiltrates critical infrastructure networks to maintain long-term persistence while avoiding causing damage or getting noticed through noisier actions. If the victim hosts web applications, the APT operators distribute webshells in ASP or PHP, hiding them in web directories (SparrowDoor and CrowDoor).

Critical infrastructure included :

  • HealthCare
  • Telecommunications
  • ICT

We can see how the compromises of these sectors impact civil society and not military apparatus. This is where Volt Typhoon comes into play. Among the various attacks, the most interesting for this section is the attack on critical infrastructure in Guam [129] (a US territory in Oceania).

Using the same tactics as UAT-5918, Volt Typhoon penetrated and achieved persistence (with access to OT networks) without further interacting with the systems. Not only Guam, but also other continental and non-continental US territories fell victim to Volt Typhoon. Obviously, the US did not release the exact territories, but we can note that most of these (14 in total) are present in Oceania.

Furthermore, in the advisory on the matter, the USA directly draws the attention of Canada, Australia, the UK and New Zealand to the Volt Typhoon threat. All these states are stable partners with whom they have official diplomatic relations and, despite there being no mutual defence pact, political, economic and cultural relations remain very strong [130][131][132][133][134].

In this case the affected infrastructures fall within the following sectors:

  • Telecommunications
  • Transportation
  • Water Systems
  • Energy

In particular, the transport and telecommunications sectors in those territories (as well as the continental ones) would be of fundamental importance for potential military logistics.

Another actor that has executed campaigns to gain persistence in critical networks is UAT-7237 (attributed to be a subgroup of UAT-5918) responsible for attacks against Taiwanese web infrastructures [135][136] with the same goal: long-term persistence on high-level targets (not named).

At first glance, it may be difficult to understand why persistence would be maintained as an objective in itself, without stealing data or disrupting networks. China’s approach to Taiwanese civilian infrastructure and its allies’ logistics infrastructure is a tactic that can be intensified for potential military operations on Taiwanese soil.

Other countries (including the US [137]) have considered persistence in critical systems to be maintained and used in conjunction with more traditionally considered operations; China is simply adapting to modern times. Given China’s “red line” and its never having taken the possibility of military force on Taiwan off the table, having access to critical infrastructure would allow for swift and effective military campaigns.

Several analyses have led to the same conclusion that a hypothetical China-Taiwan clash could begin with an invasion (by the Chinese) with a high level of force preceded by a short warning [138][139]. If we add to this that access to critical infrastructures would allow confusion among the population and slow down hypothetical foreign reinforcements, the risk for Taiwan would increase, causing its defenses to collapse.

It’s not assumed that China is preparing to attack (persistence in critical infrastructure could have been used if China crossed the “red line”), nor that Taiwan’s partner states would deploy their forces to defend the island. What is being asserted is that if China wanted to invade Taiwan, it would have to do so as quickly as possible, considering all possible deployments of foreign forces, and that to achieve this, it is using its APTs to maintain a time advantage through the combination of kinetic and digital forces.

In the case of Taiwan, APTs are not simple actors that impact the country’s industries and economy but real military as well as political adversaries. Taiwan’s cyber resilience is fundamental for its defense apparatus. All this is accompanied by operations that, although more “traditional”, remain numerous and effective. Through supply chain attacks, APT10 maintained persistence for (at least) 18 months in the Taiwanese financial sector [140] by obtaining information on brokers and investments in a period of economic growth. Taiwan’s leading sector (semiconductors) which allows it to have a geopolitical weight continues to be a subject of interest for Chinese attackers [141] and even the government research sector [142].

China is playing the role of the shark swimming around its victim, and it is no surprise that this same behavior extends from politics to the behavior of its APTs, which demonstrate a versatility that should not be underestimated.

Europe – New Eyes, Same Tiger

In recent times, several Chinese attackers have appeared on the doorstep of Europe and other Western countries, sparking a debate on whether or not China should be considered an enemy for the Western world. The US suffered one of the largest cyber espionage operations in history to date [143] [144] carried out by Salt Typhoon. The same APT carried out a similar operation (but on a smaller scale, impacting smaller providers) in the Netherlands [145] [146].

In the Dutch case, no infiltrations were detected, but only the control of perimeter devices and routers belonging to different organizations without receiving any direct impact. Chinese actions did not go unnoticed and led a whole series of Western and non-Western countries to publish a Joint Cybersecurity Advisory through their national security organizations (including the Italian AISI and AISE) to counter Salt Typhoon and similar operations.

China’s peculiar interest in accessing Western telecommunications systems is difficult to explain, but it may be similar to the content covered in this article. As previously stated, China is aiming to become a “cyber superpower,” and the CCP has always sought to assert its territorial and political sovereignty with a muscular and provocative approach. Beyond the obvious implications of spying on citizens and politicians, cyber operations on Western soil convey a message of power and influence over the digital landscape as a political and military weapon.

Furthermore, given the strong connection between military tactics and those of Chinese APTs, access to telecommunications systems allows for the mapping of national networks, providing a significant advantage for future operations.

The latest events are not an isolated case and China has for some time shown interest in the European digital territory. In 2023 the European CERT warned organizations in all 27 states about the sustained presence of multiple Chinese APTs [147] responsible (mainly) for the theft of sensitive data/intellectual property. In the same year APT31 carried out a complex and sophisticated data theft campaign within air-gapped networks in Eastern Europe [148].

In 2024, Chinese actors carried out the majority of global APT campaigns (according to ESET [149]) and further expanded their efforts to the EU.

Apparently China initially maintained its interest in Eastern Europe, the key example being in 2022, when APT31 infiltrated the emails of the Foreign Minister of the Czech Republic [150]. In 2024-2025 this trend of intrusions and espionage has intensified on the government and industrial sectors with increasingly sophisticated and creative campaigns [151].

In Europe the main threats are APT31, APT27 and Mustang Panda which gradually continue to increase their offensive capabilities.

Despite the economic improvement, China continues to have a problem of overproduction in its companies (especially state-owned ones) [152] [153] and Europe presents a safety valve thanks to its heterogeneous and large market.

The CCP must target Europe as a fixed trade hub, maintaining stable trade flows. Industrial espionage on the one hand and political espionage on the other allows for access to inside knowledge within Europe that can be used for lobbying and foreign policy purposes. The tariffs imposed by the Trump administration could assist the Chinese giant in the economic conflict in Europe.

To achieve its goals, China must prevent Europe from speaking with “one voice” and exploit internal rifts between the various states to advance its bilateral agenda. Access to virtually all communications in Europe would allow it to anticipate potential disagreements between two or more European states and exploit them to its advantage.

The Huawei scandal in Europe (which forced the MEP to grant immunity to 4 parliamentarians accused of corruption [154][155]) demonstrates how China wants to penetrate deeply starting from the very top. Today China is facing opposition from Europe [156] and its systemic support for Russia in a time of conflict is certainly not helping to create harmony between the two worlds [157][158].

By marking Europe’s digital territory, China is positioning itself as a cyber threat interested in communications between different states in an effort to effectively address China’s bilateral trade, which requires an import market like Europe’s to sustain its economy.

The capabilities of Chinese actors can undermine Europe’s internal economic processes, creating an industrial as well as political disadvantage. In a situation of uncertainty about Europe’s future, the deployment of digital forces could allow them to penetrate the European political and economic fabric, with consequences that may not necessarily be consistent with the EU’s interests.

Tai Chi and Ransomware

Thanks to the above content, we’ve learned about the extreme flexibility and operational capabilities of Chinese actors, ranging from expertise to data theft in extremely heterogeneous environments. The relationship between these APTs and the world of ransomware is interesting, proving to be an excellent tool for concealing Chinese activities.

Several Chinese APTs have used ransomware families to encrypt their victims. After obtaining data and files of interest, the group would launch this type of malware as a “smoke screen”, complicating the incident response and forensic phases. Furthermore, their “low-and-slow” approach to espionage is now clear, with persistence on victims extending for months and even years after initial entry.

It may seem contradictory, but the use of noisy malware like ransomware in state-sponsored campaigns is motivated by OPSEC. If we consider the traces left by attackers as dots to be connected to create a pattern, there are several ways to prevent the blue team from reconstructing their actions or identities :

  1. Avoid leaving dots
  2. If unavoidable, avoid facilitating connections with previous ones.
  3. Add unrelated dots

Point 3 is crucial to understanding the use of ransomware in espionage activities. Once the main objective (e.g., espionage) has been achieved, the use of ransomware allows for two advantages: (1) it tampers with evidence of espionage operations and (2) it forces the victim to perform operations to safeguard and continue business processes by creating confusion as to which information has been stolen.

Furthermore, using the ransomware brand as a “mask” is an excellent way to confuse the victim as to the true impact on their organization. The pressure resulting from ransomware forces victims to restore network functionality, overshadowing the reconstruction of the attacks.

Chinese APTs have understood that it is better to be loud but pass as a “simple” actor motivated by profit than to be completely stealthy and risk leading the victim to realize their true intentions.

APT41, now a cornerstone of the Chinese scenario, in its first interventions in the video game industry used a previously undetected ransomware (presumably created by APT41 itself) asking for a small ransom compared to the global trend [159]. This tactic has remained in DoubleDragon’s operational portfolio even in more recent events [160][161].

Since 2021, APT27 has also been involved in ransomware operations [162] as part of larger cyberespionage operations lasting even years before encryption was used.

The real spearhead of this masking technique is undoubtedly ChamelGang (a.k.a CamoFei) [163][164], which has focused on critical infrastructures since its discovery in 2019. ChamelGang’s victims include both public and private sectors, with sectors similar to those of the FYP in place. Over time CamoFei has paid greater attention to the healthcare sector, without sparing the use of ransomware after espionage operations [165][166].

Beijing is setting a new standard in digital warfare and espionage by incorporating digital crime tools into operations aligned with state interests [167][168][169]. This methodology teaches us to have a more subtle reading of ransomware attacks by demonstrating how criminal profit tools can be supported by domestic actors.

Mask Off – Taxonomy of threats

Summing up the different aspects of Chinese digital threats reveals a prolific and sophisticated offensive dimension at an industrial level. Russia has exploited its internal criminal scene to recruit actors to exploit for national motivations [170][171], while Iranian APTs are mainly linked to military and security apparatuses such as the IRGC (Islamic Revolutionary Guard Corps) [172][173], as are the North Korean ones [174][175].

China, on the other hand, manages to distinguish itself also in the taxonomy of its APTs and its members. As an initial example, we can take the case of I-SOON [176]. I-SOON is a Chinese (private) company that had strong relations with the Chinese government, to which it sold a good part of its products and services.

I-SOON suffered a leak (February 16, 2024) of a long series of documents, chats and internal information that revealed the activities offered by the company [177], including APT-for-hire services [178]. In particular, the analysis of the contents of the leak showed how I-SOON had advertised software and malware used by APT41 in previous campaigns and that it had a legal dispute with another company called Chengdu 404 [179]. Some employees of Chengdu 404 have been identified as APT41 operators by the FBI [180][181], which underlines that the operations of these employees were carried out during their period of employment [182].

In addition to the other services of I-SOON and Chengdu404 (which included surveillance and monitoring of Chinese social networks), it is clear that these two companies, both with state contracts, were part of a network that made up the entire apparatus that we identify as APT41.

Before adding further examples of companies that have offered their services, effectively becoming digital weapons for the Chinese government, let’s draw our attention to some analyses carried out by various analysts regarding Chinese APT operations from some sources cited above.

  • The typical working hours in China for tech workers is a “996” work schedule (9:00 a.m. to 9:00 p.m., six days a week), which is consistent with APT41’s operational activity observed over time.
  • we have observed the threat actor conducting interactive activities primarily between the hours of midnight and 10:00 UTC […]. When converting this to UTC+8 we again see a shift to Chinese business hours, with operations occurring between 08:00 and 19:00. It is a realistic probability that the weekend work observed […] may be necessary as part of operational requirements. The sum of this analysis aligns with the evidence provided by the United States Department of Justice indictment against several individuals associated with APT1 another China based threat actor, showing a working day starting at 08:00 UTC+8 and finishing at 18:00 UTC+8 with a two hour lunch break from 12:00 UTC+8 until 14:00 UTC+8.
  • Emissary Panda is most active during the Chinese work day — between noon and 5 p.m. local time in China.
  • APT41’s “working” days are Monday to Friday. They usually start at 10 AM and finish around 7 PM (UTC+8).

Even more interesting is the graph below:

Source : Mandiant (ex FireEye)

The operating hours of several APTs coincide with those typical of Chinese workers. For purely for-profit operations [183] (advertised in various forums), there is instead a shift towards night hours outside the working day.

The time factor should not be underestimated and helps us to understand the shadow behind Chinese APTs by showing that they are not “out-of-the-box” individuals, but rather integral parts of the country’s technical-industrial fabric. As we discussed in the first section, the Chinese government is present in various forms within companies, particularly those identified in key sectors.
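The working-hours comparison quoted above can be reproduced on any set of activity timestamps. The following is an added example, not code from the cited reports or from the author: it converts UTC timestamps to a candidate offset, measures the share of activity inside a Monday-to-Friday 08:00-18:00 window, looks for a midday gap, and ranks every UTC offset by fit. The function names and the sample timestamps are constructed for illustration.

```python
from collections import Counter
from datetime import datetime, timedelta, timezone


def to_local(ts, offset_hours):
    """Parse an ISO-8601 timestamp and shift it to the candidate UTC offset."""
    dt = datetime.fromisoformat(ts)
    if dt.tzinfo is None:
        dt = dt.replace(tzinfo=timezone.utc)  # assumption: naive timestamps are UTC
    return dt.astimezone(timezone(timedelta(hours=offset_hours)))


def longest_quiet_run(active):
    """Longest run of empty hours between first and last active hour, as (start, end)."""
    if not active:
        return None
    best, start = None, None
    for h in range(min(active), max(active) + 1):
        if h in active:
            start = None
            continue
        start = h if start is None else start
        if best is None or h + 1 - start > best[1] - best[0]:
            best = (start, h + 1)
    return best


def profile(timestamps, offset_hours=8, day_start=8, day_end=18):
    """Summarise activity as seen from one UTC offset (default UTC+8, 08:00-18:00)."""
    local = [to_local(t, offset_hours) for t in timestamps]
    office = [d for d in local if d.weekday() < 5 and day_start <= d.hour < day_end]
    hist = Counter(d.hour for d in local)
    n = len(local)
    return {
        "total": n,
        "hours": [hist.get(h, 0) for h in range(24)],       # hour-of-day histogram
        "office_share": len(office) / n if n else 0.0,       # Mon-Fri, inside window
        "weekend_share": sum(d.weekday() >= 5 for d in local) / n if n else 0.0,
        "lunch_gap": longest_quiet_run({d.hour for d in office}),
    }


def rank_offsets(timestamps, **window):
    """Rank every whole-hour UTC offset by how much activity looks like office work."""
    scores = [(off, profile(timestamps, off, **window)["office_share"])
              for off in range(-12, 15)]
    return sorted(scores, key=lambda s: s[1], reverse=True)


def constructed_sample():
    """Constructed (not real) UTC timestamps of interactive operator activity."""
    monday = datetime(2024, 3, 4, tzinfo=timezone.utc)
    events = []
    for day in range(5):                        # Monday to Friday
        for hour in (0, 1, 2, 3, 6, 7, 8, 9):   # 08-11 and 14-17 at UTC+8
            events.append(monday + timedelta(days=day, hours=hour, minutes=7 * day))
    events.append(monday + timedelta(days=5, hours=2))               # Saturday shift
    events.append(monday + timedelta(days=2, hours=15, minutes=30))  # late-night outlier
    return [e.isoformat() for e in events]


if __name__ == "__main__":
    sample = constructed_sample()
    summary = profile(sample, offset_hours=8)
    print("office share at UTC+8:", round(summary["office_share"], 3))
    print("midday gap (local hours):", summary["lunch_gap"])
    print("best-fitting offsets:", rank_offsets(sample)[:3])
```

An offset is shared by many places (UTC+8 covers several countries) and timestamps in logs or binaries can be altered, so a result like this is supporting evidence to weigh alongside other indicators, not an attribution on its own.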

This ecosystem differs significantly from other states such as Russia, Iran, or North Korea, creating an extremely fertile ground not only for new players but also for operational capabilities supported by strong industrial R&D. Corporate capabilities are combined with national objectives, creating robust and persistent threats.

Other companies such as Wuhan XRZ (attributed to APT31 [184]) and Integrity Tech (Flax Typhoon [185]) follow the same operational pattern as the previous examples. It is no surprise that China’s offensive capabilities have grown in tandem with its economy and industrialization.

The 0-day vulnerability research industry is closely linked to attackers hired by the Chinese government [186]. Chinese APTs are renowned for using 0-day vulnerabilities, and they are aided by the government itself, which forces researchers to report this type of vulnerability only to the Chinese state [187].

The origins of this dynamism in the Chinese cybersecurity environment have roots in the 1990s with the hacktivist movement “Red Hackers” (also called “Honkers”) [188][189] who created environments for the growth of talent in the sector. Subsequently, the change in the economic plan and the merger between public and private sectors desired by Xi Jinping allowed these individuals to be professionalized for the creation of an industry that then generated the APTs we have discussed.

Source : RUSI

The Chinese economy plays a key role in its offensive capabilities and Xi Jinping’s policies are moving towards independence oriented towards domestic recirculation to make itself resilient towards the outside, protecting its industries and industrial growth. China is also protecting its APTs which are now essential for both military and intelligence purposes.

China is currently focusing on the growth of infosec talents by discouraging them from participating in foreign events [190] and by creating domestic realities for this type of target [191][192]. The prospects are not very clear, given the opacity towards the outside, but clearly China wants (and in a certain sense, must) maintain its current position in the digital field in order to maintain its economic and political status in the future.

Conclusions – The drama of Chinese loneliness

In 2017, Vladimir Putin and Xi Jinping met in Kazakhstan, with cameras and press awaiting the meeting between the two leaders. The Russian president, along with his diplomatic staff, appeared before a lone CCP secretary due to a logistical error that delayed the arrival of the Chinese delegation at the table. To break the awkwardness in the room, Putin called his Chinese ally “один воeц” (Russian for “lone warrior”), causing a knowing laugh between the two [193].

This scene is an excellent analogy to the Chinese behavior not only on the international political scene but also on the cultural one which blocks the capacity for understanding, and therefore communication, of this nation with ancient principles but with recent developments towards modernity compared to the rest of Asia [194].

Xi Jinping has not only changed the game on the political, economic or social level but also on the cultural vision that includes in the CCP a mission of “safeguarding civilization” from Western interference [195]. The CCP General Secretary has described a loss of cultural and ideological values in the West along with a deindustrialization in geographical sections such as Europe and the USA.

The turmoil that has occurred in the West has allowed China to perpetuate its economic and influence strategy while maintaining a closure and independence that has made it (apparently) resilient to the consequences of recent geopolitical clashes.

Understanding the nature and origins of Chinese APT operations allows us to gain insight into this nation’s true intentions, which we cannot comprehend (or be understood) beyond political declarations. China’s digital power is being forcefully projected beyond its borders only by closing these borders economically and cyber-wise, creating a fertile domestic environment.

The dragon’s economic improvement was only possible thanks to the obtaining of intellectual property (effectively stolen) through its APTs, which were also fundamental in understanding the West’s weaknesses by compromising telecommunications services.

The fusion of public and private sectors, of digital crime and domestic actors, and of the kinetic and the digital has proven a success for China. However, it is not without its weaknesses. Despite China’s industrial growth, domestic demand remains insufficient, and without export opportunities to markets like Europe, this risks undermining China’s stability.

Jinping’s circular economy plan is becoming increasingly complicated because the closures he imposed come at a time of internal imbalance. The increase in Chinese APT activities in Europe should be understood as an act of scrutiny and understanding, aimed at identifying the right opening. These actions will not directly benefit China’s military or industrial sectors, but rather its foreign policy, which must be effective in this time of need.

The contribution of the Chinese government’s digital attackers demonstrates how, in cybersecurity, technical expertise must be combined with environmental circumstances to understand, predict, and counter future threats.

If the infosec community must interface with the economic-political community, the reverse can also help us understand the direction of other countries that, like China, remain distant politically and culturally. Only time will tell whether Xi Jinping’s approach and his cyber arsenal will be able to align with the CCP’s stated objectives and overcome current obstacles.

China has decided on its course, and its interest in external espionage, with its APTs serving as its backbone, is clear. To date, neither politics nor the economy is immune to the digital landscape, and both are therefore exposed to its threats. Protection from such attacks requires, first and foremost, cyber culture and an understanding of security (both national and otherwise). While many actors are simply driven by profit, others seek to undermine the economy, political structure, and society in which we live.

Alessio Stefan
Member of the Dark Lab group. Love the red color.
