“There are 2 types of companies in the US: those that have been infiltrated by the Chinese, and those that don’t know it yet.”
The Chinese government dedicates significant resources to intelligence operations, including gathering information on foreign agencies, institutions, and individuals. Chinese-affiliated hackers have infiltrated networks at the Department of Commerce, the Department of Defense, the State Department, and the White House. These threat actors have also stolen the health data of millions of Americans. In 2023, Chinese-affiliated hackers were detected using compromised home and small-business routers to mask attacks on US critical infrastructure.
Chinese state-sponsored actors are the most active and persistent cyber threat to the US, and the People’s Republic of China (PRC) is the most capable cyber actor in the region. The PRC Ministry of Public Security (MPS) and Ministry of State Security (MSS) have directed or financed hackers to penetrate high-value targets. Victims have included US-based critics and dissidents of the PRC as well as other Asian governments. The PRC runs cyber operations through an extensive network of private Chinese companies and contractors, since Chinese companies are legally required to cooperate with state intelligence agencies. Stolen personal data on US citizens can be used to train artificial intelligence models that further the goals of the Chinese government, or it can be sold through Chinese data brokers. Identifying and stopping these operations is critical to the safety and security of US-based companies.
Here is a small, non-exhaustive list with brief descriptions of some prominent China-nexus threat actors.
APT1
APT1 is a Chinese hacking group believed to be the 2nd Bureau of the People’s Liberation Army (PLA) General Staff Department (GSD) 3rd Department, operating under the military unit cover designator Unit 61398. Its purview includes military reconnaissance, electronic warfare, and media propaganda, with the main goals being technology transfer and intellectual property theft. In 2012, hackers from APT1 exfiltrated decoy documents from a honeypot system using malware that came to be known as Shady RAT, and used what they learned to move into adjacent systems and spread to other computers and networks. Shady RAT stole information from governments, institutions, companies, and defense contractors. APT1 made no attempt to mask its use of Chinese internet providers and exfiltrated data unencrypted over the File Transfer Protocol (FTP) to servers in China. Lockheed Martin, where information on the F-35 fighter was stolen, is reported to have been one of the early victims.
APT31
APT31 is part of a cyber espionage program run by the Hubei State Security Department of the MSS. The group attacked industrial organizations in South Korea to establish data exfiltration channels and install second-stage malware. It also compromised small office/home office (SOHO) routers to use as proxies, or hop points, between its command and control (C2) servers and target networks. APT31 sent phishing emails containing tracking links that, once opened, reported the target’s location, IP address, network layout, and specific devices back to an attacker-controlled server. These tracking links were sent to government officials around the world who had criticized the PRC government. In more recent operations APT31 has used operational relay box (ORB) networks, meshes of compromised or leased devices that proxy attacker traffic.
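The tracking-link technique described above can be checked for mechanically. The following is an added example, not APT31 tooling and not code from any of the page’s sources: it parses a constructed phishing email, pulls every remote image and link out of the HTML body, and flags the ones that would report back on open or on click. The sample message, the domains in it, the 16-character token heuristic, and the function names are all assumptions made for the demo.

```python
import email
import re
from email import policy
from html.parser import HTMLParser
from urllib.parse import parse_qs, urlparse

# A path segment or query value of 16+ URL-safe characters is treated as a
# per-recipient identifier. The length threshold is an assumption for the demo.
TOKEN_RE = re.compile(r"[A-Za-z0-9_-]{16,}")


class _LinkCollector(HTMLParser):
    """Collect image sources and anchor targets from an HTML body."""

    def __init__(self):
        super().__init__()
        self.links = []  # list of (tag, url, attrs)

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag == "img" and attrs.get("src"):
            self.links.append(("img", attrs["src"], attrs))
        elif tag == "a" and attrs.get("href"):
            self.links.append(("a", attrs["href"], attrs))


def _tracking_token(url):
    """Return the first token-like path segment (extension stripped) or query value, else None."""
    parsed = urlparse(url)
    for segment in parsed.path.split("/"):
        stem = segment.rsplit(".", 1)[0]
        if TOKEN_RE.fullmatch(stem):
            return stem
    for values in parse_qs(parsed.query).values():
        for value in values:
            if TOKEN_RE.fullmatch(value):
                return value
    return None


def find_tracking_links(raw_message):
    """Flag remote resources in an email that can report back when it is opened or clicked."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    body = msg.get_body(preferencelist=("html",))
    if body is None:
        return []
    collector = _LinkCollector()
    collector.feed(body.get_content())

    findings = []
    for tag, url, attrs in collector.links:
        parsed = urlparse(url)
        if parsed.scheme not in ("http", "https"):
            continue  # cid: inline images and mailto: links cannot beacon out
        reasons = []
        if tag == "img":
            reasons.append("remote image: fetched automatically on open, leaks client IP and user agent")
            if attrs.get("width") == "1" and attrs.get("height") == "1":
                reasons.append("1x1 pixel, invisible to the reader")
        token = _tracking_token(url)
        if token:
            reasons.append(f"per-recipient token {token!r} identifies who opened or clicked")
        if reasons:
            findings.append({"tag": tag, "host": parsed.hostname, "url": url, "reasons": reasons})
    return findings


# Constructed sample, not a real message: a lure with a beacon pixel and a tokenized link.
SAMPLE_EMAIL = """\
From: Committee Secretariat <secretariat@example-parliament.test>
To: member@example-office.test
Subject: Updated hearing agenda
MIME-Version: 1.0
Content-Type: text/html; charset="utf-8"

<html><body>
<p>The agenda has been revised. <a href="https://www.example-parliament.test/agenda">View the public agenda</a>.</p>
<p>Full briefing pack: <a href="https://cdn.example-tracker.test/open?id=Z9y8X7w6V5u4T3s2R1q0">download</a></p>
<img src="https://cdn.example-tracker.test/p/aB3dE9fG7hJ2kL5mN8pQ.gif" width="1" height="1" alt="">
</body></html>
"""

if __name__ == "__main__":
    for hit in find_tracking_links(SAMPLE_EMAIL):
        print(hit["tag"], hit["url"])
        for reason in hit["reasons"]:
            print("   -", reason)
```

The benign agenda link is left alone because its path carries no identifier; the two hits both point at a host other than the sender’s, which is the usual shape of a beacon. In a mail gateway this check belongs before delivery, where flagged remote images can be stripped or proxied so the client never fetches them directly.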
Mustang Panda
This threat actor infects targets with PlugX, a remote access trojan widely used by suspected Chinese threat actors. It has conducted campaigns against the UK, Sweden, France, the Czech Republic, Slovakia, Hungary, and Ukraine.
APT10
APT10 is believed to collect intelligence in support of Chinese national security goals and has acted in association with the Tianjin State Security Bureau of the Chinese Ministry of State Security (MSS). It targeted the United States, Japan, and European countries with spearphishing. The group uses zero-day vulnerabilities, publicly available security tools, DLL side-loading, and “living off the land” (LOTL) techniques that abuse legitimate system tools for persistence. In 2018, a US federal court in New York indicted members of this group on charges including conspiracy to commit wire fraud.
APT10 targets organizations in the aviation, satellite, maritime, banking and finance, telecom, consumer electronics, IT, healthcare, and government sectors. It also compromised managed service providers (MSPs) to steal data from their clients in Brazil, Canada, Finland, France, Germany, India, Japan, Sweden, Switzerland, the UK, and the United States. Other targets include Japanese organizations, the NASA Goddard Space Flight Center, and the Jet Propulsion Laboratory.
UNC3886
UNC3886 is a threat actor based in China that attacks defense, technology, and telecommunications organizations, primarily in the US and Asia, including the defense industrial base. The group has deep knowledge of router internals and has developed backdoors for Juniper routers based on the TinyShell malware, staging campaigns that threaten global networking infrastructure. It focuses on stealth, and several of its intrusions have been confined to Fortinet devices and VMware virtualization products. In one intrusion it installed customized backdoors on VMware ESXi hypervisors.
APT18
This group is likely affiliated with the Chinese Navy. It targets human rights groups, governments, and the medical, pharmaceutical, biotech, aerospace, defense, construction, education, engineering, transportation, and IT sectors. It is believed to be responsible for the 2014 theft of 4.5 million Social Security numbers and other personally identifiable information (PII) from the hospital operator Community Health Systems.
APT22
This group has been operating since 2014 and typically targets political entities, the health sector, and Chinese dissidents. One of its techniques is to identify public-facing web servers and upload web shells to gain access.
Space Pirates
Space Pirates is a Chinese-affiliated group, active since 2017, that targets the aerospace industries of Russia, Georgia, and Mongolia. It mounts narrowly targeted attacks preceded by extensive reconnaissance to map the network infrastructure and security systems of its victims. It uses GitHub as part of its C2 infrastructure, which lets operators push updates to implants without redeploying the malware. The group also uses malware common to Chinese-linked groups such as PlugX, PoisonIvy, ReVBShell, DeedRAT, and ShadowPad. It is likely connected to other APT groups including Mustang Panda, APT41, TA428, and APT27.
Salt Typhoon
Salt Typhoon is a Chinese cyber espionage group that compromised the networks of at least nine US telecommunications companies, including T-Mobile, AT&T, Verizon, Charter, Windstream, Consolidated Communications, and Lumen Technologies, stealing call and cellular metadata on a large number of Americans for surveillance purposes. It has been called the worst telecom hack in American history. The group had been operating in US networks for at least two years, and likely had access since 2020. The breach allowed the hackers to geolocate millions of individuals and to record the phone calls of a smaller set of targets, mostly in the Washington, DC area. Salt Typhoon also compromised the lawful intercept systems that law enforcement uses for court-ordered wiretaps, exposing which Chinese operatives were being monitored by the FBI as well as other court-ordered surveillance.
The attack also targeted candidates in the 2024 presidential election and prominent US government officials, including the text messages and phone calls of Donald Trump and JD Vance. The intrusion may have spread between networks by abusing trust relationships between service providers, which operate a “walled garden” security model that treats peers inside the perimeter as trusted. Salt Typhoon’s tooling included the Demodex rootkit, the Derusbi DLL, Scandi, and Underaxe, and the group reconfigured Cisco routers to exfiltrate data. After the attack, the FCC issued a declaratory ruling that telecom carriers are legally obligated to secure their networks against unlawful access, and proposed further rules. Salt Typhoon is also tracked as GhostEmperor, FamousSparrow, and UNC2286.
APT41
APT41 is a Chinese-linked hacking group active since at least 2012, also known as Double Dragon or Wicked Panda. Over a years-long industrial espionage campaign, APT41 exfiltrated hundreds of gigabytes of intellectual property, including blueprints and formulas from defense, manufacturing, energy, and pharmaceutical companies across North America, Europe, and East Asia. The group carries out software supply-chain compromises and frequently signs its malware with stolen code-signing certificates so that it passes as legitimate software.
APT41 also runs financially motivated operations against the video game industry to support itself. It uses phishing to harvest credentials and SQL injection for initial access. Individual members were traced to Chengdu, China, where one of them worked on malware development with the author of PlugX, a piece of malware common among China-linked threat actors. Its LEAD subgroup used the ShadowPad malware against financial institutions, electronics makers, universities, telecommunications providers, NGOs, and government entities. APT41’s intellectual property theft has tracked the priorities of China’s Five-Year Plans, reinforcing the link between the group and the state.
One of its operations, Operation ShadowHammer, infected at least 60,000 computers, with estimates ranging above 1,000,000. The attack pushed a trojanized build of the ASUS Live Update utility, signed with legitimate ASUS certificates, to users in Russia, Germany, France, and Italy. If a computer had a network adapter whose MAC address hash matched a hit list embedded in the malware, the malware advanced to its next stage and installed a remote backdoor. Otherwise it stayed dormant, sending no traffic and performing no actions.
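The MAC-address gate in ShadowHammer is worth seeing as code, both because it explains why so few of the infected machines ever received the backdoor and because defenders can run the same comparison against their own asset inventory. The block below is an added example, not Kaspersky’s analysis code and not the implant: the hit list is constructed from two made-up MACs so the example runs offline, and the canonical MAC spelling that gets hashed is an assumption (the page does not describe the real implant’s normalization).

```python
import hashlib
import re


def normalize_mac(mac):
    """Canonicalize common MAC spellings to 'aa:bb:cc:dd:ee:ff'.

    Accepts 'AA-BB-CC-DD-EE-FF', 'aa:bb:cc:dd:ee:ff', 'aabb.ccdd.eeff' and
    'AABBCCDDEEFF'. The canonical form hashed here is a demo assumption; the
    real implant's normalization is not described on the page.
    """
    digits = re.sub(r"[^0-9A-Fa-f]", "", mac).lower()
    if len(digits) != 12:
        raise ValueError(f"not a MAC address: {mac!r}")
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))


def mac_hash(mac):
    """MD5 of the canonical MAC string: the implant carried hashes, not addresses."""
    return hashlib.md5(normalize_mac(mac).encode("ascii")).hexdigest()


# Constructed hit list for the demo, derived here from two made-up MACs so the
# example runs offline. A real list would be lifted from the implant or an IOC feed.
DEMO_TARGETS = ["00:11:22:33:44:55", "DE-AD-BE-EF-CA-FE"]
HIT_LIST = frozenset(mac_hash(m) for m in DEMO_TARGETS)


def matching_macs(local_macs, hit_list=HIT_LIST):
    """Local adapters whose hashed MAC is on the list, in canonical form."""
    return [normalize_mac(m) for m in local_macs if mac_hash(m) in hit_list]


def should_stage_two(local_macs, hit_list=HIT_LIST):
    """The gate ShadowHammer applied: proceed only if some adapter is on the list."""
    return bool(matching_macs(local_macs, hit_list))


def audit_inventory(inventory, hit_list=HIT_LIST):
    """Defender's use of the same check: which hosts would have been selected?

    inventory maps hostname -> list of MAC strings in whatever spelling the
    asset system exports.
    """
    return {host: hits for host, macs in inventory.items()
            if (hits := matching_macs(macs, hit_list))}


if __name__ == "__main__":
    # Constructed inventory: one host carries a targeted adapter in dash notation.
    inventory = {
        "ws-0017": ["aabb.ccdd.eeff", "de-ad-be-ef-ca-fe"],
        "ws-0042": ["10:20:30:40:50:60"],
    }
    print(audit_inventory(inventory))  # {'ws-0017': ['de:ad:be:ef:ca:fe']}
```

Normalization matters more than it looks: an inventory exported in Cisco dotted form will never match a list hashed from colon-separated strings unless both sides agree on the spelling first. Because the implant shipped only hashes, recovering the plaintext targets means enumerating candidates: for each vendor prefix (OUI) present in an environment there are 2^24 possible adapters, which is cheap to hash exhaustively with MD5.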
Volt Typhoon
Volt Typhoon is a China-linked threat actor disclosed in 2023 but likely active since mid-2021. It has compromised communications, transportation, telecom, energy, and water and wastewater systems. The operation relied on “living off the land” (LOTL) techniques, using built-in operating system and administration tools instead of traditional malware. The objective of Volt Typhoon actors is to pre-position themselves on IT networks so they can move laterally into operational technology (OT) assets and disrupt them when needed.
Volt Typhoon gained access by exploiting vulnerabilities, including zero-days, in public-facing network appliances such as routers, VPNs, and firewalls. After initial access, the actors maintained persistence with minimal activity and re-targeted the same organizations over spans of several years. The KV botnet used in the operation was likely built by a government contracting entity and should be treated as separate from the actors carrying out the intrusions. The botnet, which routed traffic through compromised small office/home office (SOHO) routers, was disrupted by the FBI in January 2024.
Volt Typhoon poses national security-level risk because it targets critical infrastructure at over 200 US entities. It sat inside a Massachusetts electric utility for about 300 days, targeting energy grid operations and spatial layouts. The actors were very stealthy: they were not active on the compromised systems, and instead only checked in every couple of months to confirm they still had access. Volt Typhoon is one of the most sophisticated operations by Chinese-linked hackers and could pave the way for attacks that disrupt US critical infrastructure.
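Living-off-the-land intrusions leave few file-based indicators, so detection has to run over process-creation telemetry and look for the combination of built-in tools rather than any single command. The code below is an added example, not from CISA’s advisory or any of the page’s sources: it applies a small rule set to constructed JSON-lines process events (Sysmon event 1 or Windows 4688 shape) and surfaces hosts where more than one technique fired. The command patterns follow those CISA reported for Volt Typhoon, such as netsh portproxy pivots and ntdsutil IFM dumps of the Active Directory database; the log format, hostnames, user names, and thresholds are assumptions made for the demo.

```python
import json
import re
from collections import defaultdict

# Each rule: (name, regex over the command line). Benign administrators run some
# of these too, so the output is scored per host rather than alerted per line.
RULES = [
    ("portproxy_pivot", re.compile(r"netsh\s+interface\s+portproxy\s+add", re.I)),
    ("ntds_ifm_dump", re.compile(r"ntdsutil.*\b(ifm|ac\s+i\s+ntds)\b", re.I)),
    ("hive_dump", re.compile(r"\breg(?:\.exe)?\s+save\s+hklm\\(sam|system|security)\b", re.I)),
    ("shadow_copy", re.compile(r"vssadmin(?:\.exe)?\s+create\s+shadow", re.I)),
    ("wmi_remote_exec", re.compile(r"wmic(?:\.exe)?\s+.*process\s+call\s+create", re.I)),
    ("domain_recon", re.compile(r"\b(nltest\s+/domain_trusts|net\s+group\s+\"?domain\s+admins)", re.I)),
]


def scan_events(lines):
    """Apply RULES to JSON-lines process-creation events.

    Returns (hits, per_host): hits is one dict per matching event, per_host maps
    hostname -> set of distinct rule names that fired on that host.
    """
    hits = []
    per_host = defaultdict(set)
    for raw in lines:
        raw = raw.strip()
        if not raw:
            continue
        event = json.loads(raw)
        cmd = event.get("cmd", "")
        for name, pattern in RULES:
            if pattern.search(cmd):
                hits.append({"ts": event["ts"], "host": event["host"],
                             "user": event.get("user"), "rule": name, "cmd": cmd})
                per_host[event["host"]].add(name)
    return hits, dict(per_host)


def hosts_to_investigate(per_host, threshold=2):
    """Hosts where at least `threshold` distinct techniques fired: the chained LOTL pattern."""
    return sorted(host for host, rules in per_host.items() if len(rules) >= threshold)


# Constructed sample events, not real logs. Raw string so the JSON escaping is literal.
SAMPLE_EVENTS = r"""
{"ts": "2024-01-12T02:14:07Z", "host": "DC01", "user": "CORP\\svc_backup", "cmd": "ntdsutil.exe \"ac i ntds\" ifm \"create full C:\\Windows\\Temp\\tmp\" q q"}
{"ts": "2024-01-12T02:15:31Z", "host": "DC01", "user": "CORP\\svc_backup", "cmd": "reg.exe save hklm\\system C:\\Windows\\Temp\\sy.dat"}
{"ts": "2024-01-12T02:20:03Z", "host": "FW-JUMP", "user": "admin", "cmd": "netsh interface portproxy add v4tov4 listenport=9999 listenaddress=0.0.0.0 connectport=8443 connectaddress=10.0.5.7"}
{"ts": "2024-01-12T02:22:48Z", "host": "FW-JUMP", "user": "admin", "cmd": "wmic /node:10.0.5.7 process call create \"cmd.exe /c whoami\""}
{"ts": "2024-01-12T09:00:44Z", "host": "WS-0042", "user": "CORP\\jdoe", "cmd": "ipconfig /all"}
{"ts": "2024-01-12T09:02:10Z", "host": "WS-0042", "user": "CORP\\jdoe", "cmd": "ping 10.0.0.1"}
""".strip().splitlines()

if __name__ == "__main__":
    hits, per_host = scan_events(SAMPLE_EVENTS)
    for hit in hits:
        print(f"{hit['ts']} {hit['host']:8} {hit['rule']:16} {hit['cmd'][:60]}")
    print("investigate:", hosts_to_investigate(per_host))
```

The threshold is the point of the design: a single ntdsutil run may be a backup job, but an IFM dump followed by a SYSTEM hive save on the same domain controller is the credential-theft sequence, and a portproxy rule plus remote WMI execution on a jump host is the pivot. Because the page describes actors who check in only every few months, the same rules should be run over retained telemetry spanning months, not just the live window.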
UNC4841
UNC4841 is a suspected Chinese cyber espionage actor. It targeted public and private organizations through a zero-day in Barracuda Email Security Gateway (ESG) appliances, CVE-2023-2868, pursuing information of political or strategic interest to China. Targets included the email domains and users of ministries of foreign affairs in ASEAN member nations and academic research organizations in Taiwan and Hong Kong. The exploit used malicious TAR file attachments whose member names injected shell commands, executing arbitrary commands with elevated privileges on the appliance and establishing a reverse shell. The group used self-signed or stolen TLS certificates to mask its C2 traffic.
Sources
- [1] “Threat Trend Report on APT Groups,” AhnLab Security Emergency Response Center, Aug. 8, 2023. [Online]. Available: https://asec.ahnlab.com/wp-content/uploads/2023/09/ATIP_2023_Jul_Threat-Trend-Report-on-APT-Groups.pdf
- [2] “Stealth Mode: Chinese Cyber Espionage Actors Continue to Evolve Tactics to Avoid Detection,” Google Cloud Threat Intelligence. [Online]. Available: https://cloud.google.com/blog/topics/threat-intelligence/chinese-espionage-tactics
- [3] “Cobalt Strike” (TLP:WHITE), US Department of Health and Human Services. [Online]. Available: https://www.hhs.gov/sites/default/files/cobalt-strike-tlpwhite.pdf
- [4] “Mic Drop: Gen. Charlie ‘Tuna’ Moore: Cyber Wars Don’t Wait for Consensus” (podcast). [Online]. Available: https://podcasts.apple.com/bf/podcast/mic-drop-gen-charlie-tuna-moore-cyber-wars-dont-wait/id1225077306?i=1000705796426
- [5] A. Segal, “China Has Raised the Cyber Stakes,” Foreign Affairs, Jan. 21, 2025. [Online]. Available: https://www.foreignaffairs.com/united-states/china-has-raised-cyber-stakes
- [6] “Cyber Threat Snapshot,” House Committee on Homeland Security, Nov. 12, 2024. [Online]. Available: https://homeland.house.gov/wp-content/uploads/2024/11/11.12.24-Cyber-Threat-Snapshot.pdf
- [7] “PRC State-Sponsored Actors Compromise and Maintain Persistent Access to US Critical Infrastructure,” CISA Joint Cybersecurity Advisory AA24-038A, Feb. 2024. [Online]. Available: https://www.cisa.gov/sites/default/files/2024-02/aa24-038a-jcsa-prc-state-sponsored-actors-compromise-us-critical-infrastructure_1.pdf
- [8] “Volt Typhoon comes for Littleton” (podcast). [Online]. Available: https://podcasts.apple.com/la/podcast/volt-typhoon-comes-for-littleton/id1225077306?i=1000705372855