Security researchers are warning of a significant global rise in Chinese cyber espionage activity against organizations in every industry.
Over the course of 2024, researchers from security firm CrowdStrike observed a 150% average increase in intrusions by Chinese threat actors worldwide, with some sectors experiencing two- to three-fold surges. Researchers at the firm also identified seven new Chinese-origin cyber espionage groups in 2024, many of which exhibited specialized targeting and toolsets.
“Throughout 2024, China-nexus adversaries demonstrated increasingly bold targeting, stealthier tactics, and more specialized operations,” CrowdStrike stated in its 2025 Global Threat Report. “Their underlying motivation is likely China’s desire for regional influence, particularly its goal of eventual reunification with Taiwan, which could ultimately bring China into conflict with the United States.”
The report also highlighted that Chinese groups continue to share malware tools — a long-standing hallmark of Chinese cyber espionage — with the KEYPLUG backdoor serving as a prime example. China-linked actors also displayed a growing focus on cloud environments for data collection and an improved resilience to disruptive actions against their operations by researchers, law enforcement, and government agencies.
A sign of China’s maturing cyber capabilities
CrowdStrike attributes China’s increasingly dominant position in global cyber espionage to a decade of strategic investments, following General Secretary Xi Jinping’s 2014 call for the country to become a cyber power.
These efforts include investments in university programs to cultivate a highly skilled cyber workforce; private sector contracts to provide People’s Liberation Army (PLA), Ministry of Public Security (MPS), and Ministry of State Security (MSS) cyber units with skilled operators and infrastructure; running domestic bug hunting and capture-the-flag competitions to fuel exploit development programs; and industry networking events where PLA and MSS cyber operators obtain unique tools and tradecraft.
“It is highly likely that these investments have led to greater operational security (OPSEC) and specialization in China-linked intrusion operations,” the researchers noted. “Adversaries are pre-positioning themselves within critical networks, supported by a broader ecosystem that includes shared tooling, training pipelines, and sophisticated malware development.”
New cyber operations in key sectors
Historically, Chinese cyber espionage groups have predominantly targeted organizations in the government, technology, and telecommunications sectors, and that continued in 2024. Government organizations were a target for China-linked threat actors in virtually all regions of the world, and Salt Typhoon, a cyber unit tied to China’s MSS, made headlines in recent months after compromising major telecom and ISP networks in the US; this type of targeting is also common in Asia and Africa.
But it was financial services, media, manufacturing, industrials, and engineering that saw the biggest surges in China-linked intrusions last year — 200-300% growth rates compared to 2023. Overall, the number of intrusions and new Chinese cyber espionage groups grew across the board.
Three Chinese groups that CrowdStrike tracks as Liminal Panda, Locksmith Panda, and Operator Panda seem specialized in targeting and compromising telecommunications entities.
Liminal Panda in particular has demonstrated extensive knowledge of telecom networks and how to exploit interconnections between providers to move and initiate intrusions across various regions. Locksmith Panda seems more focused on Indonesia, Taiwan, and Hong Kong, with broader targeting that extends to technology, gaming, and energy companies, as well as democracy activists.
Operator Panda, which seems to be CrowdStrike’s name for the group known as Salt Typhoon, specializes in exploiting internet-facing appliances such as Cisco switches. In addition to telecom operators, the group has also targeted professional services firms.
Vault Panda and Envoy Panda are two groups that target government entities, but whereas Vault Panda is broad in its targeting, also going after financial services, gambling, technology, academic, and defense organizations, Envoy Panda seems focused on diplomatic entities, especially from Africa and the Middle East.
Vault Panda has used many malware families shared by Chinese threat actors, including KEYPLUG, Winnti, Melofee, HelloBot, and ShadowPad. The group regularly exploits vulnerabilities in public-facing web applications to gain initial access. Meanwhile Envoy Panda is known for its use of Turian, PlugX, and Smanager. PlugX, aka Korplug, is one of the oldest remote access trojans used by China-linked cyber espionage groups, with original versions dating back to 2008.
Another resource commonly shared between Chinese threat groups is the so-called ORB (Operational Relay Box) network, which consists of thousands of compromised IoT devices and virtual private servers used to route traffic and conceal espionage operations. These networks are similar to botnets, but are primarily used as proxies, and are often administered by independent contractors based in China. They complicate attribution because the IP addresses of the nodes in use are often short-lived.
“Despite law enforcement attempts to disrupt the ORB networks, China-nexus adversaries continue to use these resources as a key part of their operations,” the CrowdStrike researchers wrote.
Better identity management and adversary-centric patching
Some of the most common intrusion methods last year were compromised credentials, misconfigurations, and unpatched vulnerabilities in public-facing assets, whether web applications or network appliances.
Simply relying on multi-factor authentication is not enough to prevent complex breaches that rely on social engineering and impersonation to exploit existing relationships. Organizations need to use conditional access policies, regularly review account activity, and monitor for signs of unusual user behavior that could indicate a compromised account.
Furthermore, attackers are quick to adopt new techniques and proof-of-concept exploits from technical blogs and combine them in multi-stage attack chains. Vulnerabilities in internet-facing systems should be prioritized, as well as flaws that have publicly known exploits or are known to be actively exploited by threat groups targeting your industry, even if they don’t have the highest severity scores.
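One way to turn the adversary-centric prioritization described above into a repeatable ranking, as an added example that is not code from CrowdStrike or the report: exposure and exploitation evidence outrank the CVSS score, which only breaks ties. The finding list and identifiers are constructed placeholders.

```python
"""Adversary-centric patch prioritisation (added example, not from the report).

Sort order: internet-facing first, then active exploitation by groups targeting
our sector, then any active exploitation, then a public exploit, and only last
the CVSS score. This is why a CVSS 7.2 flaw on an exposed appliance can outrank
a CVSS 9.8 flaw on an internal host.
"""
from dataclasses import dataclass


@dataclass
class Finding:
    ident: str                  # placeholder id, not a real CVE number
    cvss: float
    internet_facing: bool
    public_exploit: bool
    actively_exploited: bool
    targets_our_sector: bool    # exploitation tied to groups targeting our industry


def priority(f: Finding) -> tuple:
    """Key tuple; higher sorts first when used with reverse=True."""
    return (
        f.internet_facing,
        f.actively_exploited and f.targets_our_sector,
        f.actively_exploited,
        f.public_exploit,
        f.cvss,
    )


def prioritise(findings: list[Finding]) -> list[Finding]:
    return sorted(findings, key=priority, reverse=True)


def explain(f: Finding) -> list[str]:
    """Human-readable reasons behind a finding's rank, for the patch ticket."""
    reasons = []
    if f.internet_facing:
        reasons.append("internet-facing")
    if f.actively_exploited:
        reasons.append("actively exploited" + (" by groups targeting our sector" if f.targets_our_sector else ""))
    if f.public_exploit:
        reasons.append("public exploit available")
    reasons.append(f"CVSS {f.cvss}")
    return reasons


# Constructed sample: an internal CVSS 9.8 flaw versus an exposed, exploited CVSS 7.2 flaw
SAMPLE = [
    Finding("PLACEHOLDER-1", 9.8, False, False, False, False),
    Finding("PLACEHOLDER-2", 7.2, True, True, True, True),
    Finding("PLACEHOLDER-3", 8.1, True, True, False, False),
    Finding("PLACEHOLDER-4", 6.5, True, False, False, False),
]
```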
“Monitoring for subtle signs of exploit chaining, such as unexpected crashes or privilege escalation attempts, can help detect attacks before they progress,” the researchers wrote.
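A minimal correlation of the two signals the researchers name, as an added example rather than anything from the report: a service crash followed on the same host within a short window by a privilege-escalation attempt. The log format, field names and sample lines are constructed for this example.

```python
"""Correlate service crashes with follow-on privilege-escalation attempts (added example).

A crash alone is noise; a crash followed shortly by an escalation attempt on the
same host is the kind of subtle exploit-chaining signal worth an alert.
Constructed line format: "<ISO timestamp> <host> <event_type> <detail>".
"""
from collections import defaultdict
from datetime import datetime, timedelta

SAMPLE_LOG = """\
2024-06-01T10:00:05 web01 SERVICE_CRASH nginx exited with signal 11
2024-06-01T10:00:41 web01 PRIV_ESC_ATTEMPT www-data sudo denied
2024-06-01T10:05:00 db02 PRIV_ESC_ATTEMPT backup sudo denied
2024-06-01T11:30:00 web03 SERVICE_CRASH httpd exited with signal 11
2024-06-01T13:30:00 web03 PRIV_ESC_ATTEMPT apache setuid failed
"""

WINDOW = timedelta(minutes=10)   # assumed tuning value, adjust per environment


def parse(log_text: str) -> list[tuple]:
    """Return (timestamp, host, event_type, detail) tuples, skipping blank lines."""
    events = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, host, kind, detail = line.split(maxsplit=3)
        events.append((datetime.fromisoformat(ts), host, kind, detail))
    return events


def find_chains(events: list[tuple], window: timedelta = WINDOW) -> list[tuple]:
    """Return (host, crash_time, escalation_time) where the escalation attempt
    lands on the same host within `window` after a crash."""
    crashes = defaultdict(list)   # host -> crash timestamps seen so far
    hits = []
    for ts, host, kind, _detail in sorted(events):
        if kind == "SERVICE_CRASH":
            crashes[host].append(ts)
        elif kind == "PRIV_ESC_ATTEMPT":
            for crash_ts in crashes[host]:
                if timedelta(0) <= ts - crash_ts <= window:
                    hits.append((host, crash_ts, ts))
                    break
    return hits
```

db02 escalates without a preceding crash and web03's escalation is two hours after its crash, so only web01 is flagged.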