Eighteen months of Chinese cyber espionage

To understand current Chinese cyber espionage activity, we compiled and analyzed public reports that described cyber espionage operations attributed to China in the past 18 months.  Obviously this approach will only reveal the tip of the iceberg, so any conclusions we draw should be considered as mere hints on China’s cyber espionage strategy and goals.

Timeline of China-linked cyber espionage

We’ve summarized cyber espionage operations attributed to China in the timeline below. We could provide a date or duration for most events, except for operation CloudHopper (APT10/MenuPass’ campaign against managed service providers) and for the Thrip group. At least ten TTP groups were observed in 2017. The two most active groups during this time frame were the APT17/Axiom/Winnti umbrella and APT10/MenuPass. There were also a few cases where we could not distinguish between Leviathan and APT27/Emissary Panda TTPs.

The main operation theaters

The timeline really illustrates that Chinese cyber espionage, taken as a whole, is very active worldwide. Nonetheless, some countries and activity sectors stand out as being more persistently targeted. These are:

  • the US, South Korean and Japanese defense industries;
  • telecommunication and high-tech companies especially in the US, Asia and Russia;
  • Japanese organizations;
  • companies delivering IT services or IT products worldwide;
  • and finally, US and Asian political organizations, independent Chinese media and “the five poisons”.

India is curiously missing from the list. In our opinion, there are indeed some reasons to expect espionage activity against India: last year a territorial dispute occurred between India and China in the Doklam region, and the fact that China’s Belt and Road Initiative is taking shape along the Indian Ocean may prompt a reaction by India which China would probably like to anticipate.

Are Chinese groups bolder?

The technical sophistication of Chinese attacks has not changed much, and they still rely on tried-and-tested tactics such as spear phishing, exploits, supply chain attacks, use of stolen code-signing certificates, and mixing custom malware, open source tools and “living off the land” techniques. Their arsenal has, however, been significantly renewed since late 2015, when the US and China agreed on actions to limit espionage.

What appears to be a significant change of strategy is that recent supply chain attacks had a much broader reach than a few years ago. China previously had a record of targeting security providers in order to circumvent the specific security solutions deployed in their targets’ networks (for instance, the RSA and Bit9 hacks). Since at least 2016, however, multiple IT companies have been compromised, such as Piriform, NetSarang and unidentified managed-services providers, and these companies’ services or products were leveraged to access the networks of various organizations of interest. This looks like a broad and opportunistic approach. Moreover, Chinese hackers are so bold that they are not afraid to distribute compromised products to millions of victims worldwide in order to reach only a few targets.

Globally, it does seem that the theft of intellectual property affecting US companies has decreased, but organizations involved in the defense industry are still being attacked (they were not covered by the US-China agreement). Also, according to FireEye’s latest M-Trends report, US business information and intellectual property in fields such as artificial intelligence or advanced batteries could be preyed upon by groups linked to China. Japanese, South Korean and Taiwanese companies, on the other hand, remain continuously under attack, as do political organizations that focus on or interact with China.

Written by: SEKOIA Team