How Have Chinese APT Groups Evolved Over the Last Five Years?

The landscape of cyber threats has seen significant changes over the past five years, particularly with the activity of Chinese advanced persistent threat (APT) groups. These state-sponsored actors have shifted their tactics, techniques, and procedures (TTPs) to become more sophisticated and targeted in their operations. Based on a comprehensive study by cybersecurity firm Sophos, which tracked and attributed hacker activity from December 2018 to November 2023, this article delves into the evolution of these groups, highlighting their increased precision and stealth.

Initially, Chinese APT groups were known for their broad, indiscriminate attacks, often targeting a wide range of entities with the primary goal of gathering as much data as possible. Over the past five years, however, there has been a noticeable shift towards more stealthy operations. These groups now focus on high-value targets and critical infrastructure organizations, employing precision in their attacks to maximize impact and minimize detection risk. This transition marks a distinctive change in the threat landscape and underscores the evolving sophistication of Chinese cyber operations.

From Widespread Attacks to Stealthy Operations

In December 2018, Chinese hackers targeted Cyberoam, an India-based Sophos subsidiary, marking one of their early stealth operations. The attackers implanted a remote access trojan (RAT) on a low-privilege computer within the office, aiming to gather intelligence and develop malware targeting network devices. This initial incident highlighted the use of sophisticated tools like the Cloud Snooper rootkit and showcased innovative methods to exploit misconfigured Amazon Web Services (AWS) Systems Manager Agents. Such incidents laid the groundwork for future operations that would become increasingly focused and methodical.

Between early 2020 and much of 2022, Sophos and its collaborators attributed multiple noisy, indiscriminate attack campaigns to educational establishments in Chengdu, China. These campaigns targeted publicly reachable network appliances by exploiting previously unknown vulnerabilities, which indicated a broad-based approach typical of earlier Chinese APT activity. The attackers focused on wide-area network (WAN)-facing services, retrieving data from compromised devices and inserting payloads into device firmware. This period of noisy attacks allowed the groups to gather valuable data and refine their techniques before transitioning to more targeted operations.

The Role of Educational Establishments

Research entities such as Sichuan Silence Information Technology and the University of Electronic Science and Technology of China played a significant role during this period. These institutions conducted extensive vulnerability research, discovering and documenting flaws that could be exploited in network appliances and other critical devices. The findings were shared with associated vendors and potentially with the Chinese government, facilitating the development of more advanced attack methods. This collaboration between educational institutions and state-sponsored cyber actors underscores the organized and resourceful nature of these threats.

The involvement of academic institutions in vulnerability research highlights the complex ecosystem supporting Chinese APT groups. These establishments not only provide technical expertise but also act as a liaison between civilian researchers and government agencies. By leveraging the discoveries made by these researchers, Chinese APT groups have been able to stay ahead of the curve, developing new methods to compromise high-profile targets and refine their operational security practices.

Shift to Highly Targeted Attacks

By mid-2022, a significant shift was observed in the focus and methodology of Chinese APT groups. The threat actors adapted their strategy to launch highly targeted attacks against government agencies, critical infrastructure management groups, research and development organizations, and healthcare providers, primarily in the Indo-Pacific region. These sophisticated operations employed a variety of advanced Tactics, Techniques, and Procedures (TTPs), favoring manual execution of commands and deploying malware on compromised devices to maintain a higher level of control and stealth.

The attackers’ preference for manual methods over automated ones allowed them to operate with greater precision and discretion, making immediate detection increasingly challenging. Custom, fully-featured userland rootkits were developed for persistent and undetectable access to compromised systems. This level of sophistication marks a departure from the previously observed noisy campaigns, indicating a strategic pivot towards more impactful and covert actions. The transition to highly targeted attacks suggests a maturation in the operational capabilities and intentions of Chinese APT groups.

Advanced Operational Security Measures

Sophos noted that the most common initial access vectors for these sophisticated attacks were CVE exploitation and instances of access using valid administrative credentials from the LAN side of the device. The attackers excelled in hiding their activities, employing various methods to block telemetry from compromised devices. These efforts prevented Sophos from collecting data on ongoing exploits and showcased the attackers’ high level of operational security and awareness. This emphasis on stealth and avoidance of detection underscored the attackers’ intricate understanding of cybersecurity defenses.

Furthermore, the study pointed out that traditional open-source intelligence practices to track data had diminished in effectiveness due to the enhanced operational security measures implemented by these advanced persistent threat groups. This trend underscores the significant resourcefulness and sophistication of the adversaries, who demonstrated exceptional knowledge of device firmware architecture and exhibited a substantial commitment to their malicious activities. These operational security practices represent a new level of challenge for defenders, requiring more advanced and adaptive security measures.

The Need for Increased Collaboration

Over the past five years, the landscape of cyber threats has undergone significant changes, particularly due to the activity of Chinese advanced persistent threat (APT) groups. These state-sponsored actors have evolved their tactics, techniques, and procedures (TTPs) to become more sophisticated and targeted. According to a study by cybersecurity firm Sophos, tracking hacker activity from December 2018 to November 2023, Chinese APT groups have shown increased precision and stealth in their operations.

Previously, these groups were known for conducting broad, indiscriminate attacks aimed at gathering large amounts of data from a wide array of entities. However, a noticeable shift has occurred over the last five years towards more stealthy and precise operations. Now, these groups are focusing on high-value targets and critical infrastructure organizations. They employ refined techniques to maximize impact while minimizing the risk of detection. This transition highlights a significant change in the cyber threat landscape and underscores the increasing sophistication and evolving strategies of Chinese cyber operations.

Explore more

How Will ICP’s Solana Integration Transform DeFi and Web3?

The collaboration between the Internet Computer Protocol (ICP) and Solana is poised to redefine the landscape of decentralized finance (DeFi) and Web3. Announced by the DFINITY Foundation, this integration marks a pivotal step in advancing cross-chain interoperability. It follows the footsteps of previous successful integrations with Bitcoin and Ethereum, setting new standards in transactional speed, security, and user experience. Through

Certificial Launches Innovative Vendor Management Program

In an era where real-time data is paramount, Certificial has unveiled its groundbreaking Vendor Management Partner Program. This initiative seeks to transform the cumbersome and often error-prone process of insurance data sharing and verification. As a leader in the Certificate of Insurance (COI) arena, Certificial’s Smart COI Network™ has become a pivotal tool for industries relying on timely insurance verification.

Why Choose IT Operations Over Software Development?

Choosing Between IT Operations and Software Development In today’s rapidly evolving technology landscape, career decisions in the tech field often boil down to choosing between IT operations and software development. While software development is often celebrated for its high salaries and abundance of job opportunities, IT operations offer a compelling alternative that goes beyond financial considerations. The assumption that software

Wix and ActiveCampaign Team Up to Boost Business Engagement

In an era where businesses are seeking efficient digital solutions, the partnership between Wix and ActiveCampaign marks a pivotal moment for enhancing customer engagement. As online commerce evolves, enterprises require robust tools to manage interactions across diverse geographical locations. This alliance combines Wix’s industry-leading website creation and management capabilities with ActiveCampaign’s sophisticated marketing automation platform, promising a comprehensive solution to

Top Cryptocurrencies to Watch in June 2025 for Smart Investments

Cryptocurrencies continue to reshape financial markets and offer intriguing investment opportunities for those astute enough to navigate this rapidly evolving sector. Each month, the crypto landscape introduces new contenders and reinforces existing favorites that demonstrate potential through unique value propositions and market traction. Understanding the intricacies behind these developments is crucial for investors deliberating their next move in the digital