
Chinese Spying Drops in Volume, Becomes More Focused

Chinese cyberspies continue to target organizations in the United States and other countries, but their activities have dropped in volume and have become more focused and calculated, according to a new report from FireEye.

The security firm has observed the activities of 72 China-linked groups since early 2013. These threat actors are believed to be responsible for a total of 262 successful attacks, including 182 incidents affecting U.S. entities. Their attacks were also aimed at 25 other countries in Europe, Asia, South America, Africa and the Middle East.

FireEye started seeing a drop in successful attacks in mid-2014, a trend researchers attribute to several factors. The United States government began taking action against cyber espionage: the Department of Justice indicted PLA officers, President Barack Obama signed an executive order authorizing sanctions against individuals and entities, and there were reports that the government was preparing economic sanctions against China. In September 2015, President Obama and his Chinese counterpart, President Xi Jinping, agreed not to conduct cyber espionage for economic gain.

In the period leading up to the meeting between Xi and Obama, FireEye observed an even sharper drop in activity, and attack volume has remained low since.

While China’s cyberspying might have decreased in volume, attacks are still being launched – although they have apparently become more focused and calculated. Between September 2015 and June 2016, the security firm spotted 13 active China-based groups conducting attacks against corporations in the United States, Europe and Japan.

The list of U.S. targets included aerospace, software, high-tech, healthcare, and government services companies. In Europe, attackers targeted logistics and consulting companies. The most recent attacks conducted by three of the 13 groups were aimed at four companies involved in the manufacturing of semiconductors in the U.S., Europe and Asia.

Other groups operating from China have been seen targeting organizations in Russia, Mongolia, South Korea, Taiwan, Hong Kong and Vietnam.

In addition to the actions taken by the United States, FireEye believes the drop in activity can also be attributed to President Xi’s political and military initiatives, and the widespread exposure of Chinese cyber operations by the infosec community.

“We have not seen evidence of a coordinated shift in the behavior of recently active China-based groups—tactical changes appear to be specific to each group’s mission and resources, and in response to public exposure of its cyber operations,” FireEye said in its report.

Russian security firm Kaspersky Lab has confirmed that Chinese-speaking threat actors continue to launch attacks.

“From our more global perspective, activity that has been associated with Chinese speaking groups continues. In many cases, we have seen Chinese speaking groups increase their activity in other parts of the world, including Russia,” Kurt Baumgartner, principal security researcher at Kaspersky, told SecurityWeek. “Over the past year, APTs subjected to significant public exposure only slightly changed their toolset and continued on with their activity.”

Symantec said it had observed an immediate decrease in the tactics, techniques and procedures (TTPs) it tracks being used against the United States after the Xi-Obama agreement.

“However, we still continue to see a small amount of activity continuing after September 2015. This small trickle of continuing activity could be explained by the time needed for attackers to cease operations in relation to the US-China cyber agreement in September 2015,” the company told SecurityWeek.

“Some operations just can’t be wound down overnight. Alternatively, what we are seeing could just be part of the normal ebb and flow of attacks. However, since the start of 2016, we have been in a distinct trough of activity,” Symantec added. “It should be noted as well that we continue to see TTP data associated with China involved in general cybercrime activity.”

Written By

Eduard Kovacs (@EduardKovacs) is a managing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.
