Chinese cyber espionage activity on the rise, according to new report

Nation-state threats led by China have risen in 2024, with preventing a possible US response to an attack on Taiwan and disrupting the AUKUS alliance among the particular goals of the country’s hacking operations.

Cyber attacks by state-backed Chinese hackers rose remarkably in 2024, with increasingly technically competent threat actors targeting both the public and private sectors.

Of particular concern is that Chinese threat actors have become more skilled and well-resourced and have now effectively achieved “cyber parity” with their counterparts in the West.

“As outlined in our 2025 Global Threat Report, we’ve seen China-nexus activity increase by 150 per cent around the world,” Adam Meyers, SVP of counter adversary operations at CrowdStrike, recently told Defence Connect.

“What interests and concerns me is that after two decades of investment in their cyber development, China now has parity with the leading cyber nations around the world and has up-levelled what they are doing.

“They are creating specialist groups. For example, of the Panda adversaries we track, Operator Panda is focused on targeting the US telecommunications sector, with Liminal Panda focused on Europe, Africa, Asia and South America, while other Panda adversaries are focused on targeting other specialised industries.

“China is also operationalising their offensive cyber activity and has developed a cyber industrial base that is focused on running operations on behalf of the Chinese government. They have also created affinity networks where they can share information.”

According to Meyers, the Chinese government is also boosting its cyber forces by running bug bounties and specialised education programs. In fact, China is the “number one nation-state cyber threat we see across the globe”, Meyers said.

“China’s aim is to spread its influence and achieve hegemony in the Asia-Pacific region.”

Worryingly, Australia is not immune to the uptick in Chinese activity, particularly given the ongoing AUKUS partnership between the United States, the United Kingdom and Australia.

“China is very concerned about Australia effectively becoming a nuclear sea power,” Meyers said.

“They see the region as their sphere of influence, so any increase in the capacity of one of America’s allies in the region is definitely going to drive Chinese hacking activity.”

“China has developed weapons to target carrier strike groups, but they don’t have a great answer for submarines. So this is an area they seek to get more intelligence on, as they see the US working with Australia to support Australia’s nuclear submarine development.”

Elsewhere in the region, Chinese hackers are preparing for a possible attack on Taiwan and defending against a subsequent American deployment.

“With Vanguard Panda, also known as Volt Typhoon, we have seen them tied to OPE attacks designed to disrupt logistical networks. China seeks the ability to disrupt intervention from a carrier strike group in the INDOPACOM theatre in a conflict over Taiwan, without a shot being fired, with prepositioned attacks,” Meyers said.

Chinese cyber attacks could easily interfere with port operations, refuelling and resupply in the region.

And Meyers agrees with Australian Security Intelligence Organisation chief Mike Burgess who recently said that nation-state attacks and sabotage of defence projects are on the rise.

“Absolutely and also with natural resources – natural resources are something China has struggled with in the past and so we have seen activity in the west of Australia, where a lot of mining occurs,” Meyers said.

“Another area we could expect to see expansion is critical infrastructure and government, including electoral activity and influencing a pro-China agenda.”

North Korean revenue schemes

But while Chinese hackers are probably the biggest global threat in terms of espionage, hackers with links to the North Korean government are using cryptocurrency theft and fake job scams to bring in money to the rogue regime to fund its advanced weapon programs. The threat actor tracked as Famous Chollima by CrowdStrike is particularly adept at running fake IT worker schemes, with fake workers earning multiple wages while doing the minimum possible work to maintain their positions.

“We started tracking Famous Chollima last March doing IT worker operations,” Meyers said.

“They have two versions and objectives: malware operations to exert maximum pressure and generate revenue for the regime through crypto theft, and malicious IT worker operations.”

In the past year, CrowdStrike observed more than 304 Famous Chollima incidents, 40 per cent of which were insider threat operations.

“These fake workers use generative AI to help them with interview questions and large language models to create entire LinkedIn pages,” Meyers said.

“And since these fake workers are hired as remote workers, they get sent a package with a company laptop and some swag. Then they provide a reason for the laptop to be sent to a different location, like staying with a sick family member, and that’s where you get these laptop farms – it may be a residence, it may be a small cloud hosting business.

“Then they remote access these laptops and the company is none the wiser, as the company believes they are working from a legitimate location.”

These schemes can also take advantage of access to businesses that may host useful data or intellectual property, leading to incidents of insider leaks and opportunities to deploy malware.

Other DPRK-backed groups – such as Labyrinth Chollima, Velvet Chollima and Silent Chollima – have targeted entities in the defence and aerospace industries specifically. However, again, the activity largely revolves around income generation.

What can be done?

Given the increasingly hostile cyber landscape, Meyers said Australian defence contractors should really be focusing on the end-to-end visibility of their networks.

“It’s no longer just about protecting a computer – we now have identity-based attacks, with 52 per cent of vulnerabilities in the last year targeting initial access. We also saw 35 per cent of cloud intrusions using identity and compromised identities,” Meyers said.

“Many may have adequate cyber defences, but they may not be looking at identity and cloud, particularly cloud control planes. You need to have your defenders able to see all domains, including the identity stack, endpoint domains, legacy and unmanaged devices, so they have proper visibility and can do threat hunting across domains.”

Meyers stressed that giving human threat hunters every advantage they can get is the key to what he describes as “hand-to-hand combat”, especially given the growing speed with which malicious actors can now move within a network.

“Seventy-nine per cent of attacks were malware-free, with hands-on-keyboard attacks that were driven by humans, which means you need human threat hunters to do hand-to-hand combat,” Meyers said.

“The breakout time between getting access and then moving between devices is dropping significantly with an average of 48 minutes, compared to 62 minutes last year and two years ago it was 84 minutes, while the fastest breakout time was just 51 seconds.

“Once they break out, then you’re in a situation where you aren’t stopping them, but chasing them, so you need to have human threat hunters to counter these attacks.”
