Cyber menu 2025: Peking duck

Western countries are increasingly attributing cyberattacks to China and regard it as the biggest threat to their cybersecurity. Data leaks have given us a glimpse into China’s offensive cyber ecosystem, which is characterised by extensive cooperation between the private sector and the state.

Starter

In the previous RIA cybersecurity annual review, we wrote that the cyber groups of the People’s Republic of China are likely the most capable anti-Western forces in the world at conducting complex cyber operations.

In 2025, we saw this trend intensify, with China’s cyber activity expanding in reach and scale – from global espionage and attack campaigns to pre-positioning in Western critical infrastructure.

China’s activity in cyberspace is characterised by advanced technical capabilities, rapid exploitation of vulnerabilities (including zero-day vulnerabilities), a global scope of operations, and support for China’s national ambitions.

Illustration. A hand in a suit sleeve holds a plate on its fingertips, and on the plate sits a duck. The duck has hieroglyphs on its chest, a yellow star in its red eye, and holds in its beak red wires that also run beneath it. Light blue lines of code are visible against a dark blue background.

Sweet-and-sour chicken

In 2025, dozens of cyberattacks were attributed to state-backed attackers from China, known as advanced persistent threats (APTs). These groups mainly targeted government bodies, telecommunications companies and industrial firms, particularly in the defence sector, but companies in other sectors were also affected.

Their primary goal is to gain access to sensitive data to derive economic, political, and military advantage. In January, for example, Taiwan reported that Chinese attacks against the country had doubled, with government bodies and telecommunications firms hit in particular. In May, the United Kingdom’s cybersecurity authority declared that it considered China the primary threat to national cybersecurity, as Chinese groups had targeted government bodies, critical infrastructure and members of parliament. Estonia’s foreign ministry also condemned these attacks. According to the assessment of the US Director of National Intelligence, China is the most active and long-term cyber threat to the United States.

In May, the Czech Republic attributed an attack to the Chinese group APT31 for the first time, stating that the campaign had targeted the Czech foreign ministry. France’s cybersecurity authority published a report on an attack campaign it calls Houken, which targeted France’s government sector and private companies. These are only a few examples, but they illustrate the scale of China’s state-backed cyberattack campaigns.

Reports of pre-positioning also continued. For example, the US Cyber Command discovered Chinese malware on the networks of several Latin American countries. The concept of pre-positioning gained wider attention in 2024, when US authorities accused Chinese cyber groups of infiltrating various networks. The suspected aim is to position themselves so that, at a chosen moment, they can disable critical infrastructure and disrupt the day-to-day functioning of the targeted state and its population. The Salt Typhoon campaign, which received extensive coverage in 2024 and targeted the telecommunications sector, did not subside. On the contrary, it expanded: instead of the eight companies initially identified, more than 600 companies across 80 countries have now been targeted.

China also remains the biggest exploiter of zero-day vulnerabilities. In 2025, for example, Chinese cyber groups actively exploited vulnerabilities in Ivanti VPN devices in March, SAP NetWeaver in April, Ivanti Endpoint Manager in May and Microsoft SharePoint in July. The Microsoft SharePoint vulnerability was used to attack more than 400 organisations worldwide, including US government agencies.

Chinese chopsticks, or 筷子

The modus operandi of Chinese cyber groups is to gain access to networks and remain undetected for as long as possible. Once inside, they often move from one system to another by abusing trust relationships that already exist between devices or systems, such as valid accounts and established administrative access paths. In 2025, nearly 75% of the analysed Chinese cyberattacks were malware-free: the attackers got in by exploiting vulnerabilities or by using stolen login credentials, and then operated with the tools already present on the compromised systems. This technique, known as Living off the Land (LotL), leaves few of the file artefacts that security products look for and makes intrusions harder to detect.
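As an added illustration of the detection problem described above (example code written for this page, not RIA's or any vendor's tooling): when an intrusion is malware-free, the useful signal is in authentication telemetry rather than in files. The script below runs two simple checks over constructed logon events shaped like the fields of Windows Security event 4624: a "fan-out" check for one account reaching several hosts from one source within a short window, and a check for account/source-host pairs that fall outside a documented baseline of expected authentication paths. The sample events, the baseline, the thresholds and the field names are all assumptions made for the example.

```python
"""Added example (not RIA's code): spotting credential-based lateral movement
in logon telemetry when no malware is involved.

The events below are constructed, in the shape of Windows Security event 4624
fields (logon type 3 = network, 10 = RemoteInteractive/RDP); they are not real logs.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample telemetry (assumption: fields already parsed from event 4624).
SAMPLE_EVENTS = [
    {"ts": "2025-03-04T02:10:05", "user": "svc_backup", "src": "ws-17", "dst": "fs-01", "logon_type": 3},
    {"ts": "2025-03-04T02:11:30", "user": "svc_backup", "src": "ws-17", "dst": "sql-02", "logon_type": 3},
    {"ts": "2025-03-04T02:12:41", "user": "svc_backup", "src": "ws-17", "dst": "dc-01", "logon_type": 3},
    {"ts": "2025-03-04T02:14:03", "user": "svc_backup", "src": "ws-17", "dst": "mail-01", "logon_type": 10},
    {"ts": "2025-03-04T09:00:12", "user": "a.tamm", "src": "ws-03", "dst": "fs-01", "logon_type": 3},
    {"ts": "2025-03-04T09:01:45", "user": "a.tamm", "src": "ws-03", "dst": "mail-01", "logon_type": 3},
    {"ts": "2025-03-04T23:00:00", "user": "svc_backup", "src": "bkp-01", "dst": "fs-01", "logon_type": 3},
]

# Baseline of expected (account, source host) pairs. Assumption: learned from a
# quiet period or documented in the CMDB. Anything outside it is a "new trust path".
BASELINE_PATHS = {
    ("svc_backup", "bkp-01"),  # the backup account normally runs from bkp-01
    ("a.tamm", "ws-03"),
}

REMOTE_LOGON_TYPES = {3, 10}  # network and RDP logons: the types used to hop between hosts


def fan_out_alerts(events, window=timedelta(minutes=15), min_hosts=3):
    """Flag (user, src) pairs that reach at least `min_hosts` distinct targets
    within `window` using remote logon types.

    Returns a sorted list of (user, src, targets) tuples, one per flagged pair."""
    per_key = defaultdict(list)
    for e in events:
        if e["logon_type"] not in REMOTE_LOGON_TYPES:
            continue
        per_key[(e["user"], e["src"])].append((datetime.fromisoformat(e["ts"]), e["dst"]))
    alerts = []
    for (user, src), hits in per_key.items():
        hits.sort()
        for i, (t0, _) in enumerate(hits):
            # Sliding window: every later event within `window` of this one.
            targets = {dst for t, dst in hits[i:] if t - t0 <= window}
            if len(targets) >= min_hosts:
                alerts.append((user, src, tuple(sorted(targets))))
                break  # one alert per (user, src) pair is enough
    return sorted(alerts)


def new_path_alerts(events, baseline=BASELINE_PATHS):
    """Flag remote logons whose (user, source host) pair is not in the baseline.
    Returns a sorted list of the unexpected (user, src) pairs."""
    seen = set()
    for e in events:
        key = (e["user"], e["src"])
        if e["logon_type"] in REMOTE_LOGON_TYPES and key not in baseline:
            seen.add(key)
    return sorted(seen)


if __name__ == "__main__":
    for user, src, hosts in fan_out_alerts(SAMPLE_EVENTS):
        print(f"fan-out: {user} from {src} -> {', '.join(hosts)}")
    for user, src in new_path_alerts(SAMPLE_EVENTS):
        print(f"new path: {user} authenticating from {src}")
```

Both checks need tuning per environment. Vulnerability scanners and backup jobs legitimately fan out across many hosts, so their accounts and source hosts belong in the baseline; raising the fan-out threshold for everyone instead would hide exactly the quiet, credential-only movement the section describes.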

Another trend is the continued exploitation of vulnerabilities in edge devices and cloud platforms. This was also highlighted in a public advisory issued in September by the United States and its allies, with contributions from several dozen intelligence and cybersecurity agencies.

The European Union Agency for Cybersecurity (ENISA) notes in its annual report that a growing number of Internet of Things (IoT) devices, including routers, are being abused. The Chinese group Flax Typhoon exploited the Quad7 botnet, which consisted of thousands of TP-Link routers in Europe.

Another example is botnet BADBOX 2.0. According to Google, it contained more than 10 million infected home devices that cybercriminals could use to carry out malicious activity. Estonia was not spared either – at the height of the campaign, more than 7,000 infected devices were identified in Estonia. In many cases, malware had been installed on devices before they were sold, or users infected their devices by downloading Android apps from unofficial sources. Most such devices originate from China.

Another characteristic is that Chinese groups share tools with each other. This often makes it difficult to attribute a specific tool to a specific actor. For this reason, recent attributions have increasingly focused less on identifying a single group and more on naming Chinese companies that facilitate cyberattacks.

DeepSeek and the End of the 'Free Lunch'

The United States and China are engaged in a technological race, with AI as its most visible front. At the start of 2025, the Chinese company DeepSeek surprised the public with a new large language model, which was reportedly developed at a fraction of the cost of Western equivalents. Yet it did not lag behind the Western language models of the time in capability. In the United States, DeepSeek’s announcement was described as a “Sputnik moment” in the AI field, as it became clear that China might not only catch up in AI development but also pull ahead.

The potential advantages of using DeepSeek’s language models are straightforward: they are powerful, relatively open, inexpensive, and fast, and can be used across applications, services, and businesses. DeepSeek’s own terms of use state that it collects user data, uses it to train the model and shares it with other service providers. Under Chinese law, including the 2017 National Intelligence Law, it is also obliged to hand over data to the state’s security and intelligence agencies on request. DeepSeek’s language models also censor topics that are uncomfortable for the Chinese Communist Party, such as the Tiananmen Square massacre of June 1989.

None of this means that Chinese applications should always be avoided. It is important to remember, however, that there is no such thing as a free lunch. In government bodies and other critical organisations, RIA recommends that DeepSeek applications not be used on work devices. Sensitive information should not be entered into them either. Every user should think carefully about what information they share with technology companies.

Spills in the kitchen

In November, more than 12,000 classified documents were leaked from the Chinese software company Knownsec. The leak revealed how the company compromised more than 80 targets worldwide. It also showed that Knownsec has malware and trojans for all major operating systems – Windows, Linux, macOS, iOS and Android.

A second leak contained personal data and transaction information relating to members of the Salt Typhoon group. A third described how China exports its internet model to other countries, enabling mass surveillance of citizens. A fourth leak revealed how Chinese companies use AI to run information operations in the political sphere.

These leaks show that the Chinese state relies on the help of private companies to conduct malicious cyber operations. At the same time, this gives the state room to distance itself from attacks, since the operator is a private company rather than a state body.

Chinese food in Estonia

In 2025, Estonia also came within the scope of China’s cyber activity. It is important to recognise that when a vulnerability is disclosed and actively exploited elsewhere, vulnerable devices are likely to be present in Estonia as well, and it is only a matter of time before a malicious group finds them. To RIA’s knowledge, exploitation attempts against several of the vulnerabilities that Chinese cyber groups actively exploit have also been observed against systems in Estonia and, in some cases, have succeeded.

We would like to remind readers that rapid patching and good cyber hygiene help prevent a significant proportion of cyber threats. Estonian companies are also being impersonated in SMS phishing campaigns created by Chinese cyber criminals, and we have been targeted by phishing emails from China’s state-backed attackers as well.
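One concrete way to act on the patching advice in the two paragraphs above, as an added example (not RIA's code): keep an inventory of what you run and compare it automatically against a feed of vulnerabilities that are being actively exploited, so that the internet-facing devices these campaigns reach first are patched first. The inventory, the feed, its placeholder IDs and all version numbers are constructed for this example and describe no real vulnerability; the version comparison assumes numeric dotted version strings.

```python
"""Added example (not RIA's code): matching an asset inventory against a feed of
actively exploited vulnerabilities so that patching can be prioritised.

Both the inventory and the feed are constructed. The feed entries are shaped
like a 'known exploited' catalogue (vendor, product, first fixed version) but
describe no real vulnerability; the IDs are placeholders, not CVEs.
"""
import re


def parse_version(v):
    """Split a dotted version such as '22.7.2' or '7.5.3-build4' into a tuple of
    integers so that tuple comparison gives numeric ordering (22.10 > 22.7, which
    a plain string comparison gets wrong).

    Assumption: the products use numeric dotted versions. Schemes that mix in
    letters (e.g. '22.7R2') would need a vendor-specific parser."""
    return tuple(int(x) for x in re.findall(r"\d+", v))


# Constructed feed: placeholder IDs and made-up versions, no real vulnerability.
EXPLOITED_FEED = [
    {"id": "EXAMPLE-1", "vendor": "Ivanti", "product": "Connect Secure", "fixed_in": "22.8.0"},
    {"id": "EXAMPLE-2", "vendor": "Microsoft", "product": "SharePoint Server", "fixed_in": "16.0.2"},
    {"id": "EXAMPLE-3", "vendor": "SAP", "product": "NetWeaver", "fixed_in": "7.5.4"},
]

# Constructed inventory: hostname, vendor, product, installed version, internet-facing?
INVENTORY = [
    {"host": "vpn-gw-01", "vendor": "Ivanti", "product": "Connect Secure", "version": "22.7.2", "exposed": True},
    {"host": "vpn-gw-02", "vendor": "Ivanti", "product": "Connect Secure", "version": "22.8.1", "exposed": True},
    {"host": "sp-int-01", "vendor": "Microsoft", "product": "SharePoint Server", "version": "16.0.1", "exposed": False},
    {"host": "erp-01", "vendor": "SAP", "product": "NetWeaver", "version": "7.5.4", "exposed": False},
]


def affected_assets(inventory, feed):
    """Return the assets whose installed version is older than the first fixed
    version of a matching feed entry, internet-facing assets first."""
    hits = []
    for asset in inventory:
        for entry in feed:
            if (asset["vendor"], asset["product"]) != (entry["vendor"], entry["product"]):
                continue
            if parse_version(asset["version"]) < parse_version(entry["fixed_in"]):
                hits.append({
                    "host": asset["host"],
                    "id": entry["id"],
                    "exposed": asset["exposed"],
                    "installed": asset["version"],
                    "fixed_in": entry["fixed_in"],
                })
    # Edge devices reachable from the internet are what these campaigns hit first,
    # so they go to the top of the list.
    return sorted(hits, key=lambda h: (not h["exposed"], h["host"]))


if __name__ == "__main__":
    for h in affected_assets(INVENTORY, EXPLOITED_FEED):
        where = "INTERNET-FACING" if h["exposed"] else "internal"
        print(f"{h['host']:10} {where:15} {h['id']}: {h['installed']} < fixed in {h['fixed_in']}")
```

The check is only as good as the inventory behind it: a VPN appliance or router that is not in the inventory is exactly the kind of device that gets found by an attacker before it gets found by the defender.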

'When many gather firewood, the flame will rise high' – a Chinese proverb

More and more Western countries are describing China as a cyber threat in increasingly explicit terms and attributing cyberattacks to it. Joint statements have been issued by the Czech Republic, the United Kingdom, France, the United States and others, and the tactics used by Chinese hackers have been described in detail. We should prepare for Chinese cyberattackers to increasingly use AI to identify and exploit vulnerabilities more quickly.

What can we do to counter cyber threats originating from China? Patch vulnerabilities faster, monitor what is happening in our networks, and strengthen domestic and international cooperation.

Twelve years of China’s state-backed cyber groups

In February 2013, the cybersecurity provider Mandiant published a report that shook the cyber world. It described a clandestine Chinese hacking group behind numerous espionage operations. The group was named APT1 and was linked to Unit 61398 of the People’s Liberation Army.

The report described how the group stole hundreds of terabytes of data from nearly 150 organisations across some 20 industries. It also named individuals who were behind the attacks. This was the first attribution of its kind, after which Western governments and companies began to speak much more openly about cyber threats. The issue became one of the main topics discussed by US and Chinese leaders in 2015. The two powers agreed that they would no longer engage in cyber-enabled intellectual property theft, and the pact became known as the Obama–Xi Cyber Agreement. Unfortunately, the agreement was short-lived.

Over the following 12 years, dozens of Chinese state-backed hacking groups were discovered. Analysts believe that China has the largest number of state-supported cyber groups. While it is difficult to give an exact number, there are thought to be at least 60. By comparison, the total number of groups linked to other major anti-Western cyber powers – such as Russia, Iran and North Korea – is believed to be fewer than 30.

In Chinese culture, time is traditionally measured in 12-year cycles. In 2025, 12 years after the first APT report was published, a new actor was added to the list of China’s state-backed hacking groups: Phantom Taurus. While APT1-type groups had a broad scope and sought to collect as much data as possible, newer groups tend to carry out more targeted attacks, aiming to remain hidden within an organisation’s or company’s network for as long as possible. Phantom Taurus uses novel tools that have not previously been observed among Chinese groups. Notably, Phantom Taurus operated for two and a half years without being detected.

Last updated: 11.02.2026
