Over 70 Organizations Across Multiple Sectors Targeted by China-Linked Espionage

Between mid-2024 and early 2025, a China-linked cyber espionage group carried out a widespread campaign targeting more than 70 organizations across diverse industries, including manufacturing, finance, telecommunications, research, government, energy, food and agriculture, healthcare, and engineering.

The intrusions formed a sequence of related operations beginning in July 2024 and continuing through March 2025. Reconnaissance in October 2024 mapped internet-facing systems, and early in 2025 the attackers targeted an IT services provider responsible for hardware logistics at a cybersecurity firm. In some intrusions the attackers retained access for extended periods; in others they were quickly detected and evicted.

Among the victims were a South Asian government agency and a prominent European media outlet. One cybersecurity firm also confirmed it was targeted, though none of its systems were ultimately compromised. Analysts attribute the activity to a cluster of China-affiliated threat actors, including groups tracked under the designations APT15, UNC5174 and PurpleHaze, as well as operators of the ShadowPad malware platform, based on overlapping tactics, tooling, and infrastructure.

The campaign involved the deployment of advanced malware platforms and backdoors and deliberate operational reconnaissance ahead of intrusion attempts, and its infrastructure overlapped with previously observed espionage activity. These findings show a clear priority among Chinese threat actors to infiltrate strategic sectors worldwide, including cybersecurity organizations themselves.

Why This Matters

This campaign underscores the depth and persistence of modern cyber espionage, with nation-state-backed groups targeting not only critical infrastructure and government entities but also private sector firms and cybersecurity companies. The extended dwell times observed in some intrusions suggest the attackers were positioning for follow-on operations or data exfiltration rather than pursuing short-term objectives.

The involvement of recognized espionage clusters tied to China points to coordinated targeting of vital industries and services worldwide. Crucially, even firms specializing in cybersecurity were targeted, a reminder that no organization can assume it is outside the scope of such campaigns.