Charting China’s Climb as a Leading Global Cyber Power

Chinese state-sponsored cyber operations have increasingly exploited known and zero-day vulnerabilities in public-facing security and network appliances while emphasizing operational security and anonymity, complicating detection and response. This shift toward targeted, strategic espionage against infrastructure and cloud-transitioning organizations raises the need for defense-in-depth beyond vulnerability-centric approaches. #ZeroDayExploits #BeltAndRoadInitiative

Keypoints

  • State-backed Chinese actors have matured, coordinating operations to exploit both known and zero-day vulnerabilities in public-facing security and network appliances.
  • Operators prioritize operational security and anonymity, reducing visibility and increasing difficulty of detection.
  • Economic espionage has become more targeted, supporting strategic and geopolitical objectives (e.g., Belt and Road Initiative, regional influence).
  • Exploitation of zero-days in public-facing devices is an effective initial-access technique and will likely extend to cloud environments as organizations migrate.
  • A vulnerability-centric defensive posture is insufficient; detecting post-exploitation activities requires layered, in-depth defenses and better monitoring.
  • Intelligence gathering and strategic reconnaissance are increasing in contested regions such as the South China Sea and Taiwan, and targeting critical infrastructure is often preparatory.

MITRE Techniques

  • [T1190] Exploit Public-Facing Application – Exploited vulnerabilities in externally exposed appliances and services to gain access (‘…focusing on exploiting both known and zero-day vulnerabilities in public-facing security and network appliances.’)
  • [T1203] Exploitation for Client Execution – Used zero-day flaws to achieve code execution on target devices and appliances as an initial access vector (‘…growing focus on exploiting zero-day vulnerabilities in public-facing appliances…proven an effective tactic for gaining access…’)
  • [T1595] Active Scanning – Conducted reconnaissance and scanning to identify vulnerable public-facing systems and cloud targets (‘…increased intelligence gathering and strategic reconnaissance activities.’)
  • [T1564] Hide Artifacts – Employed operational security and anonymity techniques to avoid detection and attribution (‘…placed a strong emphasis on operational security and anonymity, making it harder to detect their activities.’)
  • [T1583] Acquire Infrastructure – Committed resources to build and maintain offensive infrastructure supporting long-term cyber operations (‘…significant commitment of resources to offensive cyber operations…poised to become a dominant global force…’)
  • [T1059] Command and Scripting Interpreter – Performed post-exploitation actions that require improved detection of post-compromise behaviors (‘…need for better defensive in-depth measures to detect post-exploitation activities.’)

Indicators of Compromise

  The source is a strategic assessment and this summary carries no adversary indicators (no attacker-controlled domains, IP addresses, or file hashes); the entries below are the report's own hosting and media references and should not be loaded into blocklists or detection content.
  • [Domain] Report and hosting domains referenced – recordedfuture.com, go.recordedfuture.com (report hosting and original analysis)
  • [File/Report] Report and PDF file names – go.recordedfuture.com/hubfs/reports/cta-2023-1107.pdf (full report PDF), cta-2023-1107.pdf
  • [Media] Image assets used in article – cms.recordedfuture.com/uploads/charting_chinas_climb_leading-chart.png, and other image files

Chinese state-sponsored operators increasingly use a technical approach centered on exploiting externally exposed devices and appliances: both known CVEs and zero-day vulnerabilities in network/security appliances are leveraged as primary initial-access vectors. These intrusions rely on targeted exploitation to gain execution and footholds, with operators favoring novel zero-day exploits to maximize access and bypass conventional patch-based defenses. The activity profile also shows active reconnaissance and scanning to locate vulnerable public-facing systems, and a likely extension of these techniques into cloud services as organizations migrate infrastructure.

Operational security and anonymity are core procedural elements: actors deliberately harden their operational workflows to reduce observability and attribution, complicating detection and response. This emphasis, combined with focused post-exploitation activity, reduces the effectiveness of vulnerability-centric defenses; the report stresses the need for layered, defense-in-depth capabilities that detect and investigate post-compromise behaviors rather than relying solely on patch management.

Given the resources allocated to these operations and the strategic targeting of critical infrastructure and cloud environments, defenders should anticipate persistent reconnaissance and exploitation campaigns aimed at long-term intelligence collection. The technical implication is clear: prioritize monitoring for exploitation patterns on public-facing appliances, improve detection of post-exploitation artifacts, and adopt multi-layered controls to address sophisticated, anonymity-aware adversaries.
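The monitoring advice above (exploitation patterns on public-facing appliances, post-exploitation artifacts, layered detection rather than patch status alone) can be made concrete with a small rule-based log review. The following is an added example, not code from Recorded Future or from the report; the syslog shape, hostnames, addresses, process names and the outbound allowlist are all constructed assumptions and match no vendor's real format. It applies four rules to appliance logs: a burst of 404s from one source (probing of the exposed service), the web daemon spawning a shell, appliance-initiated outbound traffic to an unexpected destination, and an admin account created by something other than the management console. It then correlates the probing source with later callback destinations, which is the kind of cross-signal a vulnerability-centric posture never produces.

```python
"""
Added example: rule-based review of network-appliance syslog for exploitation
and post-exploitation patterns. The log format, host, addresses, process names
and allowlist below are constructed for illustration only.
"""
import re
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta

# Constructed sample lines in a generic "<ts> <host> <program>: <message>" shape.
SAMPLE_LOGS = """\
2024-05-01T02:10:01Z fw-edge-01 httpd: GET /remote/login status=200 src=203.0.113.7
2024-05-01T02:10:02Z fw-edge-01 httpd: GET /../../etc/passwd status=404 src=198.51.100.23
2024-05-01T02:10:02Z fw-edge-01 httpd: GET /cgi-bin/admin.cgi status=404 src=198.51.100.23
2024-05-01T02:10:03Z fw-edge-01 httpd: GET /api/v1/debug status=404 src=198.51.100.23
2024-05-01T02:10:03Z fw-edge-01 httpd: GET /manage/setup.php status=404 src=198.51.100.23
2024-05-01T02:10:04Z fw-edge-01 httpd: GET /status status=404 src=198.51.100.23
2024-05-01T02:10:04Z fw-edge-01 httpd: GET /old/index.html status=404 src=198.51.100.23
2024-05-01T02:11:30Z fw-edge-01 audit: process spawn parent=httpd child=/bin/sh uid=0
2024-05-01T02:11:31Z fw-edge-01 audit: process spawn parent=cron child=/usr/sbin/logrotate uid=0
2024-05-01T02:12:00Z fw-edge-01 netflow: outbound proto=tcp dst=198.51.100.23:443 bytes=8120 initiator=local
2024-05-01T02:12:05Z fw-edge-01 netflow: outbound proto=udp dst=192.0.2.53:53 bytes=96 initiator=local
2024-05-01T02:13:00Z fw-edge-01 config: user added name=support2 role=admin by=httpd
2024-05-01T09:00:00Z fw-edge-01 config: user added name=jdoe role=readonly by=mgmt-console
"""

LINE_RE = re.compile(r"^(?P<ts>\S+) (?P<host>\S+) (?P<prog>[\w-]+): (?P<msg>.*)$")
KV_RE = re.compile(r"(\w+)=(\S+)")

WEB_PROCESSES = {"httpd", "nginx", "sslvpnd"}   # assumed names of the exposed daemon
SHELLS = {"/bin/sh", "/bin/bash", "/bin/dash"}
EXPECTED_OUTBOUND = {"192.0.2.53"}               # assumed allowlist (e.g. the DNS resolver)
SCAN_THRESHOLD, SCAN_WINDOW = 5, timedelta(seconds=60)


@dataclass
class Event:
    ts: datetime
    host: str
    prog: str
    fields: dict


@dataclass
class Finding:
    technique: str   # MITRE id where the summary maps one, else a plain label
    rule: str
    detail: str


def parse(text):
    """Turn raw lines into Events; key=value pairs in the message become fields."""
    events = []
    for raw in text.splitlines():
        m = LINE_RE.match(raw)
        if not m:
            continue  # skip lines that do not fit the assumed shape
        ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ")
        events.append(Event(ts, m["host"], m["prog"], dict(KV_RE.findall(m["msg"]))))
    return events


def detect(events):
    findings = []
    # Rule 1: >= SCAN_THRESHOLD 404s from one source inside SCAN_WINDOW -> probing (T1595)
    misses = defaultdict(list)
    for e in events:
        if e.prog in WEB_PROCESSES and e.fields.get("status") == "404":
            misses[e.fields.get("src")].append(e.ts)
    for src, stamps in misses.items():
        stamps.sort()
        for i in range(len(stamps) - SCAN_THRESHOLD + 1):
            if stamps[i + SCAN_THRESHOLD - 1] - stamps[i] <= SCAN_WINDOW:
                findings.append(Finding("T1595", "probe-burst", f"{len(stamps)} misses from {src}"))
                break
    for e in events:
        f = e.fields
        # Rule 2: the exposed daemon spawning a shell -> execution after exploitation (T1059)
        if e.prog == "audit" and f.get("parent") in WEB_PROCESSES and f.get("child") in SHELLS:
            findings.append(Finding("T1059", "web-process-shell",
                                    f"{f['parent']} -> {f['child']} uid={f.get('uid')}"))
        # Rule 3: appliance-initiated connection to a destination outside the allowlist
        if e.prog == "netflow" and f.get("initiator") == "local":
            dst_ip = f.get("dst", "").rsplit(":", 1)[0]
            if dst_ip not in EXPECTED_OUTBOUND:
                findings.append(Finding("post-exploitation", "unexpected-outbound", f"to {f['dst']}"))
        # Rule 4: admin account created by anything other than the management console
        if e.prog == "config" and f.get("role") == "admin" and f.get("by") != "mgmt-console":
            findings.append(Finding("post-exploitation", "admin-account-added",
                                    f"{f['name']} by {f['by']}"))
    return findings


def correlate(findings):
    """Addresses that both probed the appliance and received appliance-initiated traffic."""
    probers = {f.detail.split()[-1] for f in findings if f.rule == "probe-burst"}
    callbacks = {f.detail.split()[-1].rsplit(":", 1)[0]
                 for f in findings if f.rule == "unexpected-outbound"}
    return sorted(probers & callbacks)


def analyze(text):
    findings = detect(parse(text))
    return findings, correlate(findings)


if __name__ == "__main__":
    found, linked = analyze(SAMPLE_LOGS)
    for fd in found:
        print(f"[{fd.technique}] {fd.rule}: {fd.detail}")
    print("addresses seen both probing and as callback destination:", linked)
```

On the constructed sample this yields four findings (the probe burst, the shell spawned by httpd, the callback to 198.51.100.23, and the admin account added through the web process) and links the probing address to the callback; the legitimate read-only account, the cron-spawned logrotate, and the DNS traffic are left alone. The thresholds and allowlist are deliberately tunable, since on a real appliance the right values come from a baseline of that device's normal behaviour, not from this example.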

Read more: https://www.recordedfuture.com/charting-chinas-climb-leading-global-cyber-power