Understanding the Ecosystem of Chinese State-Sponsored Cyber Threats: A Three-Part Analysis

The report maps China’s offensive cyber ecosystem, showing how the PLA, MSS, MPS, patriotic hacker communities and private firms interact to conduct state-sponsored operations. It highlights a post‑2015 shift toward MSS-linked activity, broader outsourcing to companies (including I‑SOON), and the resulting attribution challenges. #PlugX #ShadowPad

Keypoints

  • The People’s Liberation Army (PLA), Ministry of State Security (MSS) and Ministry of Public Security (MPS) are the principal state actors in China’s offensive cyber operations.
  • Since 2021, activity attributed to China has been more prominently linked to the MSS than to the PLA.
  • Patriotic hacker groups evolved from independent hacktivism into professional roles supporting state-aligned operations, contributing tools and payloads.
  • Private companies — from large tech firms to smaller niche providers like I‑SOON — increasingly supply offensive capabilities and exploit development.
  • The hack‑for‑hire ecosystem has expanded, with provincial and municipal state actors subcontracting offensive services to private entities.
  • Outsourcing and Military‑Civil Fusion (MCF) policies have complicated attribution, producing operations that mix state and private actors.

MITRE Techniques

  • [T1071] Application Layer Protocol – Uses multiple command-and-control domains to maintain communications with compromised systems. [‘Utilizes multiple command and control domains to maintain communication with compromised systems.’]
  • [T1190] Exploit Public-Facing Application – Exploits vulnerabilities in internet-facing applications to gain initial access. [‘Targets vulnerabilities in publicly accessible applications to gain unauthorized access.’]
  • [T1003] OS Credential Dumping – Extracts account credentials from operating systems and applications to escalate and extend access. [‘Extracts account login information from operating systems and software.’]
  • [T1486] Data Encrypted for Impact – Deploys encryption to disrupt access to data and potentially extort victims. [‘Encrypts data to disrupt access and extort victims.’]
  • [T1195] Supply Chain Compromise – Targets third‑party software or hardware as a vector to reach the primary target. [‘Targets third-party software or hardware to gain access to a primary target.’]

Indicators of Compromise

  • [Malware families] Names referenced in development and operations – PlugX, ShadowPad (no hashes, domains or other atomic indicators are given in the source).
  • [Organization/Leak] Company and actor references in reporting – the I‑SOON leak, which revealed hack‑for‑hire practices, and provincial MSS/MPS departments cited as actors.

China’s offensive cyber ecosystem blends institutional military and intelligence units with private firms and former patriotic hackers. The PLA, MSS and MPS remain central, but reporting shows a clear shift since 2015 toward MSS‑linked operations and a growing reliance on provincial departments that can act with relative autonomy.

Patriotic hacker communities that once conducted ad hoc hacktivism have been professionalized under policies like Military‑Civil Fusion, contributing to malware and payload development (notably PlugX and ShadowPad). Many individuals now operate inside private companies or in hybrid roles, and some engage in parallel criminal activity.

At the same time, private companies — from established tech giants to niche providers such as I‑SOON — supply offensive capabilities and help weaponize collected vulnerabilities. This subcontracting and outsourcing, along with supply‑chain targeting, makes attribution harder and produces China‑nexus APT activity that often reflects cooperation between state and private actors rather than a single, discrete unit.

Read more: https://www.hendryadrian.com/understanding-the-ecosystem-of-chinese-state-sponsored-cyber-threats-a-three-part-analysis/