China the leader in state-sponsored cyberattacks in 2022

China was particularly interested in Ukraine over the course of the year.
21 April 2023

The world’s leading source of state-sponsored cyberattack…

Getting your Trinity Audio player ready...

In Part 1 of this article, we spoke to Mike McLellan, Director of Intelligence at the Secureworks Counter Threat Unit about a seeming rise in reports of business email compromise being used against businesses in 2022 – as revealed by the Unit’s annual report on the cyber-threat landscape. In Part 2, we took a look at the rising tide of attacks based on multifactor authentication fatigue. And in Part 3, Mike explained the somewhat surprising research that revealed a fall in ransomware in 2022 by more than 50%. That left just one area of major concern from the Unit’s report to tackle. The players to watch in state-sponsored cyberthreats in 2023. And that led us, inevitably, to China.


So… China. The situation around China, the US, and Taiwan is increasingly delicate and fraught, but your report says China is the rising star of state-sponsored cyberattacks too?



Yes, it’s interesting what we’re seeing, coming against the backdrop of the likes of the FBI Director and the Director-General of MI5 coming out and saying that they see China as a very significant and enduring threat. Ukraine aside, they still see China as a very big problem. And our data supports the idea that when it comes to state-sponsored cyberattack activity, China dominates in terms of the number of intrusions.

The reasons for that, I think, are fairly obvious. I mean, China has a long-standing policy with strategic objectives, which might be suppression of groups it feels are politically not aligned with the state, it might be theft of intellectual property for defense purposes or economic gain. It might be espionage against foreign governments. And China has long used cyberattack as one component of that kind of activity, combined with more traditional espionage or police activity.

So on one level, it’s no surprise that we continue to see China being very active, and active against our customer base.

Part of the increase might be down to the fact that we’re getting better at identifying that these are Chinese groups behind the intrusions. The state-sponsored groups that we track are clearly making efforts to make it harder to attribute the attacks back to the state. But because of our experience of dealing with these things, we’re quite good at it, so we can still identify those links, even if they’re not as obvious as they might have been 5 or 10 years ago.

We’re identifying more of it. And you don’t have to go too far to see who these groups are targeting. They’re targeting defense, industrial base, governments, regional governments, all those kinds of things. So really, all we see in cyberspace is a manifestation of China’s strategic interests and priorities.

Whether that’s Taiwan or the Southeast Asian region, or whether it’s stealing defense secrets, or Ukraine, or whatever it may be, we still see Chinese cyberactivity following those priorities.

The Ukraine factor.

One interesting thing last year is that we saw evidence of more Chinese cyberactivity targeted around Ukraine, probably because the Chinese government needed to quite quickly understand what everyone was thinking, and get insight into the political dynamic in the area. You sometimes see those very quick shifts. But at other times, you’ll just see very longstanding requirements around defense secrets, and those activities are ongoing.


We wondered about the Taiwan aspect, particularly, and the Ukraine dimension, because they both have the potential to play into larger, on the ground geopolitical tensions.


Yes, that’s interesting. The Chinese interest in Ukraine and trying to gain insight there is not a surprise, I suppose. But it’s interesting to see talk of China and Russia being friendly publicly, when we also see evidence of Chinese groups targeting Russian organizations, and the Russian government.

On Taiwan, I think the kinds of cyber-operations that would enable a military conflict take time to establish – you can’t just drum those things up overnight. You have to spend potentially weeks, months, years positioning yourself to be able to have effect – which is a thing that Russia has discovered in Ukraine. It’s quite hard to do it on the fly.

That means I would imagine that anything China wants to do around Taiwan in terms of positioning itself, it’s already done. I’m sure the Taiwanese government is regularly identifying attempts to penetrate networks, for instance. So heaven forbid, we see some kind of military conflict around Taiwan, but if we do, it’ll be interesting to see if China was able to couple cyber-activity with more kinetic military activity, because the two are quite hard to do effectively.

It’s much easier to blow something up than to try and compromise the network and then have some effect that way. But we’ll see. I mean, hopefully, we won’t, but I’m sure China is thinking about that.

Post-intrusion smokescreens?


It’s been a big year for post-intrusion malware too, no?


Yeah. I think particularly when we look at targeted attacks, so we look at China and where we see state-sponsored or state-affiliated groups are deploying ransomware, it’s either to try and generate some money, because some of these groups are only loosely affiliated with the state, and they’re actually running side hustles to try and generate cash, or it’s to hide espionage activity, which when you think about it makes perfect sense.

If you want to make your attack look like just another opportunistic attack, sign yourself up to a big ransomware-as-a-service scheme. And once you’ve finished stealing what you want, encrypt everything, because it makes it much harder to investigate. People will typically just assume it’s another ransomware event.

So I wouldn’t be surprised if we see more post-intrusion malware deployed. There’s probably been more that happened in the past than we realized, but we’ve certainly been able to link quite a few attacks this year to state-sponsored groups who are using ransomware, probably as a bit of a smokescreen. It’s a fairly blunt way of hiding your tracks, but actually, it is probably quite an effective one.


And why overcomplicate a thing that works? If it ain’t broke, and all that.