Beyond Breaches: Decoding China’s Cyber Strategy in the APAC Context

Introduction

With all the recent news about Chinese cyber operations, where they are constantly gaining footholds in critical infrastructure networks, compromising telecommunications networks for espionage, and performing IP theft, there are two key questions I keep hearing: why is China conducting these activities, and is my organisation a target?

To answer these questions, it is important to put the cyber operations into the larger geopolitical context. China has clearly stated its intent to reunify Taiwan with mainland China by around 2030. In addition, the Chinese utilise their cyber operations to help achieve their long-range economic, diplomatic and military objectives. China’s focus includes IP theft to enable their economy, the ability to perform psychological warfare as part of their “Three Warfares” doctrine (including disrupting critical services), and of course traditional espionage.

In an era where digital capabilities define large parts of our economies, and thus global power, Chinese cyber espionage operations have not remained background noise; they have evolved into an increasingly sophisticated and strategically aligned enabler for China. Recent publicly acknowledged compromises indicate that China is stepping up not only its espionage-focused cyber attacks, but is also likely pre-positioning for future disruptive attacks. Additionally, China continues to focus on IP theft as an enabler for its economy, in line with the objectives of the Five-Year Plan.

These cyber operations now serve as carefully orchestrated components of a broader military doctrine, systematically mapping potential adversaries’ weaknesses while preparing for scenarios that could range from economic coercion to military confrontation. What was once dismissed as merely intellectual property theft has matured into a comprehensive campaign of digital reconnaissance and battlespace preparation, with implications that extend far beyond immediate security concerns into the realm of global economic stability and geopolitical power projection.

Who is being Targeted?

Chinese state-sponsored cyber operations cast a wide net across the global digital landscape, targeting organisations of all types and sizes. Their three-pronged approach — establishing persistent network access, conducting traditional espionage, and stealing intellectual property — represents both an active, ongoing campaign and long-term strategic positioning. Right now, Chinese cyber actors are actively exfiltrating intellectual property, stealing trade secrets, and gathering intelligence from organisations worldwide. This isn’t just preparation for future scenarios — it’s a constant, relentless campaign of economic and industrial espionage happening in real time. This is based on Chinese doctrine, in which the line between peacetime and wartime is not as clear-cut as it is in Western doctrine. From healthcare startups to aerospace giants, from academic institutions to critical infrastructure operators, no organisation is truly beyond the scope of Beijing’s digital ambitions. While these activities certainly support China’s military doctrine of maintaining access to adversaries’ networks before any potential conflict, the immediate economic damage from intellectual property theft and espionage is already being felt across organisations globally.

The reach of Chinese cyber operations extends far beyond direct targets through sophisticated supply chain compromises. This is a tactic Beijing (and other state-sponsored adversaries) has refined for over a decade. The recently uncovered Operation Digital Eye, revealed by SentinelOne’s SentinelLabs and Tinexta, demonstrates that supply chain compromise remains a core element of Chinese cyber operations. By compromising managed service providers and IT infrastructure companies, Chinese threat actors gain access not just to one organisation, but to entire networks of downstream clients and partners. This approach isn’t new; Operation Cloud Hopper in 2014 provided the blueprint, targeting managed service providers to infiltrate their clients’ networks in a cascade of breaches that impacted countless organisations around the world. What’s most concerning isn’t just the scale of these supply chain attacks, but their persistence and evolution. Each new campaign reveals increasingly sophisticated techniques, while maintaining the same strategic objective: maximising access and impact by compromising trusted technology providers and their digital supply chains.

China’s cyber operations represent a fundamental capability of the PRC. They are being used simultaneously to achieve multiple strategic objectives: technological theft, critical infrastructure mapping, intelligence gathering, and network persistence. This multi-layered digital campaign demonstrates Beijing’s view of cyber operations as a critical component of its national strategy, particularly in advancing regional ambitions and its Taiwan reunification goals.

For global business leaders, this strategic context demands a fundamental shift in security thinking. The threat isn’t just about protecting individual trade secrets or preventing a single breach — it’s about understanding that in many verticals their organisational strategies and objectives will intersect with China’s strategic and geopolitical ambitions, and as a result they could be targeted directly or be used as a conduit for China to achieve its goals.

Organisations must move beyond traditional compliance-driven security approaches that simply check regulatory boxes. Instead, leaders need to adopt a threat-informed, intelligence-led security and risk management strategy that anticipates and responds to sophisticated state-sponsored threats. This means actively analysing and understanding threat intelligence, understanding adversary tactics and motivations, and making security investments based on real-world attack patterns rather than just compliance requirements. Whether you’re a technology provider, a manufacturing company, or a services firm, your position in the global supply chain requires a proactive security posture that aligns with the actual threats you face.

Evolution of Tactics and Capabilities

Chinese state-sponsored cyber operations remain a sophisticated and persistent threat, demonstrating both tactical evolution and strategic consistency. This year the Five Eyes intelligence services unveiled numerous highly sophisticated Chinese-directed campaigns aimed at maintaining persistence in target networks for the purposes of espionage and, potentially, disruptive attacks; these included the compromise of telecommunications providers, critical infrastructure and managed service providers. Looking at campaigns a decade apart — Operation Cloud Hopper (2014) and Operation Digital Eye (2024) — provides insight into how their cyber capabilities continue to evolve while maintaining core strategic objectives.

The strategic intent of gaining persistent access to target networks for espionage, intellectual property theft, and potential disruptive capabilities has remained constant. However, the technical sophistication and operational security measures employed have advanced significantly. Cloud Hopper relied heavily on custom malware, traditional command and control infrastructure, and more detectable attack patterns. In contrast, Digital Eye showcases China’s shift toward sophisticated “living-off-the-land” techniques, abusing legitimate development tools and cloud infrastructure including Visual Studio Code Remote Tunnels and Microsoft Azure services. This evolution makes detection and attribution significantly more challenging as malicious activities blend with legitimate business operations.
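As an added illustration of the detection problem this paragraph raises (example code written for this article, not code from the SentinelLabs report or from the original post), the following Python flags Visual Studio Code Remote Tunnel activity on hosts that are not approved developer machines. The pipe-separated log format is constructed for the example, and the tunnel relay domains are an assumption taken from public VS Code documentation that should be validated against your own telemetry.

```python
"""Flag VS Code Remote Tunnel usage on hosts that should never run it.

The signal is not the tool itself (developers use it legitimately) but the
tool appearing on servers or service accounts. Two independent indicators
are checked: the `code tunnel` process launch and DNS lookups of the relay
domains, so that either telemetry source alone can raise the alert.
"""
import re
from dataclasses import dataclass

# Assumption: relay domains used by VS Code Remote Tunnels (from public
# Microsoft documentation); confirm against your own network telemetry.
TUNNEL_DOMAINS = ("devtunnels.ms", "tunnels.api.visualstudio.com")

# `code` or `code.exe` (optionally inside a quoted path) followed by the
# `tunnel` subcommand as its own token, so a path like ...\tunnel\app.py
# opened in the editor does not trigger the rule.
TUNNEL_CMD = re.compile(r'(?:^|[\\/ "])code(?:\.exe)?"?\s+tunnel(?:\s|$)', re.I)


@dataclass(frozen=True)
class Alert:
    host: str
    reason: str
    evidence: str


def is_tunnel_domain(name: str) -> bool:
    """True when `name` is a relay domain or a subdomain of one."""
    name = name.lower().rstrip(".")
    return any(name == d or name.endswith("." + d) for d in TUNNEL_DOMAINS)


def analyse(lines, allowlist):
    """Return alerts for non-allowlisted hosts showing tunnel activity.

    Each line is constructed as: timestamp|host|kind|value, where kind is
    'proc' (value = command line) or 'dns' (value = queried name).
    """
    alerts = []
    for line in lines:
        _ts, host, kind, value = line.split("|", 3)
        if host in allowlist:  # approved developer workstation
            continue
        if kind == "proc" and TUNNEL_CMD.search(value):
            alerts.append(Alert(host, "vscode-tunnel-process", value))
        elif kind == "dns" and is_tunnel_domain(value):
            alerts.append(Alert(host, "vscode-tunnel-dns", value))
    return alerts


# Constructed sample telemetry: one approved developer laptop, one database
# server where a service account starts a tunnel, and two benign lines.
SAMPLE_LOGS = [
    r'2024-12-01T08:02:11Z|dev-laptop-17|proc|"C:\Program Files\Microsoft VS Code\code.exe" tunnel',
    r"2024-12-01T08:05:42Z|dev-laptop-17|dns|global.rel.tunnels.api.visualstudio.com",
    r'2024-12-01T09:14:03Z|sql-prod-02|proc|"C:\Users\svc_backup\code.exe" tunnel --accept-server-license-terms',
    r"2024-12-01T09:14:05Z|sql-prod-02|dns|abc123-8080.euw.devtunnels.ms",
    r"2024-12-01T09:20:00Z|web-prod-01|proc|C:\Windows\System32\svchost.exe -k netsvcs",
    r"2024-12-01T09:21:30Z|build-agent-04|proc|/usr/bin/code /home/ci/tunnel/app.py",
]
ALLOWLIST = {"dev-laptop-17"}

if __name__ == "__main__":
    for a in analyse(SAMPLE_LOGS, ALLOWLIST):
        print(f"{a.host}: {a.reason} <- {a.evidence}")
```

Run against the sample, only the database server is reported, once per indicator; the developer laptop is suppressed by the allowlist and the build agent's path containing "tunnel" is ignored.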

A key finding from examining these operations is China’s continued focus on strategic points of compromise — targeting organisations that provide maximum return on investment through their access, data, or position in the supply chain. The evolution in tactics demonstrates China’s increasing sophistication in achieving these objectives, with modern campaigns showing advanced operational security, deliberate infrastructure choices (such as geographically aligned hosting), and sophisticated abuse of trusted tools and services.

The technical advancement from custom malware to abusing legitimate tools, along with the persistent strategic focus on high-value targets, indicates that cyber operations remain a key component of China’s national strategy. This constant evolution in capabilities, backed by significant investment in both tools and personnel, suggests Chinese cyber operations will continue to present a sophisticated threat requiring equally sophisticated detection and response capabilities, and will continue to be conducted in concert with China’s strategic objectives.

Business Impact and Risk Landscape

China’s cyber operations represent a pervasive threat that extends far beyond traditional high-tech or defence sectors. The 14th Five-Year Plan reveals China’s strategic interests across virtually every major industry vertical. The scope of strategic interest includes but is not limited to:

  • Advanced manufacturing and automation
  • Healthcare and biotechnology
  • Agricultural technology and food security
  • Renewable energy and clean tech
  • Supply chain and logistics
  • Public safety and smart city technologies
  • Emerging technologies like AI, quantum computing, and robotics
  • Infrastructure and telecommunications

This expansive targeting creates two critical risk factors for organisations:

Direct Risk: If your organisation develops, researches, or holds intellectual property in any of these sectors, you face direct risk of Chinese cyber operations targeting your valuable data. This could result in a loss of competitive advantage or market displacement, as stolen IP enables Chinese competitors to bypass years of R&D investment. The impacts of this vary from organisation to organisation, but it is critical to make an informed risk management decision.

Supply Chain Risk: Even if your organisation doesn’t directly hold targeted IP, you may still be at risk through your business relationships. China has repeatedly demonstrated willingness to compromise organisations along the supply chain to reach their ultimate targets. This includes:

  • Service providers and contractors
  • Software vendors and technology partners
  • Professional services firms
  • Infrastructure providers
  • Logistics and distribution partners

This means cybersecurity can no longer be viewed as just an IT issue; it requires a threat-intelligence-informed approach to risk management. That approach requires:

  1. Understanding your organisation’s place in the broader supply chain ecosystem
  2. Assessing both direct risks and potential value as a stepping stone to other targets
  3. Implementing security controls based on realistic threat scenarios rather than just compliance requirements
  4. Developing incident response plans that account for sophisticated state-sponsored actors
  5. Regularly evaluating third-party risk and supply chain security

The persistence and sophistication of Chinese cyber operations, combined with their broad strategic interests, means organisations must adopt a mindset that assumes compromise attempts are likely, if not inevitable. It is also important to note that whilst I am mainly talking about cyber operations, Chinese IP theft is a hybrid threat. It is not restricted to cyber: there is a long history of human intelligence being used to steal IP, along with IP acquisition through transfer as part of joint ventures. This requires shifting from traditional perimeter-focused security to a comprehensive, threat-informed approach that can detect and respond to sophisticated adversaries, including potentially insiders, that are already operating within your network.

China’s cyber operations have expanded beyond traditional espionage and intellectual property theft. They are increasingly targeting critical infrastructure, but with a broader definition of what constitutes “critical.” This shift appears aimed at developing capabilities that could disrupt daily civilian life during potential conflicts, either diplomatic, economic or kinetic (traditional warfare).

The strategy appears to have two layers:

  1. Traditional critical infrastructure targets like power grids, water systems, and transportation networks
  2. Everyday services that, if disrupted, could create social instability — including gas stations, supermarkets, telecommunications, and retail supply chains

The goal seems to be developing options for psychological warfare that could:

  • Disrupt normal civilian life
  • Weaken social cohesion
  • Reduce public support during conflicts
  • Create leverage during international disputes

This expanded targeting approach aligns with assessments that China is preparing various options for potential Taiwan scenarios around 2030 and is part of China’s Three Warfares doctrine. While these sectors might not hold valuable intellectual property, their disruption could significantly impact public morale and stability.

For business leaders, this means organisations previously considered “non-critical” may now need to reassess their security posture, particularly if they provide services essential to daily civilian life.

Risk Mitigation

Managing China-related business risks requires a nuanced approach that recognises both opportunities and challenges. While China remains a vital trading partner and manufacturing hub critical to global economic stability, organisations need sophisticated risk management strategies that account for:

1. Supply Chain Resilience

  • Map dependencies on Chinese and regional suppliers
  • Understand how cyber disruptions or regional conflicts could impact operations
  • Consider strategic diversification while maintaining crucial Chinese partnerships
  • Develop contingency plans for supply chain disruptions
  • Balance cost benefits against potential operational risks

2. Business Continuity Planning

  • Assess how regional tensions could affect joint ventures and local operations
  • Understand the impact of potential shipping disruptions in the South China Sea
  • Plan for scenarios where cyber incidents affect you or your suppliers
  • Consider how trade restrictions might affect technology transfers
  • Maintain alternative manufacturing or sourcing options where critical

3. Risk-Informed Decision Making

  • Use threat intelligence to inform investment and partnership decisions
  • Understand which assets are most attractive to cyber operators
  • Monitor geopolitical developments that could affect business operations
  • Assess the full risk picture — not just cyber, but also operational and strategic risks
  • Make partnership decisions based on complete risk/reward analysis

The key is maintaining productive business relationships while building resilience against potential disruptions. This means using threat intelligence not just for cyber defence, but to inform broader business strategy and risk management decisions.

A threat-informed defence approach is essential for modern cybersecurity teams tackling not just Chinese threats, but all cyber adversaries. This means moving beyond generic security controls to build defences based on actual adversary tools, techniques and procedures (TTPs). Organisations should leverage threat intelligence to understand which TTPs are most relevant to their industry and operating environment, then focus their detection and response capabilities accordingly. This enables security teams to prioritise investments where they will have the most impact, ensuring capabilities are focused on adversary tactics whilst still meeting compliance requirements. It is important to develop incident response plans based on real-world scenarios rather than theoretical threats. The key is creating an adaptive security program that continuously evolves based on new intelligence, allowing organisations to shift from reactive to proactive defence. By embedding threat intelligence into daily security operations and translating it into business risk language, security teams can better align their efforts with genuine threats and demonstrate clear value to business leadership. This approach helps organisations make risk-informed decisions about security investments and focus limited resources where they matter most.

Looking Ahead

The breadth and scale of Chinese cyber operations are hard to quantify, but it is believed they have between tens and hundreds of thousands of operators either directly or indirectly employed. There is no typical Chinese model of cyber operation, due to the rapid evolution of their capabilities, siloing between organisations and the breadth of targets. As we get closer to 2030 we would expect the tempo of operations to increase. As the democratic protests in Hong Kong intensified in 2019, there was a corresponding increase in cyber attacks against civil society. As tensions in the Asia-Pacific region continue to rise, it is quite likely we will see a corresponding increase in cyber operations, probably increasingly in support of psychological warfare or military objectives. Whilst we all hope peace and a sense of norms prevails, it is best to plan for the worst and hope for the best. As a result, it is critical that organisations start looking today at how to shift their risk management and cyber security mindset to one of threat-informed defence.

Conclusion

As we approach 2030, Chinese cyber operations are likely to increase in both sophistication and frequency. Organisations must adapt their security and risk management approaches to address this evolving threat landscape while maintaining necessary business relationships with Chinese partners and suppliers. Success requires moving beyond traditional security models to adopt threat-informed defence strategies that align security investments with actual risks. While the challenges are significant, organisations that understand the strategic context, implement comprehensive risk management, and evolve their security programs will be better positioned to protect their interests while navigating the complex global business environment.


Huntabil.IT is a leader in threat-informed defence, helping organisations stay ahead of cyber threats with expert-driven intelligence, proactive threat hunting, and tailored security advisory services.

© 2025 Huntabil.IT Technologies Pty Ltd
