As digitalization progresses, the landscape of international security has changed considerably. The activities of state-supported hacker groups in particular are increasingly becoming the focus of global attention. One of these groups, which has become particularly prominent in recent years, operates from China.
These hackers, often directly or indirectly linked to the Chinese government, are known for their efforts to gain technological and economic advantages through cyber attacks. In this blog post, I will address the topic in a casual style.
Executive Summary
What are the key findings when it comes to hacker attacks and espionage from China?
- Historical and current activities: Over the years, Chinese hacking groups, often with suspected links to the Chinese government, have focused on industrial espionage. One example of this is the attack on Volkswagen, in which an estimated 19,000 files on e-mobility and drive technologies were stolen between 2010 and 2015.
- Strategic goals and motivations: Chinese cyber activities aim to gain technological and economic advantages by stealing intellectual property and trade secrets from foreign companies. This is part of a broader strategy to help China become a leader in various high-tech fields.
- Methods and approaches: Hackers use a variety of methods, including phishing attacks, malware and exploiting vulnerabilities in software and networks. The operations are often carefully planned and directed against specific targets that are of strategic importance to the Chinese government.
- Political and economic implications: China’s cyber activities have not only economic but also political dimensions. They influence the global balance of power and lead to tensions between China and other nations, particularly the USA and European countries.
- Countermeasures and protection strategies: In the face of advancing threats from Chinese hackers, work is underway internationally to improve cyber security measures. This includes better defense strategies, strengthening IT infrastructures and international cooperation to combat cybercrime.
At a glance: The Chinese cybercrime ecosystem
The Chinese cybercrime ecosystem is a complex network of state-sponsored hackers, cybercriminals and illegal trading platforms. This system is geared towards both national interests and financial gain through criminal activities.
The close integration of state agencies and criminal actors creates an environment in which cybercrime thrives and is difficult to combat.
Key players and platforms
- APT groups: The most well-known Advanced Persistent Threat (APT) groups include APT41, APT40 and APT31. These groups are directly or indirectly supported by the Chinese state and are known for their sophisticated cyberattacks, which include espionage, sabotage and data theft. For example, APT41 (also known as Double Dragon) has been linked to over 100 global cyberattacks and pursues both state objectives and its members' own financial goals.
- Dark web and underground forums: Chinese-language forums such as “Hacker Door Forum”, “Evil Octal Forum” and “52Poie Forum” are central hubs for the exchange of hacking tools, stolen data and other illegal goods and services. These forums allow cybercriminals to operate anonymously and coordinate their activities. Despite strict internet regulations and surveillance by the Chinese government, many users manage to access the deep and dark web.
- Telegram: This encrypted messaging platform is often used by cybercriminals to communicate securely, coordinate attacks and trade stolen information. Telegram’s secure environment makes it difficult to track and stop criminal activity.
Influence of government support
The Chinese government plays a significant role in supporting and promoting cybercrime. State-sponsored hacker groups such as APT41 and APT40 are often funded by the government and operate under the protection of state agencies. These groups carry out cyberattacks that serve China’s strategic interests, such as the acquisition of intellectual property and the surveillance of dissidents and minorities.
Illegal trading networks
The illegal trade in personal data is a central part of the Chinese cybercrime ecosystem. According to reports, the value of the black market for data amounted to 100 to 150 billion yuan in 2022, and this figure rose to over 150 billion yuan by January 2024. These trading networks affect not only Chinese organizations, but also international companies and individuals.
Players from the Chinese region
In fact, a kind of “who’s who” can be compiled, which also helps to place the individual players in context.
In the following, I provide an overview of the better-known and more significant hacker groups from China, including those for which there are alleged indications of state tolerance or direct state relations. Of course, it must be made clear that the groups named here represent only a part of the cyber activities reported from China. However, even this selection illustrates the broad spectrum of these operations and how deeply they are integrated into China’s national security and development strategies:
- APT1 (Advanced Persistent Threat 1): Also known as the “Comment Crew” or “Shanghai Group”, this group was described in detail in a 2013 Mandiant report. APT1 is suspected of being directly linked to the Chinese People’s Liberation Army (PLA), in particular Unit 61398, and has conducted a wide range of industrial espionage activities, mainly against US companies.
- APT10 (Stone Panda): This group is known for its large-scale cyberespionage campaigns against companies and government agencies in the US, Europe and Japan. APT10 is said to be linked to the Chinese government, particularly with regard to its “Cloud Hopper” operation, which targeted managed service providers (MSPs) in order to gain broad access to corporate and government networks worldwide.
- APT40 (Periscope/Leviathan): Focused on maritime industries and technologies of strategic interest to Chinese naval power. There is strong evidence that APT40 is supported by the Chinese government, possibly in connection with the Chinese navy or its affiliated state bodies.
- Winnti Group: This group is best known for attacks on the gaming industry and software companies, primarily involving the theft of source code and digital certificates. Winnti is also associated with operations aimed at gathering political information and stealing intellectual property. Indications of state support or tolerance are given by the selection of their targets and the resources available for their operations.
- Red Apollo (APT10): Another group operating under the name APT10 specializes in long-term infiltration and espionage, particularly against governments and large companies in various sectors. Their activities are often seen as part of a broader Chinese effort to acquire global economic and defense secrets.
- Naikon (APT30): This group primarily targets government organizations in the APAC region, including diplomatic and military targets. There is strong evidence that Naikon receives support from a Chinese intelligence agency, given the nature of its targets and the timing of its operations, which often coincide with geopolitical tensions.
Motivation for hacker attacks and (economic) espionage
Chinese hackers and spies pursue a variety of goals that, based on the various studies and analyses I have read, are deeply embedded in China’s broader strategy of economic growth, technological superiority, national security and a strong geopolitical position.
These operations reflect the complex and often confrontational nature of international relations in the digital age and raise important questions about global security and stability. The main objectives and underlying motivations of these activities can be divided into several categories:
Economic advantages
Industrial espionage is one of the primary targets of Chinese cyber operations. By penetrating the networks of companies and organizations, particularly in high-tech industries such as semiconductor manufacturing, pharmaceuticals and renewable energy, Chinese hackers aim to steal valuable data. This includes trade secrets, blueprints, intellectual property and other competitively sensitive information. The drive behind these activities is the desire to reduce development costs, shorten the time to market for new products and ultimately strengthen the competitiveness of Chinese companies on the global market.
Technological progress
Through hacking and espionage, China is trying to gain access to advanced technologies that would otherwise be difficult to access. This supports China’s ambitions to become a leader in key technologies such as artificial intelligence, quantum computing and space technology. This is also part of the “Made in China 2025” strategy, which aims to make China a world leader in a number of high-tech industries.
Influencing public opinion and political processes
Chinese cyber activities are also aimed at influencing political outcomes in other countries or manipulating public opinion. This can be done through disinformation campaigns, the hacking of voting computers or the leaking of politically sensitive information. Such operations are intended to promote China’s geopolitical interests and weaken the position of its rivals.
Surveillance and political and military superiority
Another objective is to gather information relevant to national security and the strengthening of military capabilities. This includes collecting data on foreign governments, military strategies, defense plans and technological advances. This type of espionage helps China to understand potential weaknesses and strategies of adversaries and to plan appropriate countermeasures.
Another important goal is the surveillance of dissidents, human rights activists and ethnic minorities both inside and outside China. Cyber operations enable Chinese authorities to monitor communications, create movement profiles and identify and neutralize potential threats to the communist regime at an early stage.
Liability of the management board in the event of a hacker attack from China?
In a scenario in which a company is attacked by Chinese hackers, the management could actually be held liable for the damage caused. This is closely related to the compliance requirements enshrined in German IT security law and the responsibility of management in the area of cyber security.
According to German IT security law, in particular the new IT Security Act (BSIG) and the NIS 2 Directive, explicit responsibilities are defined for the management. The management must not only approve the risk management measures to fulfill the legal requirements for IT security, but also monitor their implementation. This responsibility cannot be delegated to third parties, and if these duties are breached, the management can be held liable in the event of a security incident. The management’s liability presupposes that it has breached its duty of care.
If a company neglects to take appropriate technical and organizational measures (TOM) to secure its IT systems or does not comply with current technical standards, and a cyber attack causes damage that could have been prevented by such measures, this can lead to management liability. In addition, managers must regularly attend training courses to keep their knowledge of cyber risks and their management up to date. Failure to comply with these regulations, and the inadequate preparation for or response to a cyber attack that may result, could also lead to liability.
Phenotype of Chinese hackers
The phenotype of the average Chinese hacker, especially when it comes to state-sponsored or tolerated actors, is indeed different from the stereotype often portrayed in the media of a loner sitting isolated in front of a computer. The attacks on Volkswagen in particular, which were allegedly carried out by state hackers from China, present a picture that is more akin to a regular working environment.
Regulated working day
Chinese state hackers are often part of organized units that function structurally similar to normal corporate IT departments. Reports suggest that these hackers typically have regular working hours, indicating a structured and methodical approach to their tasks. This type of organization allows complex and long-term cyber operations to be carried out effectively.
Working environment and conditions
The work environment is often an office environment where teams work together and tackle tasks according to a set plan. These teams are often tasked with specific objectives, such as gathering intelligence from specific industry sectors or infiltrating specific target networks. The structure also supports the efficient distribution of resources and the coordination of attacks across different time zones and geographical locations.
Daily routine and breaks
As is common in many professional work environments, state-supported hackers also have regulated breaks and presumably observe weekends, unless there are specific operations that require continuous supervision or execution. This suggests that it is a well-organized activity that reflects the normal work rhythm in China.
Training and further education
State-backed hackers in China often receive extensive training and education to keep up with the latest technologies, security vulnerabilities and espionage techniques. This is an essential part of their job, as the cybersecurity landscape is rapidly evolving and requires constant adaptation and new learning.
The everyday life of state hackers in China is therefore less the cliché of the lonely hacker sitting in a dark room with a hood over his head and more that of a regular IT professional working in an office-like environment. This professionalization and organization makes it possible to carry out complex and targeted cyber attacks that can have both national and international impact. However, as the Volkswagen case shows, it also makes it easier for defenders to plan the timing of countermeasures, since the attackers’ activity follows a predictable schedule.
State hackers at a glance
The most significant international actors include state actors from Russia, China and Iran. These countries use various tactics to promote their geopolitical interests and undermine the stability of European democracies.
In addition to the main actors named below, there are also other countries and non-state actors that attempt to influence elections in Europe. These include, for example, groups acting on behalf of governments or in their own interests to advance certain political agendas. These actors use a variety of methods, including cyberattacks, disinformation, economic pressure and diplomatic maneuvers to achieve their goals. The European Union and its Member States face the challenge of recognizing and countering these threats in order to protect the integrity of their democratic processes.
Russia
Russia is known for its extensive disinformation campaigns and cyberattacks aimed at weakening trust in democratic processes. Some of the best-known examples include influencing the 2016 US elections and attempts to influence the Brexit vote. Russian actors often use social media platforms to spread false information and deepen social divisions.
China
China is increasingly relying on cyberattacks and disinformation campaigns to expand its influence in Europe. Chinese hacker groups are known for conducting industrial espionage and stealing sensitive information that can then be used to influence political decisions. China is also trying to manipulate public opinion in Europe by spreading pro-Chinese narratives in the media.
Iran
Iranian actors also use disinformation campaigns and cyberattacks to pursue their geopolitical goals. These campaigns are often aimed at destabilizing the policies of the US and its allies in Europe. Iranian hacker groups use similar techniques to their Russian and Chinese counterparts.
North Korea
North Korea is another international actor trying to influence elections and political processes worldwide, including in Europe, through cyber activities. While North Korea is less of a focus compared to Russia, China and Iran, there is still significant activity emanating from North Korean actors. North Korea also uses disinformation to further its geopolitical goals and foment political unrest. While there are fewer documented cases of direct election interference by North Korea, the regime still uses cyber operations to exert political pressure and protect its interests, for example by publishing compromising information about political candidates or spreading propaganda.
State security as a risk
Effects of the Chinese Cybersecurity Law
In this context, it is worth mentioning again that China’s Cybersecurity Law, which came into force in June 2017, also has far-reaching implications for both domestic and international actors – and poses several potential threats, especially in the context of state-sponsored cyber operations.
The law stipulates that critical data must be stored within China. This particularly affects companies that are classified as operators of critical infrastructure. The need to store and process data within China can force foreign companies to make significant investments in local infrastructures and increases the risk that sensitive data will have to be made accessible to the Chinese authorities.
The Chinese government is given far-reaching powers to access this locally stored data and carry out network checks. This also includes the ability to require companies to provide technical support and assistance in investigations or to “secure cyberspace”. Critics fear that this could lead to surveillance and potential censorship, both for citizens and companies. According to concerns, security vulnerabilities that need to be reported could be passed on to state-tolerated hacker groups via the state, who then exploit them in a targeted manner.
Under the guise of national security, the law could be used to discriminate against foreign technologies. Companies operating in the Chinese market could be forced to subject their products and services to strict security checks by the Chinese government. This not only increases operational costs, but also allows government agencies to gain a deeper insight into the internal technologies and trade secrets of these companies.
The Cybersecurity Law may act as a trade barrier and has the potential to exacerbate international tensions. In particular, the US and the European Union have expressed concerns that the law could be used as a means of protectionism, which could lead to retaliatory measures. In this context, compliance with the Cybersecurity Law can mean considerable financial and administrative burdens for companies. The need to adapt systems and processes to the new legal requirements, as well as the potential penalties for non-compliance, can result in considerable costs.
The Chinese Cybersecurity Law leaves many questions unanswered, which is likely to lead to uncertainty among companies. The unclear definitions of what is considered critical infrastructure and the broad discretionary powers of the government in applying the law may lead to inconsistent interpretation and application.
Ultimately, China’s cybersecurity law risks increasing government control over cyberspace, raising both privacy and security concerns for businesses and individuals. It also increases global concerns about the role of the state in private and corporate cyberspace activities, which in turn may lead to increased caution and potentially reduced investment in China.
Findings for companies in Germany and the EU
German companies, particularly SMEs, are often the focus of cyberattacks and espionage activities, especially from China. These activities can have a serious impact on their competitiveness, innovative strength and ultimately their economic security.
The threat of Chinese cyberattacks and espionage is a real and ongoing challenge for German SMEs. These companies need to take proactive measures to protect their critical data and systems to ensure their long-term security and competitiveness. A basic awareness of cyber security and regular training of employees is crucial to understand the basics of security and to recognize the most common attack vectors such as phishing and social engineering. In this context, it is also relevant that there will be a corresponding legal obligation in the near future.
Employees are often the first line of defense against cyberattacks; implementing robust security policies and practices is therefore essential. This includes regular software updates and patches, the use of strong authentication methods and the establishment of a secure IT infrastructure. Companies should also have a clear strategy in place in the event of a data leak or security incident. Effective monitoring systems can help to detect anomalies and suspicious activity at an early stage. Equally important is the ability to react quickly in order to minimize potential damage and regain control of IT systems.
German companies need to be aware of the relevant data protection and security regulations at both national and EU level. The GDPR and the IT Security Act are just some of the regulations that must be observed to avoid legal consequences. Sharing information about threats and vulnerabilities with other companies and institutions can help to develop a broader understanding of the current threat situation. Industry associations and security networks can be valuable resources for smaller companies. Building partnerships with IT and security vendors can also help small and medium-sized businesses gain access to advanced security technologies and expertise that they may not be able to develop or afford on their own.