More hacking groups operate from China than from any other country, researchers say

Researchers found that hacking groups targeted 178 countries in 2025, with government, financial services, and telecommunications among the most affected sectors.
- More hacking groups operate from China than from any other country, researchers say.
- Taiwan under cyber siege – attacks on government systems more than doubled since 2023.
- Shift to critical infrastructure – Chinese groups target energy, hospitals, finance, and telecoms.
- Long-term “pre-positioning” strategy – hackers infiltrate systems for future use rather than immediate gain.
According to a recent threat intelligence report from Forescout’s Vedere Labs, approximately 210 hacking groups operate out of China, nearly double Russia's 112 and four times Iran's 55. Together, these three countries account for 45% of the world's threat actor groups.
An analysis of the report notes that China's cyber capabilities are structurally expanding, with attacks becoming increasingly sophisticated and moving beyond simple data theft to long-term infiltration of national critical networks.
Taiwan faces an intensifying cyber siege
The impact of China-origin cyberattacks is most evident in neighboring Taiwan. According to Taiwan's National Security Bureau (NSB), such attacks targeting the island's government infrastructure averaged 2.63 million per day in 2025, which represents a 113% increase compared with 2023 and is 6% higher than in 2024.
Chinese hacker groups are combining software and hardware vulnerability exploits, distributed denial-of-service (DDoS) attacks, social engineering, and supply chain attacks against Taiwan's critical infrastructure.
Since the second half of 2025, attack patterns have shifted from simple data theft toward targeting national critical infrastructure, including energy grids, hospitals, and financial systems.
Similar patterns have emerged globally, with Chinese state-sponsored groups actively exploiting critical vulnerabilities in SharePoint servers and telecommunications infrastructure across multiple countries.
Evolution toward "pre-positioning" strategy
China-linked groups are strengthening what experts call a "pre-positioning" strategy by foregoing short-term destruction or financial gain in favor of hiding within core systems like power and communications networks for future use.
According to Chosun’s analysis, South Korea has experienced real damage from such long-term stealth attacks. The country’s Onnara System, the government workflow management platform for civil servants, was exposed to hacking for approximately three years from September 2022 to July 2025.
Hackers stole civil servants' Government Public Key Infrastructure (GPKI) certificates and passwords, disguised themselves as legitimate users, and accessed the government administrative network.
The article clarifies that while the attack's sponsor was not conclusively attributed, records of translating Korean into Chinese and indications of attempted hacks in Taiwan pointed to possible Chinese links.
South Korea's National Intelligence Service previously disclosed that while North Korea accounts for the largest quantitative share of state-backed hacking targeting the country, China's threat share exceeds 20% when reclassified by severity of attack methods.
The article cites Professor Park Chun-sik of Ajou University's Department of Cybersecurity, who emphasized that "state-on-state cyberattacks have already become a major means of modern warfare."
He adds that, unlike nuclear weapons, cyberattacks exist in a realm with virtually no international treaty or binding force to control them, leaving countries no choice but to build comprehensive cyber capabilities encompassing both offense and defense.