Most malicious activity detections traced back to China


Cybersecurity company Trellix has detected a spike in malicious activity in recent months, with most of the detections linked to China and Russia. The researchers observed a noticeable increase in geopolitically motivated cyber threat operations.

During the period spanning from October 2023 to March 2024, cyber threats originating from China were responsible for 68.3% of detections at Trellix, and Russian ones had an 18.32% share. The rest of the attacks came from Iran, Pakistan, North Korea, Belarus, and other countries.

The uptick in malicious activity from China-associated threat actors was observed in November 2023, days before the meeting between US President Joe Biden and China’s leader Xi Jinping.

“China-linked threat groups remain the most prolific originator of APT activities, with Trellix observing more than 21 million detections of threat activities from China-aligned threat actor groups,” the report reads.

Almost a quarter (23%) of these detections are directed at the government sector worldwide, and 20% target the banking and financial sector.

A significant activity spike was observed from the China-backed Volt Typhoon group, which stood out because of its unique behavior patterns and targeting profiles.

However, the Russian-linked threat actor Sandworm takes the number one spot as the most active Advanced Persistent Threat (APT).

“The Sandworm team, historically known for its disruptive cyber operations, has seen a staggering increase in detections by 1669%,” researchers noted.

“This monumental rise suggests an unprecedented escalation in their cyber activities from the Russia-linked group.”

Conversely, groups linked to North Korea, Vietnam, and India have seen dramatic decreases in their activities. Researchers single out the downturn in North Korean APT activity as particularly notable and speculate that it may indicate a shift in focus, strategy, or capabilities.

John Fokker, Head of Threat Intelligence at Trellix, describes the current state as a poly-crisis in which cybercriminal and threat actor activity is accelerating globally, and the cyber domain is affected by geopolitical events.

“Threat actors are looking to be more sophisticated, and they have access to cheap and free GenAI-based tools that empower them to become experts overnight,” Fokker warns.

In January, researchers discovered a free ChatGPT 4.0 Jabber tool available in the cybercriminal underground. Jabber allows criminals to adopt generative AI into their operations, create a knowledge base to learn from other cybercriminals, or even steal ideas and tools.

The US is the most targeted country, with almost half of detections registered there. Turkey accounted for 21.4% of detections, followed by Hong Kong, India, Brazil, and other countries.