
Chinese State-Sponsored Actors Target Global Critical Infrastructure

5 unique sources, 14 articles

Summary


Chinese state-sponsored APT actors have **dramatically escalated cyber operations against Taiwan**, with the National Security Bureau (NSB) reporting **960,620,609 intrusion attempts** in 2025, a **6% year-over-year increase** and a **112.5% rise since 2023**. The **energy sector** faced a **tenfold spike in attacks**, while **emergency/hospital systems** saw a **54% rise**, including **ransomware deployments** that disrupted operations in at least **20 hospitals** and led to stolen medical data being sold on dark web forums. The campaigns, attributed to **BlackTech, Flax Typhoon, Mustang Panda, APT41, and UNC3886**, leveraged **hardware/software vulnerabilities, DDoS, social engineering, and supply-chain compromises**, often in combination. Attacks correlated with **PLA military drills, political events, and overseas visits by Taiwanese officials**, peaking in **May 2025** around the first anniversary of President Lai Ching-te's inauguration. Taiwan's NSB is now collaborating with **30+ countries** on joint investigations, a significant expansion of international coordination against PRC cyber threats. Earlier entries in this timeline cover intrusions into **U.S. government agencies (CBO, Treasury, CFIUS)** and **European telecoms**, and attacks on global critical infrastructure via exploits in **Cisco, Ivanti, Palo Alto, and Citrix devices**. Advisories from **CISA, NSA, and allies** warn of a shift from espionage to **potential disruptive capabilities**, while Operation **"WrtHug"** hijacked **roughly 50,000 ASUS routers** (predominantly in Taiwan) for persistent access. Despite vendor patches, **unpatched or end-of-life devices remain at risk** of compromise by Chinese APTs and follow-on threat actors.

Timeline

  1. 07.01.2026 00:27 2 articles · 1d ago

    Taiwan Reports Tenfold Surge in China-Linked Energy Sector Attacks

    Taiwan’s National Security Bureau (NSB) documented **960,620,609 cyber intrusion attempts** targeting critical infrastructure in 2025—a **6% year-over-year increase** and **112.5% surge since 2023**—with the **energy sector facing a tenfold spike** in attacks. The **emergency/hospital sector** saw a **54% rise**, including **ransomware deployments** that disrupted operations in **at least 20 hospitals** and led to stolen medical data being sold on dark web forums. The NSB attributed the campaigns to **BlackTech, Flax Typhoon, Mustang Panda, APT41, and UNC3886**, which exploited **hardware/software vulnerabilities, DDoS, social engineering, and supply-chain attacks**, often in combination. Attacks correlated with **PLA joint combat readiness patrols**, **Taiwanese political events**, and **overseas visits by officials**, peaking in **May 2025** during the first anniversary of President Lai Ching-te’s inauguration. The report highlights **probing of industrial control systems (ICS)** and **telecom network equipment**, reinforcing patterns of **long-term access for potential disruption**.

  2. 19.11.2025 12:20 3 articles · 1mo ago

    China-Linked Operation "WrtHug" Hijacks ASUS Routers for Espionage

    Operation **"WrtHug"** has compromised **roughly 50,000 ASUS WRT routers** worldwide—predominantly in **Taiwan (50%+ of victims), Southeast Asia, Russia, Central Europe, and the U.S.**—with **no infections observed in China**, potentially indicating a China-nexus actor. The campaign exploits **seven vulnerabilities** (including **CVE-2023-39780**, **CVE-2025-2492**) in **end-of-life SOHO devices**, leveraging the **ASUS AiCloud service** to deploy **persistent SSH backdoors** that survive reboots. A **shared 100-year TLS certificate** (replacing ASUS’s standard 10-year certificate) was used as a unique IoC to track infections, with **seven IPs overlapping** with the prior *AyySSHush* botnet. SecurityScorecard assesses **low-to-moderate confidence** in Chinese APT attribution, citing tactical overlaps with **Operational Relay Box (ORB) campaigns** (*LapDogs*, *PolarEdge*). Targeted models include **4G-AC55U, GT-AC5300, RT-AC1300UHP**, and others. ASUS has released **security updates** addressing all exploited flaws, but **unpatched or unsupported devices remain vulnerable** to takeover by other actors.

  3. 07.11.2025 02:22 1 article · 2mo ago

    Chinese APT Group Breaches U.S. Congressional Budget Office

    The U.S. Congressional Budget Office (CBO) confirmed a cybersecurity incident after a suspected foreign hacker—potentially linked to Chinese state-sponsored APT groups—breached its network. The intrusion, detected in early November 2025, may have exposed sensitive emails, draft reports, and internal communications between CBO analysts and congressional offices. The CBO contained the incident and deployed additional monitoring and security controls. This breach follows a pattern of targeted attacks on U.S. government agencies, including the **U.S. Treasury Department and CFIUS** in late 2024, both attributed to the Chinese APT group **Silk Typhoon**. The CBO, a nonpartisan agency providing economic analysis to Congress, represents a critical target for espionage or influence operations. The incident underscores the expanding scope of Chinese APT campaigns beyond traditional critical infrastructure to include legislative and economic policy institutions.

  4. 20.10.2025 15:15 1 article · 2mo ago

    Salt Typhoon Exploits Citrix NetScaler Gateway Vulnerability in Global Cyber-Attack

    Salt Typhoon exploited a Citrix NetScaler Gateway vulnerability to gain access to a European telecommunications organization in an intrusion that began in July 2025. The group has used zero-day exploits and DLL sideloading to infiltrate systems; in this case the sideloading was used to deploy a backdoor identified as SNAPPYBEE (also known as Deed RAT). The backdoor communicated with command-and-control (C2) servers over HTTP and over unidentified TCP-based protocols, and the C2 domain aar.gandhibludtric[.]com had previously been associated with Salt Typhoon infrastructure.

  5. 24.09.2025 04:00 2 articles · 3mo ago

    RedNovember Targets Global Infrastructure Using Public Exploits

    RedNovember has targeted perimeter appliances of high-profile organizations globally, including defense and aerospace organizations, space organizations, and law firms. The group has breached at least two U.S. defense contractors, a European engine manufacturer, and a trade-focused intergovernmental cooperation body in Southeast Asia. RedNovember has used the Go-based backdoor Pantegana and Cobalt Strike as part of its intrusions, along with the Spark RAT and LESLIELOADER. The group has also used VPN services like ExpressVPN and Warp VPN to administer and connect to servers used for exploitation and communication.

  6. 07.09.2025 17:09 3 articles · 4mo ago

    Czech Republic's NUKIB Issues High Risk Warning on Chinese Technology

    The Czech Republic's National Cyber and Information Security Agency (NUKIB) has issued a warning instructing critical infrastructure organizations to avoid using Chinese technology or transferring user data to servers located in China. The agency has re-evaluated its risk estimate of significant disruptions caused by China, now assessing it at a 'High' level. The NUKIB has confirmed malicious activities of Chinese cyber-actors targeting the Czech Republic, including a recent APT31 campaign targeting the Czech Ministry of Foreign Affairs. The warning includes consumer devices such as smartphones, IP cameras, electric cars, large language models, medical devices, and photovoltaic converters manufactured by Chinese firms as risky devices. All entities subject to the Czech Cybersecurity Act must adopt security measures to mitigate risks associated with Chinese technology.

  7. 04.09.2025 23:04 3 articles · 4mo ago

    Czech Republic Issues Advisory on PRC Data Theft

    The Czech Republic's National Cyber and Information Security Agency (NUKIB) issued an advisory warning about data transfers to the People's Republic of China (PRC). The advisory highlights concerns that system and user data transferred to China can be misused for state, military, or political interests. The Czech government had previously accused China of targeting its critical infrastructure through APT31, an allegation denied by the PRC but condemned by the US, EU, and NATO. The advisory suggests that individuals and organizations consider restricting or prohibiting the use of products and services that transfer data to China.

  8. 28.08.2025 17:04 4 articles · 4mo ago

    Salt Typhoon Exploits Edge Devices to Breach 600 Organizations

    The Salt Typhoon group has targeted at least 600 organizations across 80 countries, including 200 in the U.S. The actors have exploited vulnerabilities in Cisco, Ivanti, and Palo Alto Networks devices to gain initial access, and have modified routers to maintain persistent access and pivot into other networks. Compromised devices are used to capture TACACS+ traffic, the AAA protocol that carries network-device administrator logins, for lateral movement and deeper network infiltration. The actors have enabled the sshd_operns service on Cisco IOS XR devices to gain root access. The campaign is supported by an ecosystem of contractors, academics, and facilitators who aid in tool development and intrusion operations. The group has also exploited a Citrix NetScaler Gateway vulnerability in a recent intrusion.

  9. 27.08.2025 15:00 9 articles · 4mo ago

    Joint Advisory on Chinese State-Sponsored Actors Targeting Global Infrastructure

    The advisory includes previously unknown insights into People's Republic of China (PRC) cyber operations, highlighting a critical shift from espionage to **potential disruptive capabilities**. It notes that APT actors may target devices such as Fortinet firewalls, Juniper firewalls, Microsoft Exchange, and others. **Update (2026-01-06):** Taiwan’s National Security Bureau (NSB) corroborates this trend, reporting a **tenfold increase in attacks on Taiwan’s energy sector** in 2025, with **BlackTech, Flax Typhoon, Mustang Panda, APT41, and UNC3886** exploiting hardware/software vulnerabilities, DDoS, social engineering, and supply-chain attacks. The NSB’s findings align with prior advisories from **CISA, NSA, and allies**, underscoring the PRC’s expanding focus on **industrial control systems** and **long-term access for potential sabotage**.

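The 100-year TLS certificate that SecurityScorecard used as the WrtHug indicator (item 2 above) is something a defender can check for directly on their own devices. The Go program below is an added example written for this page, not code from ASUS, SecurityScorecard, or any source the timeline cites: it measures the lifetime of the leaf certificate a device presents over TLS and flags anything far beyond the 10-year lifetime of a stock ASUS certificate. The 50-year threshold, the throw-away self-signed certificates it generates so the check can run offline, and the assumption that the admin or AiCloud service speaks TLS on the port you point `probe` at are all assumptions of the example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// Threshold is an assumption: stock ASUS firmware ships a 10-year certificate and the
// WrtHug implant installs a 100-year one, so anything beyond 50 years is treated as suspect.
const maxSaneValidityYears = 50

// validityYears returns the certificate lifetime in (fractional) years.
func validityYears(cert *x509.Certificate) float64 {
	return cert.NotAfter.Sub(cert.NotBefore).Hours() / (24 * 365.25)
}

// suspiciousLifetime reports whether the lifetime matches the WrtHug certificate IoC.
func suspiciousLifetime(cert *x509.Certificate) bool {
	return validityYears(cert) > maxSaneValidityYears
}

// selfSigned builds a throw-away self-signed certificate valid for the given number of
// years. It exists only so the check can be exercised offline; it is not a real ASUS cert.
func selfSigned(cn string, years int) (*x509.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	now := time.Now()
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: cn},
		NotBefore:    now,
		NotAfter:     now.AddDate(years, 0, 0),
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// probe fetches the leaf certificate a live device presents on its HTTPS admin/AiCloud
// port. Verification is disabled on purpose: router certificates are self-signed, and
// we want the certificate itself, not a trust decision.
func probe(addr string) (*x509.Certificate, error) {
	conn, err := tls.Dial("tcp", addr, &tls.Config{InsecureSkipVerify: true})
	if err != nil {
		return nil, err
	}
	defer conn.Close()
	certs := conn.ConnectionState().PeerCertificates
	if len(certs) == 0 {
		return nil, fmt.Errorf("%s: no certificate presented", addr)
	}
	return certs[0], nil
}

func main() {
	for _, years := range []int{10, 100} {
		cert, err := selfSigned("router.local", years)
		if err != nil {
			panic(err)
		}
		fmt.Printf("%3d-year cert: lifetime %.1f years, suspicious=%v\n",
			years, validityYears(cert), suspiciousLifetime(cert))
	}
}
```

Against a live device, `probe("192.0.2.1:8443")` (address is a placeholder) returns the leaf certificate for the same check. The lifetime is only one indicator from the report; a negative result says nothing about the SSH backdoor itself, so treat it as a triage filter rather than a clean bill of health.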

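Item 8 above notes that Salt Typhoon captures TACACS+ traffic from routers it controls. Why a capture is worth having follows from the protocol itself: RFC 8907 does not encrypt packet bodies, it XORs them with an MD5 pseudo-pad derived from the session ID, the shared secret, the version and the sequence number, and that shared secret is configured on the very router the actor has compromised. The Go program below is an added illustration written for this page, not tooling from any source the timeline cites: it builds a PAP authentication START packet, obfuscates it the way a client would, and then recovers the username and password from the captured bytes given the secret. The secret, session ID and credentials are constructed test values.

```go
package main

import (
	"crypto/md5"
	"encoding/binary"
	"fmt"
)

const (
	tacPlusVersion     = 0xc0 // major version 0xc, minor version 0
	tacPlusAuthen      = 0x01 // TAC_PLUS_AUTHEN packet type
	tacPlusUnencrypted = 0x01 // TAC_PLUS_UNENCRYPTED_FLAG: body sent in the clear
	headerLen          = 12
)

// pad builds the RFC 8907 pseudo-pad: a chain of MD5 digests over
// session_id || key || version || seq_no || previous_digest.
func pad(sessionID [4]byte, key []byte, version, seq byte, n int) []byte {
	var out, prev []byte
	for len(out) < n {
		h := md5.New()
		h.Write(sessionID[:])
		h.Write(key)
		h.Write([]byte{version, seq})
		h.Write(prev)
		prev = h.Sum(nil)
		out = append(out, prev...)
	}
	return out[:n]
}

// obfuscate XORs a body with the pad. The same call reverses it.
func obfuscate(sessionID [4]byte, key []byte, version, seq byte, body []byte) []byte {
	p := pad(sessionID, key, version, seq, len(body))
	out := make([]byte, len(body))
	for i := range body {
		out[i] = body[i] ^ p[i]
	}
	return out
}

// buildPAPStart returns a complete Authentication START packet for a PAP login.
// In PAP the password travels in the data field, so it is only as private as the pad.
func buildPAPStart(sessionID [4]byte, key []byte, user, port, remAddr, password string) []byte {
	body := []byte{
		0x01, // action: TAC_PLUS_AUTHEN_LOGIN
		0x01, // priv_lvl
		0x02, // authen_type: TAC_PLUS_AUTHEN_TYPE_PAP
		0x01, // authen_service: TAC_PLUS_AUTHEN_SVC_LOGIN
		byte(len(user)), byte(len(port)), byte(len(remAddr)), byte(len(password)),
	}
	for _, s := range []string{user, port, remAddr, password} {
		body = append(body, s...)
	}
	hdr := make([]byte, headerLen)
	hdr[0], hdr[1], hdr[2], hdr[3] = tacPlusVersion, tacPlusAuthen, 1, 0 // seq_no 1, no flags
	copy(hdr[4:8], sessionID[:])
	binary.BigEndian.PutUint32(hdr[8:], uint32(len(body)))
	return append(hdr, obfuscate(sessionID, key, tacPlusVersion, 1, body)...)
}

// decodeBody recovers the cleartext body of a captured packet given the shared secret.
func decodeBody(pkt, key []byte) ([]byte, error) {
	if len(pkt) < headerLen {
		return nil, fmt.Errorf("short packet (%d bytes)", len(pkt))
	}
	n := int(binary.BigEndian.Uint32(pkt[8:12]))
	if len(pkt) != headerLen+n {
		return nil, fmt.Errorf("length field %d does not match %d body bytes", n, len(pkt)-headerLen)
	}
	body := pkt[headerLen:]
	if pkt[3]&tacPlusUnencrypted != 0 { // misconfigured deployment: nothing to undo
		return append([]byte(nil), body...), nil
	}
	var sid [4]byte
	copy(sid[:], pkt[4:8])
	return obfuscate(sid, key, pkt[0], pkt[2], body), nil
}

// parseStart splits a decoded Authentication START body into user and data (the PAP password).
func parseStart(body []byte) (user, data string, err error) {
	if len(body) < 8 {
		return "", "", fmt.Errorf("truncated START body")
	}
	ul, pl, rl, dl := int(body[4]), int(body[5]), int(body[6]), int(body[7])
	if len(body) != 8+ul+pl+rl+dl {
		return "", "", fmt.Errorf("START length fields do not add up")
	}
	return string(body[8 : 8+ul]), string(body[8+ul+pl+rl:]), nil
}

func main() {
	key := []byte("r0uter-shared-secret") // constructed; on a real device it sits in the running config
	sid := [4]byte{0xde, 0xad, 0xbe, 0xef}
	pkt := buildPAPStart(sid, key, "netadmin", "tty0", "10.0.0.5", "Winter2025!")
	body, err := decodeBody(pkt, key)
	if err != nil {
		panic(err)
	}
	user, pw, _ := parseStart(body)
	fmt.Printf("captured %d bytes; with the shared secret: user=%q password=%q\n", len(pkt), user, pw)
	wrong, _ := decodeBody(pkt, []byte("wrong-guess"))
	fmt.Println("wrong secret recovers the same body:", string(wrong) == string(body))
}
```

The defensive reading is that TACACS+ must be treated as cleartext once an edge device is compromised: carry it over an encrypted management path, use per-device secrets so one router's configuration does not expose every other device's sessions, and rotate the secrets after any edge-device incident.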

Similar Happenings

Exploitation of Network Security Flaws by APT Actors

Multiple network security products, including those from Fortinet, SonicWall, Cisco, and WatchGuard, have been targeted by threat actors exploiting critical vulnerabilities. Cisco's AsyncOS flaw (CVE-2025-20393) is being exploited by a China-nexus APT group, UAT-9686, to deliver malware such as ReverseSSH and AquaPurge. SonicWall's SMA 100 series appliances are also being targeted through a combination of vulnerabilities to achieve unauthenticated remote code execution. These attacks highlight the increasing focus on network security products as entry points for deeper network infiltration.

PlushDaemon Hijacks Software Updates in Supply-Chain Attacks

The China-linked threat actor PlushDaemon has been hijacking software update traffic in cyberespionage operations since 2018, using a network implant called EdgeStepper. The group targets individuals and organizations in the U.S., China, Taiwan, Hong Kong, South Korea, New Zealand, and Cambodia. The attackers first compromise routers via known vulnerabilities or weak passwords, then install EdgeStepper, a Go-based network backdoor that redirects all DNS queries to a malicious hijacking node, enabling adversary-in-the-middle (AitM) attacks on update traffic; the group uses an ELF file named bioset, internally called dns_cheat_v2, to forward DNS traffic to that node. Redirected update requests deliver the LittleDaemon downloader (a second downloader, DaemonLogistics, is also used), which deploys the SlowStepper backdoor toolkit for extensive system control and data theft. In May 2024, PlushDaemon targeted a South Korean VPN provider named IPany.
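EdgeStepper's effect, as described above, is that the victim's update client is steered to an attacker-controlled node by the answer to a DNS query. An updater that pins the vendor's signing key and verifies both a signed manifest and the payload digest does not care who answered that query. The Go program below is an added example written for this page, not PlushDaemon tooling and not any vendor's updater: it shows the vendor-side signing step and the client-side check, then walks through a swapped payload and an attacker-signed manifest. The Manifest layout, the Ed25519 release key it generates on the fly, and the payload bytes are all constructed for the example.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"encoding/json"
	"errors"
	"fmt"
)

// Manifest is published next to the payload. Only the manifest is signed; the payload
// is bound to it through its SHA-256 digest, so swapping either one is detected.
type Manifest struct {
	Product string `json:"product"`
	Version string `json:"version"`
	SHA256  string `json:"sha256"`
}

// newReleaseKey generates a signing key pair (vendor side, done once per release key).
func newReleaseKey() (ed25519.PublicKey, ed25519.PrivateKey) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	return pub, priv
}

// digestOf returns the hex SHA-256 of a payload, as recorded in the manifest.
func digestOf(payload []byte) string {
	sum := sha256.Sum256(payload)
	return hex.EncodeToString(sum[:])
}

// signManifest is the vendor-side release step: serialize, then sign the bytes as published.
func signManifest(priv ed25519.PrivateKey, m Manifest) (raw, sig []byte, err error) {
	raw, err = json.Marshal(m)
	if err != nil {
		return nil, nil, err
	}
	return raw, ed25519.Sign(priv, raw), nil
}

// verifyUpdate is the client-side step. pinned is the vendor key compiled into the
// updater, so whoever answers the DNS query or terminates the connection cannot
// replace it. The manifest is returned only if both checks pass.
func verifyUpdate(pinned ed25519.PublicKey, rawManifest, sig, payload []byte) (Manifest, error) {
	var m Manifest
	if !ed25519.Verify(pinned, rawManifest, sig) {
		return m, errors.New("manifest signature invalid: refusing update")
	}
	if err := json.Unmarshal(rawManifest, &m); err != nil {
		return m, fmt.Errorf("signed manifest is malformed: %w", err)
	}
	if got := digestOf(payload); got != m.SHA256 {
		return m, fmt.Errorf("payload digest %s does not match signed manifest %s", got, m.SHA256)
	}
	return m, nil
}

func main() {
	vendorPub, vendorPriv := newReleaseKey()
	genuine := []byte("genuine update image (constructed)")
	raw, sig, err := signManifest(vendorPriv, Manifest{Product: "agent", Version: "2.1.0", SHA256: digestOf(genuine)})
	if err != nil {
		panic(err)
	}

	// 1. Normal path: the client reached the real server and the payload matches.
	m, err := verifyUpdate(vendorPub, raw, sig, genuine)
	fmt.Printf("genuine: version=%s err=%v\n", m.Version, err)

	// 2. Hijacked path: the resolver sends the client to an attacker node that relays the
	//    real manifest but serves a trojanised payload (the EdgeStepper-style outcome).
	_, err = verifyUpdate(vendorPub, raw, sig, []byte("trojanised image"))
	fmt.Println("swapped payload:", err)

	// 3. The attacker signs their own manifest with their own key: the pinned key rejects it.
	_, attackerPriv := newReleaseKey()
	raw2, sig2, _ := signManifest(attackerPriv, Manifest{Product: "agent", Version: "2.1.1", SHA256: digestOf([]byte("trojanised image"))})
	_, err = verifyUpdate(vendorPub, raw2, sig2, []byte("trojanised image"))
	fmt.Println("attacker-signed manifest:", err)
}
```

What makes this hold up against a DNS hijack is the pinned key: a client that fetches the key from the same (hijacked) host, or that accepts any TLS certificate and trusts the transport, gets no benefit. The check is also only as strong as the protection of the vendor's signing key, which is the supply-chain side of the same problem.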

International Law Enforcement Disrupts Rhadamanthys, VenomRAT, and Elysium Malware Operations

Law enforcement agencies from 11 countries, coordinated by Europol and Eurojust, disrupted operations of Rhadamanthys infostealer, VenomRAT, and Elysium botnet malware as part of Operation Endgame 3.0. The action, which occurred between November 10 and 13, 2025, involved seizing over 1,000 servers and 20 domains, arresting a key suspect in Greece, and uncovering millions of stolen credentials. The operation also involved multiple private cybersecurity partners. The dismantled infrastructure included hundreds of thousands of infected computers, with the main suspect behind Rhadamanthys having access to over 100,000 crypto wallets worth millions of euros. Victims were often unaware of their systems' infections. The latest version of Rhadamanthys added support for collecting device and web browser fingerprints, along with incorporating several mechanisms to fly under the radar. Additionally, the Dutch police seized around 250 physical servers and thousands of virtual servers used by a bulletproof hosting service, which has been involved in over 80 cybercrime investigations since 2022. The seized servers were located in data centers in The Hague and Zoetermeer.

UK Introduces Cyber Security and Resilience Bill to Strengthen National Defenses

The UK government has introduced the Cyber Security and Resilience Bill, aiming to upgrade the 2018 NIS Regulations and bolster national cyber defenses. The bill proposes stricter security requirements for essential services, expanded incident reporting, and enhanced regulatory powers. It also includes new regulations for managed service providers and critical suppliers, with tougher penalties for serious offenses. The legislation follows multiple high-profile breaches and aims to address growing cyber threats, including those from AI and unsupported equipment. It responds to annual losses of roughly £14.7 billion (nearly $19.6 billion) from cyberattacks, with the average significant attack costing over £190,000. The National Cyber Security Centre (NCSC) reported a 130% increase in "nationally significant" cyber incidents in 2025 compared to 2024. The Technology Secretary will have the authority to direct regulators and organizations to take action when national security is threatened. Additionally, the UK has announced a new cybersecurity strategy backed by over £210 million ($283 million) to boost cyber defenses across government departments and the wider public sector. This includes establishing a dedicated Government Cyber Unit to coordinate risk management and incident response, setting minimum security standards, improving visibility of cyber risks, and requiring departments to maintain robust incident response capabilities. A new Software Security Ambassador Scheme will promote best practices, with major firms such as Cisco, Palo Alto Networks, Sage, NCC Group, and Santander joining as ambassadors. The UK has also announced plans to ban public-sector and critical infrastructure organizations from paying ransoms following ransomware attacks.

China-Linked Threat Actor Targets U.S. Non-Profit with Legacy Exploits

A China-linked threat actor targeted a U.S. non-profit organization in April 2025, leveraging multiple legacy vulnerabilities to gain persistent access. The attackers used exploits like CVE-2022-26134, CVE-2021-44228, and others to establish a foothold, then employed scheduled tasks and legitimate binaries to maintain persistence and communicate with a command-and-control server. The activity aligns with broader Chinese espionage efforts against U.S. entities involved in policy issues.