Chinese State-Sponsored Actors Target Global Critical Infrastructure

5 unique sources, 16 articles

Summary

Chinese state-sponsored APT actors have **dramatically escalated cyber operations against Taiwan and expanded into Southeast Asia**, with Taiwan’s National Security Bureau (NSB) reporting **960,620,609 intrusion attempts** in 2025—a **6% year-over-year increase** and **112.5% surge since 2023**. The **energy sector** faced a **tenfold spike in attacks**, while **emergency/hospital systems** saw a **54% rise**, including **ransomware deployments** disrupting operations in at least **20 hospitals** and stolen medical data sold on dark web forums. In **February 2026**, Singapore’s Cyber Security Agency (CSA) confirmed that **UNC3886**—a China-nexus APT group—executed a **deliberate cyber espionage campaign** against all four of Singapore’s major telecommunications operators (**M1, SIMBA Telecom, Singtel, StarHub**). The actors **weaponized a zero-day exploit** to bypass perimeter defenses, deployed **rootkits for persistence**, and exfiltrated technical data, though no personal customer data was compromised. Singapore’s **Operation CYBER GUARDIAN** successfully disrupted UNC3886’s access, engaged **over 100 investigators from six agencies**, and expanded monitoring to **banking, transport, and healthcare sectors** to prevent lateral movement. This campaign underscores the PRC’s **growing focus on Southeast Asian critical infrastructure** alongside its long-standing operations in Taiwan and North America. The campaigns, attributed to **BlackTech, Flax Typhoon, Mustang Panda, APT41, and UNC3886**, leverage **hardware/software vulnerabilities, DDoS, social engineering, and supply-chain compromises**, often correlating with **PLA military drills, political events, and visits by Taiwanese officials**. Taiwan’s NSB is now collaborating with **30+ countries** on joint investigations, while advisories from **CISA, NSA, and allies** warn of a shift from espionage to **potential disruptive capabilities**. Earlier phases targeted **U.S. government agencies (CBO, Treasury, CFIUS)**, **European telecoms**, and global critical infrastructure via exploits in **Cisco, Ivanti, Palo Alto, and Citrix devices**.

Timeline

  1. 09.02.2026 19:01 · 2 articles

    UNC3886 Targets Singapore’s Telecom Sector with Zero-Day Exploits

    In February 2026, Singapore’s Cyber Security Agency (CSA) revealed that the China-nexus APT group **UNC3886** conducted a **targeted cyber espionage campaign** against all four of Singapore’s major telecommunications operators: **M1, SIMBA Telecom, Singtel, and StarHub**. The threat actors **weaponized a zero-day exploit** to bypass a perimeter firewall and exfiltrate a small amount of technical data, while deploying **rootkits** to establish persistent access and evade detection. No personal customer data was compromised, and no internet services were disrupted. The CSA executed a **counter-operation named CYBER GUARDIAN**, closing off UNC3886’s access points and expanding monitoring capabilities across the targeted telcos. This response involved **over 100 investigators from six government agencies** and extended monitoring to **banking, transport, and healthcare sectors** to prevent lateral movement. Singapore’s Minister for Digital Development and Information, **Josephine Teo**, emphasized that the **limited impact** of the attack reflects the effectiveness of proactive defenses rather than a reduction in threat. UNC3886’s campaign aligns with its broader pattern of exploiting **edge devices and virtualization technologies** (e.g., VMware ESXi, vCenter) for long-term espionage, as previously documented under the alias **Fire Ant**. The group has historically leveraged zero-days in **FortiGate firewalls (CVE-2022-41328), VMware ESXi (CVE-2023-20867), and VMware vCenter Server (CVE-2023-34048)**.

  2. 07.01.2026 00:27 · 2 articles

    Taiwan Reports Tenfold Surge in China-Linked Energy Sector Attacks

    Taiwan’s National Security Bureau (NSB) documented **960,620,609 cyber intrusion attempts** targeting critical infrastructure in 2025—a **6% year-over-year increase** and **112.5% surge since 2023**—with the **energy sector facing a tenfold spike** in attacks. The **emergency/hospital sector** saw a **54% rise**, including **ransomware deployments** that disrupted operations in **at least 20 hospitals** and led to stolen medical data being sold on dark web forums. The NSB attributed the campaigns to **BlackTech, Flax Typhoon, Mustang Panda, APT41, and UNC3886**, which exploited **hardware/software vulnerabilities, DDoS, social engineering, and supply-chain attacks**, often in combination. Attacks correlated with **PLA joint combat readiness patrols**, **Taiwanese political events**, and **overseas visits by officials**, peaking in **May 2025** during the first anniversary of President Lai Ching-te’s inauguration. The report highlights **probing of industrial control systems (ICS)** and **telecom network equipment**, reinforcing patterns of **long-term access for potential disruption**.

  3. 19.11.2025 12:20 · 3 articles

    China-Linked Operation "WrtHug" Hijacks ASUS Routers for Espionage

    Operation **"WrtHug"** has compromised **roughly 50,000 ASUS WRT routers** worldwide—predominantly in **Taiwan (50%+ of victims), Southeast Asia, Russia, Central Europe, and the U.S.**—with **no infections observed in China**, potentially indicating a China-nexus actor. The campaign exploits **seven vulnerabilities** (including **CVE-2023-39780**, **CVE-2025-2492**) in **end-of-life SOHO devices**, leveraging the **ASUS AiCloud service** to deploy **persistent SSH backdoors** that survive reboots. A **shared 100-year TLS certificate** (replacing ASUS’s standard 10-year certificate) was used as a unique IoC to track infections, with **seven IPs overlapping** with the prior *AyySSHush* botnet. SecurityScorecard assesses **low-to-moderate confidence** in Chinese APT attribution, citing tactical overlaps with **Operational Relay Box (ORB) campaigns** (*LapDogs*, *PolarEdge*). Targeted models include **4G-AC55U, GT-AC5300, RT-AC1300UHP**, and others. ASUS has released **security updates** addressing all exploited flaws, but **unpatched or unsupported devices remain vulnerable** to takeover by other actors.

  4. 07.11.2025 02:22 · 1 article

    Chinese APT Group Breaches U.S. Congressional Budget Office

    The U.S. Congressional Budget Office (CBO) confirmed a cybersecurity incident after a suspected foreign hacker—potentially linked to Chinese state-sponsored APT groups—breached its network. The intrusion, detected in early November 2025, may have exposed sensitive emails, draft reports, and internal communications between CBO analysts and congressional offices. The CBO contained the incident and deployed additional monitoring and security controls. This breach follows a pattern of targeted attacks on U.S. government agencies, including the **U.S. Treasury Department and CFIUS** in late 2024, both attributed to the Chinese APT group **Silk Typhoon**. The CBO, a nonpartisan agency providing economic analysis to Congress, represents a critical target for espionage or influence operations. The incident underscores the expanding scope of Chinese APT campaigns beyond traditional critical infrastructure to include legislative and economic policy institutions.

  5. 20.10.2025 15:15 · 1 article

    Salt Typhoon Exploits Citrix NetScaler Gateway Vulnerability in Global Cyber-Attack

    Salt Typhoon has exploited a Citrix NetScaler Gateway vulnerability in a recent cyber intrusion. The group has used DLL sideloading and zero-day exploits to infiltrate systems. The intrusion involved a European telecommunications organization, beginning in July 2025. The attackers deployed a backdoor identified as SNAPPYBEE (also known as Deed RAT) through DLL sideloading. The backdoor established communication with command-and-control (C2) servers using HTTP and unidentified TCP-based protocols. The C2 domain aar.gandhibludtric[.]com was previously associated with Salt Typhoon infrastructure.

  6. 24.09.2025 04:00 · 2 articles

    RedNovember Targets Global Infrastructure Using Public Exploits

    RedNovember has targeted perimeter appliances of high-profile organizations globally, including defense and aerospace organizations, space organizations, and law firms. The group has breached at least two U.S. defense contractors, a European engine manufacturer, and a trade-focused intergovernmental cooperation body in Southeast Asia. RedNovember has used the Go-based backdoor Pantegana and Cobalt Strike as part of its intrusions, along with the Spark RAT and LESLIELOADER. The group has also used VPN services like ExpressVPN and Warp VPN to administer and connect to servers used for exploitation and communication.

  7. 07.09.2025 17:09 · 3 articles

    Czech Republic's NUKIB Issues High Risk Warning on Chinese Technology

    The Czech Republic's National Cyber and Information Security Agency (NUKIB) has issued a warning instructing critical infrastructure organizations to avoid using Chinese technology or transferring user data to servers located in China. The agency has re-evaluated its risk estimate of significant disruptions caused by China, now assessing it at a 'High' level. The NUKIB has confirmed malicious activities of Chinese cyber-actors targeting the Czech Republic, including a recent APT31 campaign targeting the Czech Ministry of Foreign Affairs. The warning includes consumer devices such as smartphones, IP cameras, electric cars, large language models, medical devices, and photovoltaic converters manufactured by Chinese firms as risky devices. All entities subject to the Czech Cybersecurity Act must adopt security measures to mitigate risks associated with Chinese technology.

  8. 04.09.2025 23:04 · 3 articles

    Czech Republic Issues Advisory on PRC Data Theft

    The Czech Republic's National Cyber and Information Security Agency (NUKIB) issued an advisory warning about data transfers to the People's Republic of China (PRC). The advisory highlights concerns over the transfer of system and user data to China, potentially misused by state, military, or political interests. The Czech government previously accused China of targeting its critical infrastructure through APT 31, an allegation denied by the PRC but condemned by the US, EU, and NATO. The advisory suggests that individuals and organizations consider restricting or prohibiting the use of products and services that transfer data to China.

  9. 28.08.2025 17:04 · 4 articles

    Salt Typhoon Exploits Edge Devices to Breach 600 Organizations

    The Salt Typhoon group has targeted at least 600 organizations across 80 countries, including 200 in the U.S. The actors have exploited vulnerabilities in Cisco, Ivanti, and Palo Alto Networks devices to gain initial access and have modified routers to maintain persistent access and pivot into other networks. The compromised devices are used to capture TACACS+ traffic for lateral movement and deeper network infiltration. The actors have enabled sshd_operns service on Cisco IOS XR devices to gain root access. The campaign is supported by an ecosystem of contractors, academics, and facilitators aiding in tool development and intrusion operations. The group has also exploited a Citrix NetScaler Gateway vulnerability in a recent cyber intrusion.

  10. 27.08.2025 15:00 · 10 articles

    Joint Advisory on Chinese State-Sponsored Actors Targeting Global Infrastructure

    The advisory includes previously unknown insights into People's Republic of China (PRC) cyber operations, highlighting a critical shift from espionage to **potential disruptive capabilities**. It notes that APT actors may target devices such as Fortinet firewalls, Juniper firewalls, Microsoft Exchange, and others. **Update (2026-01-06):** Taiwan’s National Security Bureau (NSB) corroborates this trend, reporting a **tenfold increase in attacks on Taiwan’s energy sector** in 2025, with **BlackTech, Flax Typhoon, Mustang Panda, APT41, and UNC3886** exploiting hardware/software vulnerabilities, DDoS, social engineering, and supply-chain attacks. The NSB’s findings align with prior advisories from **CISA, NSA, and allies**, underscoring the PRC’s expanding focus on **industrial control systems** and **long-term access for potential sabotage**. **Update (2026-02-09):** Singapore’s Cyber Security Agency (CSA) disclosed that **UNC3886** launched a **targeted cyber espionage campaign** against all four of Singapore’s major telecommunications operators (**M1, SIMBA Telecom, Singtel, StarHub**), weaponizing a **zero-day exploit** to bypass perimeter defenses and deploying **rootkits** for persistence. The **CYBER GUARDIAN** operation successfully disrupted the actors’ access and expanded monitoring, reinforcing the advisory’s warnings about **China’s escalating focus on critical infrastructure**.

Similar Happenings

Asian State-Backed Group TGR-STA-1030 Targets 70 Government and Infrastructure Entities

A previously undocumented cyber espionage group, TGR-STA-1030, has compromised at least 70 government and critical infrastructure organizations across 37 countries over the past year. The group, assessed to be of Asian origin, leverages phishing emails and exploits N-day vulnerabilities to deploy malware and maintain long-term access for espionage purposes. Targets include national law enforcement, ministries of finance, and departments related to economic, trade, natural resources, and diplomatic functions. The group uses a variety of tools, including Cobalt Strike, Behinder, Godzilla, and a Linux kernel rootkit named ShadowGuard. The group conducted reconnaissance activity targeting government entities connected to 155 countries between November and December 2025 and showed increased interest in scanning entities across North, Central, and South America during the U.S. government shutdown in October 2025. The group also exploited at least 15 known vulnerabilities in SAP Solution Manager, Microsoft Exchange Server, D-Link, and Microsoft Windows.

China-Linked UAT-7290 Targets Telecoms with Linux Malware and ORB Nodes

China-nexus threat actor UAT-7290 has been targeting telecommunications providers in South Asia and Southeastern Europe since at least 2022. The group conducts extensive reconnaissance before deploying malware families like RushDrop, DriveSwitch, SilentRaid, and Bulbature. UAT-7290 also establishes Operational Relay Box (ORB) nodes, which other China-nexus actors may use, indicating a dual role in espionage and initial access provision. The group uses a mix of open-source malware, custom tooling, and 1-day vulnerabilities in edge networking products. Recent activity shows overlaps with RedLeaves, ShadowPad, and RedFoxtrot, suggesting a broader China-linked operation.

Exploitation of Network Security Flaws by APT Actors

Multiple network security products, including those from Fortinet, SonicWall, Cisco, and WatchGuard, have been targeted by threat actors exploiting critical vulnerabilities. Cisco's AsyncOS flaw (CVE-2025-20393) is being exploited by a China-nexus APT group, UAT-9686, to deliver malware such as ReverseSSH and AquaPurge. SonicWall's SMA 100 series appliances are also being targeted through a combination of vulnerabilities to achieve unauthenticated remote code execution. These attacks highlight the increasing focus on network security products as entry points for deeper network infiltration.

Notepad++ Update Mechanism Exploited to Deliver Malicious Payloads

Notepad++ version 8.8.9 was released to address a security flaw in its WinGUp update tool that allowed attackers to push malicious executables instead of legitimate updates. Users reported incidents in which the updater spawned a malicious AutoUpdater.exe that collected device information and exfiltrated it to a remote site. The flaw was first mitigated by enforcing updates only from GitHub and later by requiring signature verification for all updates. Security researchers noted targeted attacks against organizations with interests in East Asia, where Notepad++ processes were used to gain initial access. The compromise was not a flaw in the software's code but an infrastructure-level compromise of the shared hosting provider behind the update feature, which let the attackers intercept and selectively redirect update requests from certain users to malicious servers. The incident commenced in June 2025 and continued until December 2025. Direct server access by the attackers ended on September 2, 2025, but credentials associated with internal services remained exposed until December 2, 2025, and the attackers used these previously obtained credentials to regain access and continue redirecting traffic. The attackers were likely Chinese state-sponsored threat actors. Notepad++ has since migrated all clients and its website to a new hosting provider with stronger security and plans to enforce mandatory certificate signature verification in version 8.9.2. The hosting provider confirmed no additional customers were affected.

Storm-0249 Adopts Advanced Tactics for Ransomware Attacks

Storm-0249, previously known as an initial access broker, has escalated its operations by employing advanced tactics such as domain spoofing, DLL sideloading, and fileless PowerShell execution to facilitate ransomware attacks. These methods allow the threat actor to bypass defenses, infiltrate networks, maintain persistence, and operate undetected. The group has shifted from mass phishing campaigns to more precise attacks, leveraging the trust associated with signed processes for added stealth. The ultimate goal is to obtain persistent access to enterprise networks and monetize them by selling access to ransomware gangs.