Reports Highlight China-Led Expansion of Offensive Cyber Operations and Targeting of Defense and Critical Infrastructure
Multiple reports and leaked documents indicate China-linked cyber operations are expanding in scale and sophistication, with a strong emphasis on targeting government, telecommunications, and other strategic sectors. A Forescout Vedere Labs analysis cited by Cybernews reported China as the top origin of threat operations last year (210), with Russia and Iran also major contributors; the reporting also highlighted suspected China-linked activity tied to a multi-year compromise of South Korea’s Onnara System, including theft of civil servants’ GPKI certificates and credentials, and noted Taiwan’s National Security Bureau reporting an average of 2.63 million attacks per day last year.
Separately, leaked technical materials reviewed by Recorded Future News describe a purported Chinese internal training environment—part of an integrated system called “Expedition Cloud”—used to rehearse offensive cyberattacks against replicas of neighboring countries’ real-world networks, including power/energy transmission, transportation, and smart home infrastructure. In parallel, a Google Threat Intelligence Group report warned of a “relentless barrage” of nation-state activity against the U.S. defense industrial base, describing a shift beyond classic espionage into supply-chain attacks, workforce infiltration, and battlefield-adjacent operations; Google attributed much of the activity to Chinese, Russian, Iranian, and North Korean actors and noted continued Russian targeting of organizations supporting Ukraine, including phishing, malware aimed at mobile battlefield-management apps, and attempts to access encrypted messaging platforms.
Get ahead of threats like this
Mallory correlates global threat intelligence with your attack surface — know if you’re exposed before adversaries strike.
How this story unfolded
6 events from the most recent confirmed update back to the earliest known activity.
Reporting highlights UNC6508's INFINITERED espionage technique
Follow-on coverage of Google's analysis described China-nexus group UNC6508 using INFINITERED malware for long-term espionage by persisting in REDCap application files and abusing email forwarding rules for stealthy exfiltration. The reporting underscored the growing use of edge-device exploitation and insider-style access against defense-related targets.
Google warns of relentless cyber campaign against U.S. defense industry
Google Threat Intelligence Group published a report warning that the U.S. defense industrial base faces a relentless, expanding cyber campaign involving espionage, supply-chain compromise, workforce infiltration, and battlefield-adjacent operations. The report identified China, Russia, Iran, and North Korea as major sources of activity, with Chinese-linked groups assessed as the most active by scale.
Leaked documents expose China's 'Expedition Cloud' attack rehearsal platform
Recorded Future News reported on leaked technical documents describing 'Expedition Cloud,' an alleged Chinese offensive cyber training platform used to rehearse attacks against replicas of critical infrastructure in neighboring countries. The materials, reportedly recovered from an unsecured FTP server, included source code, training information, and software assets tied to CyberPeace.
Taiwan reports 2.63 million daily cyberattacks on average in 2025
Taiwan's National Security Bureau said it recorded an average of 2.63 million cyberattacks per day in 2025, representing a 6% increase over 2024. The statistic was cited in reporting on heightened China-linked cyber pressure in the region.
Chinese actors intensify pre-positioning against South Korea and Taiwan
Forescout Vedere Labs reported escalated Chinese pre-positioning activity targeting South Korea and Taiwan during 2025. The activity was part of broader Chinese threat operations that outpaced other countries that year.
China-linked compromise of South Korea's Onnara System begins
China-linked actors were suspected of compromising South Korea's Onnara System in a campaign that lasted nearly three years. The intrusion allegedly resulted in the theft of civil servants' GPKI certificates and credentials.
Related entities
Vulnerabilities, threat actors, malware, products, organizations, and breaches Mallory has linked to this story.
Sources
5 references tracked. Mallory keeps watching after this page renders.
GTIG Analysis Highlights Escalating Espionage and Supply Chain Risks Facing Defense Sector
cybersecuritynews.com
Open sourceReport: Most hacking groups originate from China | SC Media
scworld.com
Open sourceGoogle Warns of 'Relentless' Cyber Siege on Defense Industry
bankinfosecurity.com
Open sourceGoogle Warns of 'Relentless' Cyber Siege on Defense Industry
govinfosecurity.com
Open sourceLeaked technical documents show China rehearsing cyberattacks on neighbors’ critical infrastructure | The Record from Recorded Future News
therecord.media
Open sourceSee the full picture, correlated to your attack surface.
Map indicators from this story to your assets and identify affected systems in minutes.
Every observed campaign, victim, and pivot linked to actors named in this story.
Malware, exploits, and IOCs connected to the activity described here.
YARA, Sigma, and Snort rules deployed to your SIEM as soon as they’re published.
Get matching new stories delivered to your team as they break — not the next morning.
Ask questions about this story and take action on the answers.
Related stories
Other stories Mallory is tracking that overlap on entities, sources, or topic labels.
Google Warns of Escalating State-Backed Cyber-Espionage Targeting Europe’s Defense Industrial Base
Google’s Threat Intelligence Group reported an intensifying, state-backed cyber-espionage campaign against **Western defense companies**—particularly across Europe—describing a “constant, multi-vector siege” aimed at stealing sensitive R&D, disrupting production, and gaining insight into next-generation battlefield systems. The report highlights **drone manufacturers and advanced weapons developers** as priority targets, with **Russia-linked activity** emphasized in the context of the war in Ukraine and a focus on unmanned aircraft technologies and their suppliers. Google attributed one phishing campaign to **UNC5976**, which used **malicious Remote Desktop Protocol (RDP) files** and **spoofed domains** impersonating defense firms across multiple countries. Google assessed that multiple state actors—**Russia, Iran, China, and North Korea**—are leveraging a broad set of access paths, including exploitation of **hiring processes**, **personal accounts**, and **remote work** environments, while smaller manufacturers and adjacent suppliers are also seeing **extortion attempts**, indicating widening supply-chain pressure. Separate reporting also described leaked documents indicating China has used a training platform (*Expedition Cloud*, developed by CyberPeace) to rehearse critical-infrastructure intrusions against neighboring countries by building network “templates” of targets and running reconnaissance-to-attack drills, underscoring the operational maturity and preparation that can translate into real-world campaigns against high-value sectors such as defense and critical infrastructure.
Mar 21, 2026
Geopolitical Cyber Operations Targeting Critical Infrastructure and Economic Systems
Reporting and commentary highlighted how **state-linked cyber activity** is being used for sustained pressure against critical infrastructure and economic targets rather than isolated, one-off attacks. Taiwan’s government and related reporting described **China-linked probing and “prepositioning”** against Taiwanese critical infrastructure as ongoing and scaling, consistent with reconnaissance and access maintenance objectives that could enable future disruption. Separately, an op-ed argued that U.S. signaling around the ability to “darken” parts of Caracas and reported disruptions affecting Venezuela’s state oil sector illustrate how cyber-enabled interference can function as a tool of state power **below the threshold of open conflict**. A longer-form retrospective on the Russia–Ukraine conflict framed the period as a “full-scale cyber war,” citing the **Kyivstar destructive attack** attributed to **Sandworm** as a landmark incident: attackers reportedly maintained access for months before wiping large portions of the operator’s environment, disrupting telecom and related services. The same piece described Ukraine’s broader incident volume growth and the use of multiple **wiper malware** families, alongside claims of Ukrainian retaliatory operations (e.g., DDoS activity against Russian banking), reinforcing the theme that critical infrastructure and national economic systems are central targets in modern geopolitical cyber campaigns. While one weekly “signals” post also mentioned patch/KEV dynamics and SaaS exposure as near-term risk amplifiers, its primary geopolitical takeaway aligned with the broader pattern of sustained state-linked activity against critical infrastructure.
Mar 21, 2026
Google GTIG Warns of Intensifying Nation-State Targeting of the Defense Industrial Base
Google’s Threat Intelligence Group (GTIG) reported sustained and expanding cyber operations against the **defense industrial base (DIB)** by state-linked and aligned actors from **China, Iran, North Korea, and Russia**, driven by battlefield technology demands and geopolitical conflict. Reported themes include targeting defense organizations supporting the Russia–Ukraine war, **social engineering and recruitment/hiring-process abuse** aimed at employees (notably attributed to North Korean and Iranian activity), increased reliance on **edge devices and appliances** for initial access by China-nexus groups, and heightened **supply-chain exposure** tied to compromises in adjacent manufacturing ecosystems. The reporting highlights specific tactics and actor activity, including Russia-linked **APT44 (Sandworm)** efforts to access data from **Telegram and Signal**, including use of a Windows batch script (`WAVESIGN`) to decrypt and exfiltrate data from Signal Desktop after likely obtaining physical access to devices in Ukraine. Additional activity described includes Ukraine-focused campaigns using defense-themed lures (e.g., drones and counter-drone systems) and broader nation-state use of **zero-day exploitation in edge devices** to establish footholds in defense contractors’ networks, reinforcing GTIG’s assessment that “pre-positioning” and continuous access-building are now baseline expectations for DIB organizations.
Mar 21, 2026