Suspected Chinese Cyber Operations Targeted U.S. and Belgian Government Networks
Suspected Chinese hackers were linked to multiple intrusions into Western government systems, including the exploitation of the SolarWinds software supply-chain compromise to access the U.S. National Finance Center, a payroll agency serving several federal departments, according to Reuters sources. In a separate case, Belgian prosecutors opened an investigation into an alleged breach of the country's intelligence service, with reports indicating Chinese state-linked actors may have accessed an external email server used for communications with public prosecutors, police, ministries, and other institutions.
The incidents add to a broader pattern of state-backed cyber espionage focused on sensitive government data and communications infrastructure. The U.S. case highlighted how attackers used a trusted software update channel to reach federal networks, while the Belgian probe underscored concerns that third-party systems connected to intelligence and law-enforcement bodies can become high-value entry points for foreign surveillance operations.

How this story unfolded
9 events from the most recent confirmed update back to the earliest known activity.
Russia escalates pressure on Telegram with encryption breach allegations
Russian authorities intensified their campaign against Telegram by alleging that foreign intelligence services could exploit weaknesses in the platform's encryption, claims the company rejected. The dispute added a cyber-security dimension to the broader pressure campaign against the messaging service and its founder.
Apple and Google issue new cyber threat alerts to users worldwide
Apple sent a fresh round of threat notifications to users in 84 countries, while Google also warned targeted users about suspected cyber activity. The alerts indicated continued global targeting of individuals with sophisticated spyware or related threats.
Belgian prosecutor opens probe into alleged hack of state security service
Belgium's federal prosecutor began investigating allegations that Chinese hackers breached the country's intelligence service. The probe signaled formal law-enforcement scrutiny of a suspected state-backed espionage incident.
Microsoft Exchange hack compromises over 20,000 U.S. organizations
Security experts said exploitation of Microsoft Exchange Server flaws had already compromised more than 20,000 U.S. organizations as mass hacking accelerated. The incident marked a major escalation in the impact of the Exchange vulnerabilities.
Suspected Chinese hackers used SolarWinds access to target U.S. payroll agency
Sources told Reuters that suspected Chinese hackers exploited a SolarWinds software flaw to spy on the U.S. National Finance Center, which handles payroll for multiple federal agencies. The report identified a separate espionage operation from the Russia-linked SolarWinds compromise.
Microsoft says malicious SolarWinds-linked software reached its systems
Microsoft disclosed that it had found malicious software in its environment as part of the broader SolarWinds breach investigation. The company said it found no evidence its production services or customer data were affected, but the announcement marked a major confirmation that a leading technology provider was also impacted.
Researchers disclose Spectre and Meltdown processor flaws
Major security flaws affecting chips used in most phones and computers were publicly disclosed, exposing systems to potential data theft across vendors and platforms. The revelations prompted emergency mitigation efforts by hardware and software companies.
Bithumb discloses hack affecting user accounts and funds
South Korean cryptocurrency exchange Bithumb reported that hackers stole customer data and funds, including losses tied to compromised user accounts. The incident was disclosed in early July 2017.
Ukrainian officials say global cyberattack masked malware deployment
During the June 2017 NotPetya outbreak, a Ukrainian police official said the worldwide cyberattack was likely intended to cover installation of malware in Ukraine. The statement reframed the incident as a targeted operation rather than ordinary ransomware.
Sources
6 references tracked.
Belgian prosecutor probes alleged Chinese hacking of intelligence service | Reuters
reuters.com
More than 20,000 U.S. organizations compromised through Microsoft flaw | Reuters
reuters.com
Microsoft says it found malicious software in its systems | Reuters
reuters.com
Philippines' RCBC sues 'vicious' Bangladesh Bank over heist claim | Reuters
reuters.com
Security flaws put virtually all phones, computers at risk | Reuters
reuters.com
Global cyber attack likely cover for malware installation in Ukraine: police official | Reuters
reuters.com


