Sunday, May 28, 2023

Guide to Chinese hacker groups

Chinese hackers pose a global threat

In recent years, China has become a major global player with regard to hacking campaigns and cyber espionage. The country’s technological sophistication and depth has resulted in the US determining that Chinese hacking poses a grave threat to national security and economic stability.

According to a statement from FBI Director Christopher Wray, China’s hacking program is larger than “that of every other major nation combined.”

While hacking activity from Russia and other countries has a hefty financial motivation, Chinese hackers are primarily interested in gathering sensitive information about nations that they deem to be adversarial to China’s interests.

Considering the country’s reputation for unscrupulous authoritarian control over its own citizens and its ever-increasing appetite for global power and influence, it is no surprise that the Chinese Ministry of State Security regularly operates through front companies and universities via contracted hackers.

These state-sponsored campaigns often disguise their espionage efforts as ransomware attacks or run-of-the-mill data breaches.

Many hacker or ransomware gangs are quick to take credit for their breaches, with some even claiming responsibility for attacks they did not commit to garner respect from the cybercriminal community.

However, Chinese hackers appear to be almost entirely uninterested in the chest-thumping and flag-waving of their international peers.

Hacks of Chinese origin are usually determined by investigative agencies and researchers, while the perpetrators themselves remain characteristically silent.

Chinese hackers vs. the United States

Hacking is not new to China. The country has a long history of carrying out messy attacks on government agencies, think tanks and companies based in rival nations.

In the early 2010s, China’s aggression plagued US business operations with rampant hacks that saw proprietary data stolen regularly.

While threats of sanctions against the country were floated, in 2015 an agreement was reached between Chinese President Xi Jinping and US President Barack Obama in which Xi agreed to no longer knowingly allow theft campaigns to continue. 

For a period of 18 months, Chinese hacking activity remained relatively low in the private sector. However, with the election of Donald Trump and his administration’s renewed adversarial tension regarding Chinese trade and diplomacy, the US found itself once again in the crosshairs.

Hacking has become a foundational strategic component of China’s military and foreign policy tactics.

Scattershot phishing campaigns and relatively low-level data breaches remain in effect, but the majority of China’s intelligence-gathering hacks have moved underground and are now executed by a highly capable network of decentralized groups tightly controlled by the Chinese government.

While news and information about hacker groups of Russian origin are easy to come by, China’s clandestine cyber campaigns make the perpetrators harder to identify, and the tactics they use make them harder to track down.

Noteworthy Chinese hacker groups

Deep Panda

Deep Panda has been active for nearly a decade, regularly leveraging exploits and vulnerabilities to hack targets in government, healthcare, defense and more.

Most recently, Deep Panda has been using the Log4Shell vulnerability to continue to probe for sensitive information.

Deep Panda is believed to be responsible for successfully hacking United Airlines, the US Office of Personnel Management and health insurer Anthem.

Double Dragon

Active since at least 2012, Double Dragon (also known as Cicada) has been implicated in cyber espionage campaigns targeting 14 different countries using especially aggressive and sophisticated methods to exfiltrate data and conduct supply chain hacks.

Double Dragon is known to hack private companies in the telecom and travel industries in order to track the movements of individuals within foreign governments that they deem to be of interest.

They employ this same tactic to spy on those deemed to be dissidents within the Chinese government as well.

A resourceful and adept organization, Double Dragon also conducts financially motivated hacks in addition to their espionage campaigns. 

Hafnium

Hafnium is a Chinese hacking group that gained notoriety for their 2021 hack of Microsoft Exchange Server. The hack was felt the world over and resulted in a domino effect among organizations and companies that relied on Microsoft’s product.

The group has a reputation for targeting “infectious disease researchers, law firms, higher education institutions, defense contractors, policy think tanks and NGOs,” according to a blog post from Microsoft that followed the attack.

APT41

APT41 (also known as Barium, BlackFly or Winnti) is a malicious Chinese state-sponsored hacking collective that recently undertook a major campaign dubbed Operation CuckooBees.

Operation CuckooBees siphoned trillions in intellectual property from around 30 companies in the manufacturing, pharma and energy sectors.

Those familiar with the theft said that the group stole everything from blueprints related to missiles and fighter jets to information about drugs used to treat obesity and diabetes. 

APT41’s ability to infiltrate systems carefully and surgically steal exactly what it needs to make sense of the proprietary data inside makes the group an especially prolific and damaging threat.

Hacker enterprises like APT41 allow China to skip the development phase of their own pharmaceuticals or defense technology and get right to production with their own versions using stolen blueprints.

This same intellectual property theft is also used to develop the counterfeit or “knock-off” consumer electronics and devices that are so prevalent in China.

Aoquin Dragon

Aoquin Dragon is a newly discovered Chinese hacker group.

However, the gang’s activities have been traced to as far back as 2013. As to be expected, they primarily deal in cyber espionage and data theft.

The group has remained largely shrouded in mystery for years, with researchers only putting the pieces together regarding its existence recently. 

To conceal their tracks, Aoquin Dragon hackers have constantly changed the techniques and tools they employ. They have been known to use three different infection chains to hack their targets.

It is almost certain that their uncovering will see the group once again switch gears and refresh their methods to hide their activity as they continue to spy on government, telecom and education organizations based in Hong Kong, Vietnam, Australia and more.

Derek Walborn
Derek Walborn is a freelance research-based technical writer. He has worked as a content QA analyst for AT&T and Pernod Ricard.
