Full Report
CrowdStrike observed significant growth in China's offensive cyber capabilities in 2024, with more China-linked groups applying sector-specific tradecraft against critical industries and the technologies particular to them.
Source: CyberScoop, "It's not just Salt Typhoon: All China-backed attack groups are showcasing specialized offensive skills".
Analysis Summary
# Threat Actor: China-Linked Nation-State Actors (General Summary)
## Attribution & Identity
Attribution points to operations backed by the Chinese state ("China-backed nation-state actors"). The summary names several groups under this umbrella, using CrowdStrike's "Panda" naming alongside the "Typhoon" names used in other reporting: **Volt Typhoon** (tracked by CrowdStrike as **Vanguard Panda**), **Operator Panda** (CrowdStrike's name for the group widely reported as **Salt Typhoon**), **Liminal Panda**, and **Locksmith Panda**. The overall capability reflects decades of investment and a deep pool of trained, readily available technical talent.
## Activity Summary
Intrusions attributed to China-linked actors rose by a "terrifying" 150% across all sectors in 2024 compared with 2023. The report also notes increased sophistication: a move away from "smash-and-grab" intrusions toward "enduring and persistent access."
Of the seven new China-linked groups CrowdStrike identified, five showed distinct sector specializations. One group in particular was noted:
* **Operator Panda (Salt Typhoon):** Linked to a spree of intrusions into U.S. and global telecom providers that reportedly began about two years before it was discovered. Activity was observed as recently as January.
## Tactics, Techniques & Procedures
- **Specialized Offensive Skills:** Groups apply sector-specific skills against the technologies unique to the sectors they target (for example, telecom core network equipment in the case of the telecom-focused groups).
- **Obfuscation:** Multiple groups established **Operational Relay Box (ORB) networks**: meshes of compromised edge devices (SOHO routers, VPN appliances and similar) through which operator traffic is relayed, so that intrusions appear to originate from many unrelated, often residential, IP addresses rather than from attacker-owned infrastructure.
- **Persistence:** A shift from short-term data theft to maintaining enduring, persistent access, with a corresponding investment in staying undetected.
- The article gives no MITRE ATT&CK IDs. The ORB relaying described above corresponds to T1090.003 (Proxy: Multi-hop Proxy), with the relay infrastructure built through T1584.005 (Compromise Infrastructure: Botnet); this mapping is the editor's, not the article's.
## Targeting
- **Sectors:** Significant increases were observed in:
* Financial Services
* Media
* Manufacturing
* Industrials and Engineering
* Telecom Networks (specifically targeted by Liminal Panda, Locksmith Panda, and Operator Panda)
* Critical Infrastructure (mentioned generally; Volt Typhoon/Vanguard Panda is singled out, with logistics networks as a focus)
- **Geography:** Global, with specific mention of attacks on U.S. and global telecom providers.
- **Victims:** U.S. and global telecom providers; critical infrastructure logistics networks.
## Tools & Infrastructure
- **Malware families used:** None are named in the article; the emphasis is on infrastructure rather than tooling.
- **Infrastructure:** **Operational Relay Box (ORB) networks** built from compromised edge devices and used to relay operator traffic, which hides the true origin of an intrusion and makes IP-based blocking and attribution unreliable.
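The ORB relaying described in the Tactics section and again here leaves a measurable trace on the victim side: a single account or session series arriving from many unrelated source networks within a short window. The script below is an added example, not code from the article or from CrowdStrike, that runs that check over a handful of constructed authentication log lines. The log format (`timestamp user src_ip`), the 30-minute window, the thresholds and the /24 grouping are all assumptions chosen for illustration.

```python
"""Flag accounts whose sessions arrive from an unusually wide spread of
source networks in a short window, a pattern consistent with traffic
relayed through an ORB network of compromised edge devices.

Added example (not CrowdStrike's or CyberScoop's code). The log format,
window, thresholds and sample lines below are assumptions.
"""
from collections import defaultdict
from datetime import datetime, timedelta, timezone
import ipaddress

WINDOW = timedelta(minutes=30)  # assumed sliding window per account
MIN_IPS = 5                     # assumed: distinct source IPs inside the window
MIN_PREFIXES = 3                # assumed: distinct /24s (IPv6: /48) inside the window

# Constructed sample log (assumed format: ISO timestamp, user, source IP).
# Documentation address ranges only; "bob" fans out across three /24s in
# twelve minutes, "alice" and "carol" stay within one network.
SAMPLE_LOG = """\
2025-01-14T08:00:12Z alice 203.0.113.7
2025-01-14T08:03:40Z alice 203.0.113.9
2025-01-14T08:05:01Z bob 198.51.100.23
2025-01-14T08:06:15Z bob 192.0.2.44
2025-01-14T08:09:33Z bob 198.51.100.77
2025-01-14T08:11:02Z bob 203.0.113.150
2025-01-14T08:14:48Z bob 192.0.2.201
2025-01-14T08:17:20Z bob 203.0.113.88
2025-01-14T09:40:00Z carol 192.0.2.10
2025-01-14T11:52:19Z bob 192.0.2.44
"""


def parse_log(text):
    """Parse 'timestamp user src_ip' lines into sorted (ts, user, ip) tuples."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        ts_str, user, ip = line.split()
        ts = datetime.strptime(ts_str, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        events.append((ts, user, ipaddress.ip_address(ip)))
    events.sort()
    return events


def network_prefix(ip):
    """Coarse network key: /24 for IPv4, /48 for IPv6 (assumed grouping)."""
    bits = 24 if ip.version == 4 else 48
    return ipaddress.ip_network(f"{ip}/{bits}", strict=False)


def find_relay_spread(events, window=WINDOW, min_ips=MIN_IPS, min_prefixes=MIN_PREFIXES):
    """Return {user: (distinct_ips, distinct_prefixes)} for every user whose
    sessions inside some single window span at least min_ips source addresses
    drawn from at least min_prefixes distinct networks."""
    by_user = defaultdict(list)
    for ts, user, ip in events:
        by_user[user].append((ts, ip))

    flagged = {}
    for user, sessions in by_user.items():
        sessions.sort()
        start = 0
        for end in range(len(sessions)):
            # Slide the left edge forward until the window fits.
            while sessions[end][0] - sessions[start][0] > window:
                start += 1
            ips = {ip for _, ip in sessions[start:end + 1]}
            prefixes = {network_prefix(ip) for ip in ips}
            if len(ips) >= min_ips and len(prefixes) >= min_prefixes:
                best = flagged.get(user, (0, 0))
                flagged[user] = max(best, (len(ips), len(prefixes)))
    return flagged


if __name__ == "__main__":
    for user, (n_ips, n_pfx) in find_relay_spread(parse_log(SAMPLE_LOG)).items():
        print(f"{user}: {n_ips} source IPs across {n_pfx} networks within {WINDOW}")
```

The grouping by /24 is a stand-in for the ASN or ISP enrichment a real pipeline would use; an ORB network rarely hands the same operator two addresses from one residential prefix, so the prefix count is the stronger of the two signals. Treat the output as a lead, not a verdict: mobile users, split-tunnel VPNs and carrier-grade NAT also produce source spread, so thresholds need a per-tenant baseline before the check is allowed to page anyone.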
## Implications
China's offensive cyber capabilities are now considered "on par with other world powers." The increasing specialization and high volume of intrusions into critical infrastructure sectors (especially telecom and logistics) pose a significant, growing threat to global stability and critical services.
## Mitigations
The article lists no specific, proactive mitigations; it concentrates on the observed capabilities. Its one defense-relevant observation is that these groups are investing in staying undetected for long periods, which points defenders toward detection of long-dwell access (accounts and edge devices that persist across many months), root-cause analysis when such access is found, and scrutiny of inbound traffic whose source addresses look like compromised consumer edge devices rather than attacker-owned hosting.