China now operates an estimated 210 state-backed hacking organizations, the largest such apparatus in the world. The scale alone marks a decisive shift: cyber operations linked to the Chinese Communist Party (CCP) are no longer episodic or reactive, but structural, persistent, and designed for long-term strategic leverage. Taiwan has emerged as the primary target.
What distinguishes the current phase is not just volume, but intent. Chinese cyber operations have moved beyond data theft toward systematic penetration of national critical infrastructure, embedding access that can be activated during political or military crises. Governments across Asia—and increasingly worldwide—are being forced to confront a reality in which cyberwarfare is no longer a shadow activity but a permanent front.

China leads the world in state-sponsored cyber forces
According to the 2025 Threat Roundup published by Vedere Labs, the research division of cybersecurity firm Forescout, China accounts for the largest number of state-supported hacking groups globally. As of last year, analysts identified 210 distinct China-based cyber units, nearly twice the number attributed to Russia (112) and almost four times Iran’s total (55).
China, Russia, and Iran together account for approximately 45 percent of all known state-backed cyber threat actors worldwide, with China ranking decisively first.
These figures do not represent attack frequency, but rather the number of independent operational organizations tracked by researchers. In 2025 alone, these groups targeted networks in 178 countries, focusing primarily on government agencies, financial systems, and telecommunications infrastructure. By both organizational depth and operational reach, China’s cyber capability shows unmistakable signs of institutionalized expansion.

Success
You are now signed up for our newsletter
Success
Check your email to complete sign up
Taiwan bears the brunt of Beijing’s cyber pressure
Nowhere is this escalation more visible than in Taiwan.
In January, Taiwan’s National Security Bureau (NSB) released its 2025 Analysis of CCP Cyber Threats to National Critical Infrastructure, reporting that cyberattacks on Taiwanese government networks averaged 2.63 million attempts per day in 2025.
This represents a 113 percent increase since systematic tracking began in 2023, and a further six percent rise over 2024 levels.
The NSB reports that CCP-linked hacking groups routinely combine vulnerability exploitation, distributed denial-of-service (DDoS) attacks, social engineering, and supply-chain intrusions. Targets include not only central government systems but also energy networks, hospitals, financial institutions, and other pillars of civilian life.
Since the second half of 2025, the operational focus has shifted decisively. Cyber activity has moved away from isolated data theft toward long-term access to infrastructure that would be critical in a conflict scenario. Analysts note that surges in attack intensity often align with periods of heightened political or military tension, reinforcing the assessment that cyberattacks function as an instrument of coercion.

From espionage to pre-positioning for conflict
Cybersecurity specialists emphasize that the central danger lies in qualitative transformation, not merely numerical growth.
China-linked hacking groups have increasingly adopted a strategy known as “pre-positioning”—the deliberate placement of persistent, concealed access points within essential systems such as power grids, transportation networks, and communications infrastructure. Rather than seeking immediate disruption or profit, attackers aim to remain undetected for years, preserving the ability to act instantly during future crises.
Artificial intelligence has become integral to this approach. Vedere Labs reports that AI-driven automation now performs much of the reconnaissance, vulnerability scanning, and data exfiltration associated with Chinese cyber operations, dramatically expanding speed and scale.
These attacks frequently rely on “living off the land” techniques, which use legitimate system tools to evade detection, as well as supply-chain compromises delivered through widely used commercial software. Together, these methods significantly degrade defenders’ ability to identify and contain intrusions.

South Korea’s silent breach reveals the cost of stealth attacks
South Korea has already experienced the consequences of this strategy.
The government workflow management platform Onnara, used by South Korean civil servants, was later found to have been compromised continuously from September 2022 to July 2025—nearly three years without detection. According to South Korea’s National Intelligence Service (NIS), attackers stole Government Public Key Infrastructure (GPKI) credentials and passwords, enabling them to impersonate legitimate officials and access administrative networks.
Although investigators have not formally named the sponsoring state, forensic evidence included records of Korean-language materials being translated into Chinese, as well as attempts to penetrate Taiwanese networks. These indicators significantly raise the likelihood of CCP involvement.
In a separate 2023 incident, a hacking group widely believed to be linked to China infiltrated a national satellite communications network and attempted to move deeper into government systems. The breach was detected in time to prevent further damage.
The NIS has disclosed that while North Korea accounted for the largest share of state-backed cyber incidents against South Korea between 2022 and 2024 by raw numbers, when attacks are categorized by severity and sophistication, threats linked to China exceed 20 percent.

Cyberwar without treaties or restraint
Park Chun-sik, a professor of cybersecurity at Ajou University, describes cyber conflict as a defining feature of modern warfare.
“Cyberattacks between states are now routine,” Park said. “But unlike nuclear weapons, cyber capabilities are not constrained by binding international treaties or enforcement mechanisms.”
Because of diplomatic considerations, he noted, most governments avoid publicly acknowledging their offensive cyber programs, even as they simultaneously develop both attack and defense capabilities.
“In this environment,” Park said, “states have no real alternative. They must build integrated cyber forces capable of both defense and retaliation. For South Korea, that means strengthening civilian protections while systematically developing national-level cyberwarfare response capacity.”