CrowdStrike's latest "Global Threat Report" warns that China is the primary nation-state threat, with a 150% increase in China-nexus activity observed across all sectors. The report, published Thursday, is CrowdStrike's annual study of the emerging threats -- and threat actors -- it researched over the previous year.
Front and center this year was the People's Republic of China (PRC), whose cyberthreat capabilities remain top of mind for the U.S. infosec community following the compromise of multiple telecommunications providers by PRC-backed threat group Salt Typhoon last year. Moreover, Salt Typhoon's threat activity continues, with Recorded Future recently identifying a threat campaign targeting Cisco devices that was ongoing as recently as January.
CrowdStrike's report said Chinese nation-state capabilities reached an "inflection point" in 2024, and that the country's espionage activity continued to increase across almost every sector the security vendor tracked. Though the vendor observed a 150% increase in threat activity across all sectors from PRC-linked actors over 2023, the engineering, financial services, industrial, manufacturing and media sectors saw threat activity increases of 200% to 300%. "Even among the top three sectors China-nexus adversaries most commonly target -- government, technology, and telecommunications -- China-nexus activity increased 50% in 2024 compared to 2023," the report read.
CrowdStrike also observed China-nexus adversaries responding to disruption efforts by governments, law enforcement and researchers by "redoubling their attempts to obfuscate operations," including the use of operational relay box (ORB) networks. Adam Meyers, CrowdStrike's senior vice president of Counter Adversary Operations, said during a press call attended by Informa TechTarget this week that one of the most important and "terrifying" stories in this year's Global Threat Report was China's cyber capabilities reaching a point where the country is on par with other world powers.
"They've invested in these offensive capabilities, and they're up there now with the best of the best," he said. "And that is something that we need to take note of and be very careful about, because they're driven by political ambitions." Although China's broader espionage and influence goals remain in place, CrowdStrike's report called attention to PRC General Secretary Xi Jinping's calls in 2014 for China to become a "cyber power," the Chinese Communist Party's (CCP's) strategy of national rejuvenation, and other technology priorities outlined in the 14th Five-Year Plan for 2021 through 2025.
"Throughout 2024, China-nexus adversaries' advancements manifested through increasingly bold targeting, stealthier tactics, and specialized operations," the report read. "The underlying motivation is likely China's desire for regional influence in the nation's near abroad. This includes a desire for the eventual reunification of Taiwan, which may ultimately bring China into conflict with the United States."
Early last year, former FBI Director Christopher Wray and former CISA Director Jen Easterly warned that the Chinese nation-state threat group known as Volt Typhoon was targeting critical infrastructure for the "development of capabilities that could disrupt critical communications infrastructure between the United States and Asia region during future crises." In other words, the threat group was laying the groundwork for future destructive attacks.
Similarly, Meyers said these pre-positioning activities are being carried out in preparation for hypothetical military action against Taiwan. "They have made it clear that they have the intention of unifying with Taiwan by military force, if necessary. And what we've seen is that in the last year or two [is] we've seen an increase in what has been characterized as pre-positioning, or what I would call operational preparation of the environment," he said.
CrowdStrike identified seven new China-nexus adversaries in 2024: five previously unknown threat actor groups, and two that are believed to be variants of groups CrowdStrike already tracked.
The report also highlighted a decrease in breakout time, which is the time it takes a threat actor to move laterally once it has obtained initial access. The average breakout time dropped from 62 minutes in 2023 to 48 minutes in 2024, with the fastest breakout time observed in an attack last year being just 51 seconds.
This decrease, CrowdStrike said, reinforces the need for real-time threat detection, identity and access controls, and proactive threat hunting to identify pre-attack behaviors. As threats continue to evolve at a rapid pace, organizations must stay vigilant and adapt their security measures to stay ahead of the threats.
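Breakout time is a metric a SOC can measure on its own telemetry, and comparing it against the team's realistic detect-and-contain time shows which intrusions would have outpaced the defenders. The example below is added here to illustrate that calculation; it is not code from CrowdStrike or from the report. The telemetry rows, host names and event categories (`initial_access`, `lateral_movement`, and so on) are constructed for the example, and the way they are derived from real EDR or SIEM data is an assumption left to the reader.

```python
"""Compute per-intrusion breakout time from endpoint telemetry.

Added example: the events, hosts and category names below are constructed
for illustration and are not taken from any report or product.
"""
from datetime import datetime, timedelta
from typing import Dict, List, Optional, Tuple

# Constructed sample telemetry: (ISO timestamp, host, event category, detail).
# Each host represents one intrusion. Category names are assumptions for this
# example; map your own EDR/SIEM event types onto them.
SAMPLE_EVENTS: List[Tuple[str, str, str, str]] = [
    ("2024-06-03T09:00:00", "ws-17", "initial_access", "macro-launched powershell.exe"),
    ("2024-06-03T09:12:30", "ws-17", "credential_access", "handle opened on lsass.exe"),
    ("2024-06-03T09:48:00", "ws-17", "lateral_movement", "SMB ADMIN$ write to srv-02"),
    ("2024-06-04T14:00:00", "ws-22", "initial_access", "trojanised installer executed"),
    ("2024-06-04T14:00:51", "ws-22", "lateral_movement", "remote service created on srv-05"),
    ("2024-06-05T11:30:00", "ws-30", "initial_access", "suspicious browser child process"),
    ("2024-06-05T11:45:00", "ws-30", "discovery", "domain group enumeration"),
]


def parse_events(rows: List[Tuple[str, str, str, str]]) -> List[dict]:
    """Turn raw rows into dicts with real datetimes, sorted chronologically."""
    events = [
        {"time": datetime.fromisoformat(ts), "host": host, "kind": kind, "detail": detail}
        for ts, host, kind, detail in rows
    ]
    return sorted(events, key=lambda e: e["time"])


def breakout_times(events: List[dict]) -> Dict[str, Optional[timedelta]]:
    """Map host -> breakout time.

    Breakout time is measured from the first initial_access event on a host
    to the first lateral_movement event that follows it. Hosts where no
    lateral movement has been seen yet map to None (intrusion still local).
    """
    first_access: Dict[str, datetime] = {}
    breakout: Dict[str, Optional[timedelta]] = {}
    for e in events:
        host = e["host"]
        if e["kind"] == "initial_access" and host not in first_access:
            first_access[host] = e["time"]
            breakout[host] = None
        elif (
            e["kind"] == "lateral_movement"
            and host in first_access
            and breakout.get(host) is None
        ):
            breakout[host] = e["time"] - first_access[host]
    return breakout


def outpaced_intrusions(
    breakout: Dict[str, Optional[timedelta]], time_to_contain_seconds: float
) -> List[str]:
    """Hosts where the adversary broke out faster than the SOC's assumed
    detect-and-contain time, i.e. intrusions the current process would lose."""
    return sorted(
        host
        for host, t in breakout.items()
        if t is not None and t.total_seconds() < time_to_contain_seconds
    )


if __name__ == "__main__":
    times = breakout_times(parse_events(SAMPLE_EVENTS))
    for host, t in times.items():
        print(f"{host}: {'no lateral movement yet' if t is None else t}")
    # Assumed 60-minute detect-and-contain budget for this SOC.
    print("outpaced at 60 min:", outpaced_intrusions(times, 60 * 60))
```

The useful output is the `outpaced_intrusions` list: with a one-hour detect-and-contain budget both constructed intrusions that reached lateral movement beat the responders, and only the 51-second one does at a 30-minute budget. Tightening that budget, rather than the average breakout figure, is the number to track over time.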