Among state-backed hacking groups active around the world, those based in China were found to be the most numerous. With such an overwhelming lead in the number of groups, China-origin cyber threats are hardening into a structural, long-term problem rather than a temporary phenomenon. The attacks are also becoming more advanced, moving beyond simple data theft to long-term infiltration of national critical networks, heightening vigilance among countries.
◇ China-origin hacking shifts from quantitative expansion to strategic threat
According to the 2025 Threat Roundup recently released by Vedere Labs, the threat research unit of the global security company Forescout, China had the most state-backed hacking groups active worldwide as of last year, with 210. That is about twice Russia's 112 and about four times Iran's 55. China, Russia, and Iran together accounted for 45% of the world's state-backed threat groups, with China alone ranking first.
These figures are not attack counts, but tallies based on the number of "unique actor groups" tracked by Forescout. The report said that over 2025, these threat groups targeted 178 countries worldwide, with government, finance, and telecommunications the most exposed industries. Both in the number of groups and in the breadth of activity, China's cyber capabilities are structurally expanding.
The intensity of China-origin cyberattacks is most starkly evident in neighboring Taiwan. In its report "2025 analysis of China's cyberhacking threats to Taiwan's critical infrastructure" released in Jan., the National Security Bureau (NSB) said that as of 2025, China-origin cyberattacks targeting Taiwan's government infrastructure averaged 2.63 million per day. That was a 113% increase from 2023, when the statistics began to be compiled, and up 6% from 2024.
The NSB said Chinese hacker groups are combining software and hardware vulnerability exploits, DDoS, social engineering, and supply chain attacks against Taiwan's government and critical infrastructure. It noted that especially since the second half of 2025, attack patterns have shifted away from simple data theft toward targeting national critical infrastructure (CI) such as energy, hospitals, and finance. Because the timing of heightened political and military tensions coincides with surges in attack intensity, analysts say cyberattacks are effectively being used as a means of pressure.
◇ Attacks combining stealth and AI spread… Korea also within range
The security industry cites "qualitative evolution" as the risk factor in China-origin hacking. Chinese-linked hacking groups are said to be strengthening a so-called "pre-positioning" strategy—eschewing short-term destruction or cash grabs in favor of hiding inside core systems such as power and communications networks so they can be used immediately in future conflicts or crises. The key is to maintain access by lying dormant for extended periods.
Automated attacks using artificial intelligence (AI) are rapidly being combined with this. According to Vedere Labs, AI is handling a significant portion of reconnaissance, vulnerability scanning, and data exfiltration, expanding both the speed and scale of attacks. The difficulty of detection and response is rising further as attackers pair the "living off the land" technique—abusing legitimate management tools already installed on systems—with supply chain attacks mediated through widely used software.
Such long-term stealth attacks have also led to real damage in Korea. The Onnara System, the government workflow management platform for civil servants, was belatedly found to have been exposed to hacking for about three years, from Sept. 2022 to Jul. 2025. According to a National Intelligence Service investigation, hackers stole civil servants' Government Public Key Infrastructure (GPKI) certificates and passwords, disguised themselves as legitimate users, and accessed the government administrative network. While the attack's sponsor was not conclusively attributed to a specific country, records of translating Korean into Chinese and indications of attempted hacks in Taiwan were found, adding weight to the possibility of Chinese links. In another case, in 2023, a hacker group believed to be Chinese illegally penetrated the national satellite communications network and attempted further infiltration into the government administrative network before being detected.
The National Intelligence Service (NIS) has previously disclosed an internal analysis that, although North Korea accounted for the largest quantitative share of state-backed hacking targeting Korea from 2022 to 2024, the threat share attributable to China exceeds 20% when reclassified to reflect the severity of attack methods.
Professor Park Chun-sik of Ajou University's Department of Cybersecurity said, "State-on-state cyberattacks have already become a major means of modern warfare, but due to diplomatic issues, most countries do not reveal their offensive capabilities openly and are conducting both offense and defense," adding, "Unlike nuclear weapons, cyberattacks lie in a realm where there is virtually no international treaty or binding force to control or limit them." Park continued, "In such a structure, countries have no choice but to build cyber capabilities that include both offense and defense," and emphasized, "Korea must systematically accumulate national-level cyberwarfare response capabilities while raising private-sector defensive capacity."