(part 2 of a 5 part series)

Part 1: So What is the Cyber Threat from China, Exactly?

Written by Francisco Costa Nunes and Joe Eduard Rucker


The Chinese Communist Party (CCP) utilizes its cyber capabilities to meet the shifting goals of its 5-Year Plans (FYPs). These activities in general can be grouped into two periods that coincide with themes found in the CCP’s corresponding FYPs. Between 2001 to 2010, the CCP primarily targeted government entities and facilities, with the goal of short-term espionage using a mix of network intrusions and infiltration. After the adoption of the CCP’s twelfth FYP in 2011, their focus shifted away from government entities and towards the private sector, with the goal of long-term espionage using primarily network intrusions. The specific private sectors that the CCP cyber operators have become increasingly active in are Academia, Communications, Information Technology, and Healthcare/Public Health.

The CCP’s FYPs provide critical insight into understanding which American industries and sectors China has a vested interest in attacking. The twelfth (2011-2015) introduces and highlights multiple key industries, primarily geared towards manufacturing, that China wants to develop and expand upon.[1] The thirteenth FYP introduces the “Made in China 2025” (MIC) strategic plan, which aims to modernize China’s industrial capabilities from a low-end manufacturer to a high-end producer.[2] With this goal in mind, the MIC initiative highlights 10 Key sectors:

  • New information technology
  • Advanced numerical control machine tools and robotics
  • Aerospace technology
  • Biopharmaceuticals
  • High-performance medical equipment
  • Electrical equipment
  • Agricultural equipment
  • Railway equipment
  • Energy-saving and new energy vehicles
  • Marine Engineering Equipment and High-Tech Ships

After the release of the MIC, the United States has experienced an increasing number of cyber operations in these sectors from Chinese Advanced Persistent Threat groups (APTs).

Advanced Persistent Threat (APT) Case Studies

After the twelfth FYP, the US saw a significant increase in cyber operations originating in China targeting the private sector. Many of these operations were, and are, conducted by APTs directly or indirectly supported by the CCP and target businesses based on the Strategic Emerging Industries outlines in the twelfth and thirteenth FYPs.

Unit 61398, also known as APT1, is a Chinese government sponsored ATP made famous by the Mandiant Report published in 2013. This APT targeted 115 companies headquartered in the US,[3] focusing on attacking private sector businesses, specifically information technology, aerospace and telecommunications, to facilitate the development of China’s Strategic Emerging Industries outlined in the twelfth FYP.[4] While this APT infiltrated networks starting in 2006, the quantity of infiltrations increased significantly in 2011, after the twelfth FYP was published. APT1 maintained access to its victims’ networks for months at a time, stealing many terabytes of data relating to the manufacturing processes, business plans and blueprints of the targeted businesses.[5]

First tracked in 2009, APT10 is another Chinese based APT which targets American corporations, focusing on data exfiltration inside construction, defense, telecommunications and government sectors. Like APT1, this APT targets industries to further China’s national security and industrial development goals.[6] APT10 is still active in 2022, having recently stolen business IP from Japanese and Western companies and targeted other non-American entities.[7]

APT41 is a Chinese APT that engages in state sponsored espionage. APT41 which has been active since 2012. Historically, they have attacked healthcare, telecom and high-tech sectors in 14 countries.[8] APT41 prolifically infiltrates US based governments and organizations. Between 2019 and 2022, APT41 infiltrated a large quantity of US and European high tech and manufacturing firms.[9]

These are a handful of the more than two dozen CCP sponsored APTs which have targetted American intellectual property. It is unlikely that the increasing number of Chinese government sponsored APTs will relent, especially given the unknown number of APTs currently infiltrating American networks.


The release of the CCP’s fourteenth (2021-2025) FYP continues to express the vision of a technologically advanced and self-reliant China. The CCP is establishing a number of national laboratories focusing on several advanced technologies like quantum information, micro and nano electronics, network communications, artificial intelligence (AI), biotech and pharmaceuticals, and modern energy systems. Alongside this, the CCP outlines a plan on building a “digital China” with 7 key industries; Cloud Computing, Big Data, Internet of Things (IoT), Industrial Internet, Block Chain, Artificial Intelligence (AI), and Virtual Reality and Augmented Reality (VR and AR).[10] From the previous trends of the last 20 years, the United States should expect an increasing number of Chinese cyber operations targeting these relevant sectors. It is safe to assume that the CCP will continue to primarily target the private sector and academia, with the goal of acquiring intellectual property that will benefit the above industries for themselves.

*The Dyadic Cyber Incident and Campaign Data (DCID) is a peer-reviewed data set which collects and categorizes cyber incidents between rival nation-states or other high frequency attack targets. Cyber incidents include both single cyber intrusions or attacks up to thousands of each to facilitate data collection. Version 2.0 of DCID, the most recent, categorizes the data based on the method used by attackers, the target type, the coercive action taken, the severity of the action and the damage type. https://drryanmaness.wixsite.com/cyberconflict/cyber-conflict-dataset

[1] https://kraneshares.com/resources/2013_10_kfyp_fan_gang_white_paper.pdf

[2] https://isdp.eu/content/uploads/2018/06/Made-in-China-Backgrounder.pdf

[3] https://www.mandiant.com/sites/default/files/2021-09/mandiant-apt1-report.pdf  pg 21

[4] Ibid pg 3

[5] Ibid 25

[6] https://www.mandiant.com/resources/insights/apt-groups

[7] https://www.bleepingcomputer.com/news/security/chinese-hackers-abuse-vlc-media-player-to-launch-malware-loader/

[8] https://www.mandiant.com/resources/insights/apt-groups

[9] https://www.bleepingcomputer.com/news/security/hackers-stole-data-undetected-from-us-european-orgs-since-2019/

[10] https://cset.georgetown.edu/publication/china-14th-five-year-plan/