Chinese Cyber Espionage Jumps 150%, CrowdStrike Finds

High-profile campaigns like Volt Typhoon and Salt Typhoon made headlines in the past year, but they likely represent only a fraction of the extensive Chinese cyber espionage activity that has been unfolding in the shadows.
According to CrowdStrike’s 2025 Global Threat Report, released on February 27, 2025, a staggering 150% surge in Chinese-backed cyber espionage operations across the world was observed in 2024. Critical industries saw up to a 300% spike in targeted attacks.
The most targeted sectors were finance, media and manufacturing.
The cybersecurity provider identified seven new China-nexus adversaries in 2024 and claimed to have blocked over 330 cyber-intrusion attempts attributed to Chinese hacking groups.
Adam Meyers, Head of Counter-Adversary Operations at CrowdStrike, commented: “China’s increasingly aggressive cyber espionage, combined with the rapid weaponization of AI-powered deception, is forcing organizations to rethink their approach to security.”
CrowdStrike’s Observed Cyber Threat Trends in 2024
Other cyber threat trends observed by CrowdStrike include:
- Explosion of voice phishing (vishing) attacks, which rose 442% between the first and second half of 2024
- Surge in malware-free, identity-based attacks: 79% of intrusion detections in 2024 were malware-free, up from 75% in 2023 and just 40% in 2019. Additionally, CrowdStrike detected a 50% increase in access broker advertisements on the dark web in 2024 compared to 2023
- Growing reliance on vulnerability exploits, with 52% of vulnerabilities observed in 2024 related to initial access. Threat actors are also increasingly using chained vulnerability exploits to maximize their chances of success
- Cloud environments under siege: New and unattributed cloud intrusions increased by 26% in 2024 compared to 2023. Valid account abuse is the primary initial access tactic and accounted for 35% of cloud incidents in the first half of 2024
- North Korean hackers champion insider threats: 40% of the 304 cyber incidents operated by the North Korea-nexus adversary Famous Chollima involved insider operations, such as the IT worker schemes
- Breakout time significantly reduced: the average time hackers moved from initial access to intrusion – commonly called the breakout time – for 2024 fell to 48 minutes, down from 62 minutes in 2023. The fastest breakout time CrowdStrike recorded in 2024 was just 51 seconds
Generative AI (GenAI) was used by cyber threat actors more than ever in 2024. While cybercriminals and nation-state actors alike used it mainly to supercharge social engineering, some groups, especially Iran-nexus actors, used GenAI for other purposes like vulnerability research and exploitation.
During a press briefing on February 25, CrowdStrike’s Meyers said: “We called this report ‘The Year of the Enterprising Adversary’ because we have seen threat actors have matured significantly. They have figured out new ways to gain access and not get caught by modern security tools.”
CrowdStrike’s Global Threat Report in Numbers
In this 13th Global Threat Report, CrowdStrike tracked 257 adversaries, with 26 new threat actors emerging over the past year.
It also detected over 140 activity clusters, representing identified malicious activity with unknown attribution.
“These are clusters for which we haven’t figured out exactly if they should be attributed to known or new adversaries or we don’t have a strong set of information yet,” Meyers added.
In 2024, CrowdStrike added two new countries of origin for nation-state threat actors. These were Egypt, with actors tracked as ‘Sphinx’, and Kazakhstan, with actors tracked as ‘Saiga.’
“Seeing more nations deploying cyber intrusions and cyber espionage operations is a significant concern,” Meyers concluded.