New Chinese Hacking Campaign Targets Manufacturing Firms to Steal IP
![New Chinese Hacking Campaign Targets Manufacturing Firms to Steal IP](https://assets.infosecurity-magazine.com/webpage/og/1abf9313-66e2-4c8e-ae2c-ef9e305c160b.jpg)
Check Point is set to reveal a new Chinese cyber campaign targeting suppliers of manufacturers in “sensitive” domains in the US and across the globe.
In an exclusive interview with Infosecurity at the firm’s CPX 2025 conference, Lotem Finkelsteen, Check Point’s Director of Threat Intelligence & Research, said his team was working on a new investigation into a Chinese hacking group.
Finkelsteen confirmed his team had observed the threat group actively infiltrating the networks of firms that supply components for the manufacturing industry, including in “sensitive” domains, and many other sectors.
These primary targets include suppliers of chemical products and physical infrastructure components like pipes. Some are Check Point’s customers. Check Point plans to release a full report on the campaign in the next few weeks.
“These companies did not explicitly need to be better protected than they are and couldn’t expect to be targeted by nation-state actors as powerful as this one,” Finkelsteen said.
“You don’t always know what makes you a target, so you need to review your customers, vendors and partners. Organizations must see themselves in the bigger picture, with neighboring companies that may be a target,” he added.
Finkelsteen said the Check Point research team believes the intention of the campaign is intellectual property theft, with the threat actor trying to better understand the supply chain of the targeted industry.
Chinese Threat Actors Deploy Aggressive Tactics
In this newly observed campaign, the threat actor typically gains access to the suppliers’ edge devices, notably by exploiting one-days: software or hardware vulnerabilities that have only recently been publicly disclosed and for which users may not yet have applied patches.
Targeted edge devices include operational relay boxes (ORBs), which are often either virtual private server (VPS) hosts or poorly secured Internet of Things (IoT) devices (e.g. routers) that intelligence services have traditionally used to infiltrate networks.
Targeting ORB devices has recently been a typical cyber espionage tactic deployed by Chinese-sponsored hackers.
“We identified the intrusion tactics used by the threat actor. Some were new, but others aligned with Chinese nation-state groups, which led us to attribute the campaign to a known threat actor in China,” Finkelsteen explained.
At the time of writing, the threat intelligence analyst did not name the specific actor.
“Over the past two years, it has become clear that many Chinese hacking groups have been increasingly sharing tools and techniques, making it more difficult to accurately attribute cyber-attacks,” Finkelsteen continued.
The approach shows similarities with the Volt Typhoon cyber espionage campaigns that targeted critical infrastructure and telecommunications organizations in the US and elsewhere in 2023 and 2024. These campaigns allowed Volt Typhoon to infiltrate some US government agencies in 2024.
“The aggressiveness of Chinese threat actors is very evident right now. This campaign shows that being exposed does not stop them from taking action,” Finkelsteen said.
Check Point will attribute the campaign to a specific actor only if the firm’s assessment reaches medium confidence.