Mei Danowski & Eugenio Benincasa unpack how Chinese firms running attack-defense exercises fuel state-linked offensive cyber operations.
# Analysis Summary
This summary focuses on the ecosystem of Chinese cybersecurity firms leveraging attack-defense exercises, rather than a single, named threat actor following traditional APT naming conventions. The identified entities are **firms alleged to support state-linked offensive operations.**
# Threat Actor: Chinese State-Linked Entities (via Private Sector Support Ecosystem)
## Attribution & Identity
The primary focus is on Chinese information security firms alleged to support state-linked offensive cyber operations. Key companies cited in recent US government actions include:
* **i-SOON**
* **Sichuan Silence**
* **Integrity Tech**
These firms are characterized as serving as a "key seedbed" for nurturing China’s offensive cyber talent, often associated with the People's Liberation Army (PLA) or Ministry of State Security (MSS).
## Activity Summary
The research analyzes how commercial cyber ranges and "attack-defense live-fire" (攻防实战) exercises conducted by these private firms directly contribute to, and enhance, China's state-linked offensive cyber capabilities. This private-sector development is seen as a primary mechanism, alongside hacking contests and bug bounty programs, used by the Chinese government to improve its operational skills.
## Tactics, Techniques & Procedures
The article focuses on the *training methodologies* that enhance TTPs rather than on specific malicious TTPs used by the *actors themselves*.
* **Training Mechanism:** Attack-defense live-fire (攻防实战) exercises.
* **Skill Enhancement:** Improving offensive cyber talent and capabilities through realistic simulations hosted on sophisticated cyber ranges.
* *Note: No specific technical TTPs or MITRE ATT&CK IDs concerning exploitation or malware deployment during campaigns were mentioned in this summary context.*
## Targeting
* **Sectors:** US government systems and critical infrastructure systems.
* **Geography:** Primarily focused on targeting interests within the United States.
* **Victims:** US government entities and critical infrastructure organizations.
## Tools & Infrastructure
* The focus is on the *training infrastructure* (cyber ranges, attack-defense platforms) provided by the 120 identified companies rather than offensive malware.
* *Note: No specific offensive malware families or C2 infrastructure were mentioned.*
## Implications
The rapid growth and sophistication of the Chinese private cybersecurity industry (with over 4000 product/service providers) acting as a talent funnel and training simulator poses a significant, yet under-analyzed, threat to foreign cyber defenses. These exercises directly translate into enhanced state-linked offensive capabilities.
## Mitigations
The report implies a need for defense strategies that account for the advanced, constantly improving skill sets cultivated within these Chinese cyber training environments.
* **Focus Recognition:** Organizations must recognize the role of commercial entities operating in the geopolitical cyber space as indirect enablers of APTs.
* **Defensive Posture:** Increased scrutiny and defense preparation against TTPs likely derived from advanced, state-sponsored training scenarios.