Skip links

ICT Cyber-Desk Report: Chinese Hacker Groups

Executive Summary

Cyberspace is the newest theater of operations with China fighting for command. Chinese hacker groups have become professional, strategic, and operate with improved tactics. They once were considered very bold with little regard for operational security, but now they are strategically controlled. In general, hackers have various motivations, but the majority of Chinese hackers are nationalistic and are either working directly for, or on contract with, the Chinese government. Research findings strongly indicate the majority of Chinese hacker groups listed are connected to the Chinese Liberation Army (PLA), Strategic Support Force (SSF), Chinese intelligence, and/or on contract with the Chinese government. There is not one group on the list without ties or suspected ties to the Chinese government. As a researcher it was difficult to find details on many of the group’s leaders, group structures and forum activity but the use of overlapping resources and consistent target countries reveals a common main actor profile. It is also important to recognize these groups are most likely not completely separate entities. They either work together or stop using one group when the group is identified and move to a new alias. This means when a group is not active, it does not mean the actors are no longer active. Rather, the actors have moved under a different group and/or name. Therefore, it may be most productive in searching and targeting Chinese hacker groups to focus on individual actors and their links to the Chinese government. Target countries are consistently Western and Asian countries that are perceived as a threat politically and industrially to the Chinese government. The United States by far is the largest targeted country, being targeted by almost every group. Other western countries, as well as Taiwan and Japan, are also highly targeted. Primary targets are political and industrial with the strongest focus on intellectual property. Within the intellectual property targeted, the primary target is defence technology and then other high-tech sectors.


In analysing the list of Chinese hacker groups, the list can be identified as Priority 1 GroupsPriority 2 Groups, and Priority 3 Groups.


Priority 1 Groups are groups one (APT1) and ten (APT12), which are connected, linked to the PLA and commit cyber-espionage. Its capabilities indicate a large group, focused primarily on targets of defence technology, including the Israeli Iron Dome system, United States, Taiwan, and Japan defence and high-tech sectors. Group two (APT3) is considered on of the most sophisticated Chinese hacker groups and is connected to China’s tech giant, Huawei. Group five (APT10) targets a broad range of countries and target industries, is suspected to be state funded, and conducts cyber-espionage. Groups eight (Elderwood Group) and nine (Hidden Lynx) are connected, target a broad range of industries including defence and multiple industrial sectors. It is known to be quiet in strategy and are suspected to be state funded. Groups eleven (DragonOK) and twelve (Moafee) are connected, suspected to be state funded, target a broad range of targets, especially the defence sector and politically on the South China Sea dispute. Group eighteen (APT27) is suspected to be state funded, highly sophisticated and targets USA, Asian defence, and European drone technology. Groups twenty (APT18), twenty-one (APT18), and twenty-two (Shell Crew) are connected, suspected to be state funded and perform cyber-espionage. It targets a broad range of countries and target industries including defence, high tech, and biotechnology. It are also suspected of targeting Daesh in Iraq in 2014 to protect oil interest in the region. Group twenty-four (Winnti Umbrella) has been identified as Chinese intelligence with high confidence. It has been active over a long period and it’s main targets are political, including the USA, Tibet, Japan, and South Korea.


Priority 2 Groups are groups three (NCPH) which hacked the Pentagon several times in 2006, is known for its expertise in surveillance and is suspected to be PLA. However, there is no evidence of recent activity. Group thirteen (APT16) is suspected of being state funded, conducts cyber-espionage and targets Taiwan and Japan. Group fourteen (EvilPost), fifteen (Danti), and sixteen (SYCMONDR) are connected, are suspected of being state funded and targets are mainly industrial, with a focus on South and Central Asian countries. Group nineteen (APT17) targets the United States political and industrial targets including defence and technology.


Priority 3 Groups are group four (Honker Union of China) that has targets who are primarily political and focuses on the USA, Japan, Vietnam, and the Philippines. Group six (Bronze Butler) targets are Japan’s industrial sector and some political targets. It is linked to the Chinese government and may hire out to steal technology. Group seven (KeyBoy) is known to have medium level expertise and targets are political and industrial, with a focus on Tibet, Taiwan, the Philippines, and the West. Group seventeen (China Girl Security Team) has targeted the USA and has targets that include the White House and Google. This group hasn’t been linked to any recent activity. Group twenty three (APT30) is suspected of being state funded and has targeted SE Asian countries – members of ASEAN. Is not linked to recent activity.


The overall objective summarized from the data collected in this project is that Chinese hacker groups are mainly under the direction of the Chinese government. Their goals are to steal intellectual property, focusing primarily in defence and other emerging technology, in order to further develop Chinese industry and advance Chinese military, political, and technological status.


 This article is part of the RED-Alert project, funded by the European Union’s Horizon                                 2020 research and innovation Programme under grant agreement No 740688.

Click Here to view Article File