China’s Cyber Espionage Surges 150%, Says CrowdStrike

CrowdStrike has released its 2025 Global Threat Report finding a rise in Chinese cyber attacks, growing AI application and more
CrowdStrike's 2025 Global Threat Report finds a rapid rise in China-nexus cyber activity, as well as growing Gen AI use and cloud infrastructure attacks

There’s a clear message to business leaders in CrowdStrike’s comprehensive 2025 Global Threat Report: underestimate your adversaries at your own risk. 

They are becoming more efficient, focused and business-like in their approach to instigating malicious attacks by harnessing advanced technologies like AI and machine learning – which are being commercialised for cybercriminals as much as they are for the organisations they attack. 

In the case of Gen AI, for example, highly effective adversaries from all major categories (nation-state, eCrime and hacktivist) have become avid adopters, exploiting the impact of commonly used enterprise tools like chatbots. 

Among nation-states in particular, China–nexus activity has surged by 150% overall, says CrowdStrike – one of many rapidly growing threats that businesses must work hard to stay ahead of by reinforcing and fortifying their cybersecurity postures as we move through 2025. 

China's advance in cyber attacks

CrowdStrike exposes the growing aggression of China’s cyber operations. While China-nexus adversaries escalated state-sponsored attacks by 150%, the report finds that targeted attacks in financial services, media, manufacturing and the industrial sectors rose up to 300%.

The company’s research identified seven new advanced persistent threat (APT) groups linked to China in 2024, five of which were unique in their specialisation and sophistication. 

It says that “the emergence of adversaries with unique tactics, tradecraft and target scopes represents an ongoing shift in China-nexus intrusions from so-called smash-and-grab operations to increasingly focused and mission-specific intrusions”.

Adam Meyers, SVP, Intelligence at CrowdStrike

“China’s increasingly aggressive cyber espionage, combined with the rapid weaponisation of AI-powered deception, is forcing organisations to rethink their approach to security,” says Adam Meyers, head of counter adversary operations at CrowdStrike.

“Adversaries exploit identity gaps, leverage social engineering and move across domains undetected—rendering legacy defences ineffective. Stopping breaches requires a unified platform powered by real-time intelligence and threat hunting, correlating identity, cloud and endpoint activity to eliminate the blind spots where adversaries hide.”

Multi-faceted threat landscape

Several other threat types and areas of vulnerability within the enterprise dominate CrowdStrike's findings. Cloud environments, growing rapidly within organisations, are facing an increased number of attacks. 

In 2024, new and unattributed cloud intrusions increased 26% compared to 2023, demonstrating a growing appetite among hostile actors for exploiting cloud services. 

Successful attacks often begin by gaining internal access via valid accounts, leveraging cloud environment management tools to move laterally and exploit vulnerabilities. Valid account abuse accounted for 35% of cloud incidents in H1 2024. 

Cybercriminals also exploit misconfigurations, inadequate access controls and vulnerabilities within cloud infrastructures to gain unauthorised access to sensitive data and critical systems. 

A significant finding from the report is the rise in identity-based attacks. Adversaries are increasingly exploiting stolen credentials to gain initial access to systems, with 75% of attacks now being malware-free. Adversaries exploited compromised credentials to infiltrate systems as legitimate users, moving laterally undetected with hands-on-keyboard activity.

This shift towards credential-based intrusions underscores the necessity for robust identity protection measures. Once inside, attackers can move laterally within networks, often evading traditional detection methods. The commodification of stolen identities has further exacerbated this issue, with a 20% increase in advertisements for valid credentials on underground forums. 

Also related to identity theft is a rise in impersonation tactics and AI-driven phishing, which fuelled a 442% increase in voice phishing in the first half of 2024. Here, says CrowdStrike, sophisticated eCrime groups like CURLY SPIDER, CHATTY SPIDER and PLUMP SPIDER leveraged social engineering to steal credentials, establish remote sessions and evade detection.

Speed increases and the use of Gen AI

Concerningly for organisations, the pace at which attackers can exploit a network has increased significantly. 

The report highlights that breakout time – how long it takes for an adversary to start moving laterally within a network – reached an all-time low in 2025, falling to an average of 48 minutes. The quickest time observed was 51 seconds. 

Gen AI played a pivotal role in enabling many malicious attacks during 2024

Gen AI played a pivotal role in enabling many of these different attack vectors.

Among the most well-known was the creation of highly convincing fake IT job candidates to infiltrate large organisations by the Famous Chollima group, and the work of Chinese, Russian and Iranian affiliated attackers disrupting elections with AI-driven disinformation. 

In light of these developments, business leaders must adopt a proactive and comprehensive approach to cybersecurity. This includes implementing unified security platforms by deploying integrated security solutions that offer visibility across all environments.

Strengthening Identity and Access Management (IAM) is critical, particularly given the rise in identity-based attacks. Organisations should enforce multi-factor authentication (MFA), conduct regular audits of user privileges and continuously monitor for anomalous access patterns. 

Other core areas of focus into 2025 and beyond include investing in artificial intelligence-driven security technologies, enhancing employee training and awareness and developing and regularly updating incident response plans.



Cyber Magazine is a BizClik brand 