Cyber Threat Actor: Strategic Support Force of the People's Liberation Army
| Actor Type | Location | Known Incidents |
Nation State
|
China
|
1 incident |
|---|
Profile
The Strategic Support Force of the People's Liberation Army, also known as the SSF or Strategic Support Force, is a Chinese state‑linked threat actor based in China. It is publicly attributed to the PLA’s cyber component and has been identified in open‑source reporting as responsible for espionage‑oriented operations. The actor’s known aliases reflect its organizational designation within the Chinese military structure. Its activities have been observed primarily against diplomatic and governmental institutions in Europe, with a notable case involving the Ministry of Foreign Affairs of Cyprus and the broader EU COREU network.
Targeting in that operation extended to United Nations agencies, financial ministries, trade unions, and policy think tanks, indicating a focus on entities that handle sensitive political and economic information. The strategic objective demonstrated in the reported campaign was espionage, as attackers sought to access confidential diplomatic correspondence and related communications. The group’s typical initial access vector relies on phishing messages designed to trick recipients into divulging credentials or executing malicious payloads. Researchers have described the operation as exploiting common vulnerabilities rather than employing sophisticated, custom‑built malware, underscoring a reliance on well‑known weaknesses. No specific malware families were referenced in the public account of this incident, and the tooling style appears centered on social engineering and the use of readily available exploit techniques.
Attribution to the SSF is supported by the public linkage to China’s People’s Liberation Army and the consistent alignment with state‑directed intelligence goals. The 2018 compromise of Cyprus’s foreign ministry and the subsequent intrusion into the EU’s diplomatic coordination system serves as a representative example of the actor’s modus operandi. This case illustrates how the SSF leverages phishing and common security gaps to gain access to high‑value, cross‑border information networks. The unit’s mandate includes integrating cyber capabilities with broader military intelligence efforts. Public reports have not linked the SSF to financially driven cybercrime.
