Cyber Threat Actor: Group 302

Actor Type: Nation State
Location: China
Known Incidents: 1 incident
Profile

Group 302 is a threat actor that has been publicly linked to operations originating from China, according to the source material describing the incident. The actor is known only by the alias Group 302 in open‑source reporting and has not been referenced under any other name in the available documentation. Attribution to a state‑sponsored source in China is made explicitly in the context of the Yahoo‑related breach discussed in the articles. No additional geographic bases, infrastructure details, or alternative aliases are documented in the provided sources. The actor is therefore understood to be affiliated with a Chinese governmental entity engaged in cyber operations.

Group 302’s observed activity focuses on compromising large‑scale online service platforms that hold extensive user data, as demonstrated by the targeting of a major internet company in the 2014 incident. Its strategic objective aligns with the espionage goals typically attributed to its state sponsor: gathering information rather than direct financial gain. The actor’s tradecraft includes forging authentication cookies with proprietary code stolen before the attack, a technique described in the forensic analysis. Forged cookies allowed the actor to bypass password‑based authentication and access user accounts directly, without passing through the conventional login path and therefore without triggering login‑based alerting. Investigators noted no persistent network presence or malware deployment by the actor after the initial compromise.

The most publicly cited operation involving Group 302 is the 2014 breach of a major internet company that exposed personal information for at least half a billion accounts, including names, email addresses, telephone numbers, dates of birth, hashed passwords and security questions. In that incident, forged authentication cookies were actively used to enter accounts without triggering traditional login alerts, enabling unauthorized access at scale. The victim company responded by invalidating the compromised cookies and resetting the related security credentials while coordinating with law enforcement to investigate the breach. The breach also affected the company’s valuation during acquisition negotiations, illustrating the operational impact of the actor’s activity on business outcomes. This case remains the primary example used to characterize Group 302’s capabilities, targeting patterns, and the consequences of its state‑sponsored activity.

Incidents: 1 attributed incident (details available to members)
Sources: 0 sources (available to members)