Cyber Threat Actor: Chinese Military
| Actor Type | Location | Known Incidents |
|---|---|---|
| Nation State | China | 2 incidents |
Profile
The threat actor known as Chinese Military and Chinese State-Sponsored Actors operates from China, engaging in both physical and cyber operations aligned with state interests. This actor has targeted aviation safety systems and governmental networks across multiple continents. In March 2023, vessels purportedly affiliated with this group disrupted Qantas aircraft navigation and communication systems over the western Pacific and South China Sea, employing GNSS jamming and VHF interference that risked flight operations. The actor also conducts cyberespionage against entities involved in trade negotiations and infrastructure projects tied to China’s Belt and Road Initiative (BRI), as evidenced by the 2018 network reconnaissance campaign against Alaska’s government and natural resources agencies during high-level gas pipeline discussions. Additional targets included Kenyan, Mongolian, and Brazilian organizations during periods of economic dialogue, reflecting a pattern of aligning operations with China’s strategic investments.
This threat actor leverages electronic warfare capabilities for disruption and deploys custom malware like "ext4," a Linux backdoor observed in attacks against Tibetan networks. The "ext4" malware employed sophisticated evasion techniques, including timed activation windows and TCP header manipulation, to maintain persistence on compromised CentOS servers. Network reconnaissance from Tsinghua University IP addresses—linked to state research programs and PLA partnerships—formed the basis of campaigns targeting BRI-associated countries. Publicly documented incidents confirm the actor’s state sponsorship, with infrastructure tied to Chinese academic institutions and military collaborations. Operations consistently demonstrate objectives to gather economic intelligence, influence geopolitical outcomes, and monitor perceived domestic threats, as seen in the simultaneous targeting of Tibetan groups and international trade partners.
