By Wu Qiaoxi
Amid a surge in global hacking activity, China leads in the number of state-backed cyber groups, with 210 identified entities, according to a new study.
In an article published in early February, Chosun Biz, affiliated with South Korea's Chosun Ilbo, cited recent cybersecurity research as showing that China-origin cyber threats are evolving into a long-term structural challenge. The activity has shifted into sustained penetration of national critical networks, with potential wartime implications.
The report cited the 2025 Threat Roundup released in late January by California-based Forescout Technologies. It found that China accounted for 210 threat actor groups, roughly twice Russia's 112 and almost four times Iran's 55. Together, China, Russia and Iran represented 45% of the world's identified threat actor groups last year.
The rankings shifted compared with 2024. Russia's share of recorded attacks declined from 16% to 6%, while China's increased from 8% to 9%.
![Infographic showing year-on-year changes in China-linked cyberattacks targeting Taiwan's critical infrastructure in 2025. Chinese intrusions averaged 2.63 million attempts per day, with attacks on energy surging more than 1,000% and emergency services and hospitals rising 54%, according to Taiwan's National Security Bureau. [Wu Qiaoxi/Focus]](/gc9/images/2026/02/19/54691-2-370_237.webp)
State-sponsored groups primarily targeted governments and energy sectors. Their activities stemmed from espionage objectives, prepositioning for possible conflicts and the capability for physical disruption. Strategic value, rather than immediate financial gain, appeared to be the priority, the report said.
Bad actors increasingly use artificial intelligence in reconnaissance, vulnerability scanning and data exfiltration, raising the speed and scale of operations, said the study.
Detection has become more difficult as attackers combine "living off the land" techniques -- abuse of legitimate management tools already present in systems -- and supply-chain attacks via widely used software.
Threat to Taiwan
China-linked cyber activity has posed significant risks to Taiwan.
Chinese cyberattacks targeting government infrastructure averaged 2.63 million attempts per day last year, according to a Taiwanese government report from January, "Analysis on China's Cyber Threats to Taiwan's Critical Infrastructure in 2025."
This figure represents a 6% increase from 2024 and a staggering 112% jump from 2023 levels.
The 2025 data highlight a massive shift in targeting. Compared to 2024, the most significant growth in attacks occurred in the energy sector, which saw a more than 1,000% increase.
Attacks on emergency services and hospitals rose sharply too, growing by 54% over the same period.
Taiwan's National Security Bureau (NSB), author of the study, identified a wide range of offensive tactics used in these campaigns. The attacks included software and hardware vulnerability exploitation, distributed denial-of-service operations, social engineering and supply-chain intrusions.
China has conducted comprehensive intrusions into critical infrastructure in a bid to interfere with or disrupt governmental and social operations.
These actions align with Beijing's broader strategic objectives in both peacetime and war, the NSB said.
US, S. Korea also under threat
Such operations appear designed to prepare for potential conflict, say observers. Chinese hackers have infiltrated US infrastructure systems, including water, power and transportation networks, with some intrusions lasting at least five years, Tim Haugh, former director of the US National Security Agency, told the US news program "60 Minutes" late last year.
The activity suggested preparation for war rather than pursuit of economic gain, he said.
South Korea has faced similar risks. Investigators discovered that suspected Chinese actors had infiltrated the government workflow platform Onnara System for almost three years, from 2022 to 2025, Chosun Biz reported in February.
Attackers stole civil servants' certificates and passwords, allowing them to impersonate legitimate users and access administrative networks, South Korea's National Intelligence Service said.
The agency has said that while North Korea accounted for the largest numerical share of state-backed hacking targeting South Korea from 2022 through 2024, China's share exceeded 20% when measured by the severity of attacks.
The current international environment has virtually no treaty or binding authority over "state-on-state cyberattacks," Park Chun-sik, a cybersecurity professor at Ajou University in Suwon, South Korea, told Chosun Biz.
"In such a structure, countries have no choice but to build cyber capabilities that include both offense and defense," he said.
![Infographic showing the number of cyber threat actors by country of origin in 2025, led by China (210), Russia (112) and Iran (55), according to Forescout's 2025 Threat Roundup. [Wu Qiaoxi/Focus]](/gc9/images/2026/02/19/54685-1-370_237.webp)