China-linked cyber espionage surged 150% last year, with signs Beijing is preparing to disrupt critical infrastructure tied to Taiwan’s defence, according to CrowdStrike’s 2025 Global Threat Report.

Cyberattacks targeting key industries—financial services, media, and manufacturing—rose by 300%.

On a conference call last week, ahead of the report’s release, Adam Meyers, CrowdStrike’s head of counter adversary operations, called China’s escalation “one of the most important and terrifying stories” in the report.

He warned: “China has invested in its cyber capabilities for decades and is now on par with the best in the world. They have made it clear they intend to unify with Taiwan—by military force if necessary.”

Meyers noted that recent attacks suggest China is pre-positioning itself to disrupt logistical support in a potential Taiwan conflict.

“If war broke out, the US would deploy carrier strike groups, which rely on fuel, water, food, and ammunition. We’ve seen cyberattacks targeting those logistics—that’s a big concern.”

Meyers added that China's threat actors are also becoming more specialised, targeting specific industries such as telecoms and legal services, a sign of their growing sophistication.

They are also becoming stealthier, shifting from “smash and grab” tactics to evading detection through operational relay bases and obfuscation techniques.

“The scale is vast—Chinese-linked hackers were found across every sector and region last year. CrowdStrike’s team alone disrupted 330 such intrusions,” he said.

Are GenAI-powered cyberattacks on the rise?


In total, CrowdStrike's 2025 Global Threat Report identified 257 new threat actors and 140 activity clusters (unnamed adversaries), highlighting an expanding threat landscape.

Notably, new nation-state actors from countries such as Egypt and Kazakhstan have entered the cyber warfare arena, drawn, as CrowdStrike’s Meyers speculates, “by the deniability and collective nature of cyber operations”.


Adam Meyers, head of counter adversary operations at CrowdStrike


The report also warned of the rise of GenAI-powered cyberattacks, particularly in social engineering. AI-driven phishing and impersonation tactics fuelled a 442% surge in voice phishing (vishing) in the first half of 2024.

Sophisticated criminal cyber groups such as Curly Spider, Chatty Spider and Plump Spider, for instance, have leveraged social engineering tactics to steal credentials, establish remote sessions, and evade detection.

“Voice phishing is just social engineering—nothing new,” Meyers explained.

“But the increase shows how adversaries are shifting tactics, targeting the weakest link. It’s a two-way attack: they spam-bomb an organisation and then pose as the help desk—or vice versa—to reset credentials and bypass multi-factor authentication (MFA), gaining access at will.”

Nation-state actors are also embracing GenAI, the report noted, with Iran-linked threat groups, for instance, using AI for vulnerability research, exploit development, and patching domestic networks.

Additionally, CrowdStrike observed a rise in North Korea-aligned adversaries posing as legitimate job seekers to gain system access, conduct malicious activity, or generate revenue. These groups use AI-generated voice and image content to mask their real identities; the tactic accounted for 40% of the 304 incidents attributed to the North Korean group Famous Chollima in 2024.

Unpatched vulnerabilities: the number one entry point?


Despite evolving attack techniques, unpatched vulnerabilities remain the most common way adversaries gain access to enterprise networks. Last year was no different with CrowdStrike’s report finding that 52% of observed vulnerabilities were linked to initial access exploitation.

With the sheer volume of security alerts and patches facing SOC teams, Meyers advises security managers to take an "adversarial approach" rather than prioritising purely by severity rating: patch first the vulnerabilities that adversaries are actually most likely to exploit against you.
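The difference between the two orderings is easy to see on a small backlog. The following is an added illustration, not CrowdStrike's method or any vendor's scoring: the records, field names and weights are constructed assumptions, and the identifiers are internal ticket ids rather than CVEs.

```python
"""Adversary-driven patch prioritisation.

Added illustration (not CrowdStrike's method): rank vulnerabilities by how
likely they are to be exploited against you, not by severity score alone.
The records, field names and weights below are constructed assumptions.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Vuln:
    ident: str               # internal ticket id (constructed, not a CVE)
    cvss: float              # base severity score
    known_exploited: bool    # seen exploited in the wild (e.g. on a KEV-style list)
    internet_exposed: bool   # affected asset reachable from the internet
    actor_targets_us: bool   # used by an adversary tracked against our sector


def severity_only(vulns):
    """The 'purely by severity' ordering: highest CVSS first."""
    return [v.ident for v in sorted(vulns, key=lambda v: (-v.cvss, v.ident))]


def adversarial_score(v):
    """Weight exploitation likelihood above raw severity.

    Weights are assumptions chosen so that any in-the-wild exploitation
    outranks an unexploited critical, and exposure/targeting break ties.
    """
    score = v.cvss
    if v.known_exploited:
        score += 10
    if v.internet_exposed:
        score += 4
    if v.actor_targets_us:
        score += 3
    return score


def adversarial_order(vulns):
    """The 'adversarial' ordering: most likely to be exploited first."""
    return [v.ident for v in sorted(vulns, key=lambda v: (-adversarial_score(v), v.ident))]


# Constructed backlog: four findings an SOC might face on the same day.
BACKLOG = [
    Vuln("V-1", 9.8, known_exploited=False, internet_exposed=False, actor_targets_us=False),
    Vuln("V-2", 7.5, known_exploited=True,  internet_exposed=True,  actor_targets_us=True),
    Vuln("V-3", 8.1, known_exploited=True,  internet_exposed=False, actor_targets_us=False),
    Vuln("V-4", 5.3, known_exploited=False, internet_exposed=True,  actor_targets_us=False),
]

if __name__ == "__main__":
    print("by severity:  ", severity_only(BACKLOG))   # V-1 first: unexploited, internal critical
    print("by adversary: ", adversarial_order(BACKLOG))  # V-2 first: exploited, exposed, targeted
```

The unexploited internal critical (V-1) tops the severity list but drops to third once exploitation evidence and exposure are weighted in; the two findings with in-the-wild exploitation move to the front. In practice the boolean fields would be populated from threat intelligence and asset inventory rather than typed by hand.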

Record-speed lateral movement


The report also noted the rapid pace of lateral movement within compromised networks: the average eCrime breakout time (the time from initial compromise to the adversary's first move onto a second host) has dropped to just 48 minutes, with the fastest recorded instance taking 51 seconds, leaving defenders little time to react.
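Breakout time is something a SOC can measure from its own telemetry. The following is an added example with a constructed event timeline; it is not CrowdStrike's telemetry format or the report's data, and the event names, host names and the 1-10-60 style response benchmark used for comparison are assumptions.

```python
"""Breakout time from endpoint telemetry.

Added example with constructed events; not CrowdStrike's telemetry format
or the report's data. Breakout time is measured from the first observed
activity on the initially compromised host to the first activity the same
intrusion produces on a second host.
"""
from datetime import datetime

# Constructed timeline: (ISO timestamp, host, event). Field names are assumptions.
EVENTS = [
    ("2024-06-03T10:00:00", "ws-017", "initial_access"),      # user ran phishing payload
    ("2024-06-03T10:12:30", "ws-017", "discovery"),           # domain/group enumeration
    ("2024-06-03T10:41:05", "ws-017", "credential_access"),   # cached credential theft
    ("2024-06-03T10:48:00", "fs-02",  "remote_logon"),        # first foothold on a 2nd host
    ("2024-06-03T11:30:00", "dc-01",  "remote_logon"),
]


def breakout_minutes(events):
    """Minutes between initial access and the first activity on another host.

    Returns None when no initial_access event or no second host is seen.
    """
    ordered = sorted(events, key=lambda e: datetime.fromisoformat(e[0]))
    start = next((e for e in ordered if e[2] == "initial_access"), None)
    if start is None:
        return None
    t0 = datetime.fromisoformat(start[0])
    patient_zero = start[1]
    for ts, host, _event in ordered:
        t = datetime.fromisoformat(ts)
        if t >= t0 and host != patient_zero:
            return (t - t0).total_seconds() / 60
    return None


def defender_beats_breakout(breakout, detect, investigate, respond):
    """True if detect + investigate + respond (minutes) finishes before breakout.

    The three-stage split mirrors the widely used 1-10-60 benchmark (1 minute
    to detect, 10 to investigate, 60 to respond); that benchmark is assumed
    here for comparison and is not taken from the article.
    """
    return breakout is not None and (detect + investigate + respond) < breakout


if __name__ == "__main__":
    bt = breakout_minutes(EVENTS)
    print(f"breakout time: {bt:.1f} min")                    # 48.0
    print("1-10-60 would contain it:", defender_beats_breakout(bt, 1, 10, 60))  # False
```

Against a 48-minute breakout, a team that needs the full 60 minutes to respond has already lost the race; the 51-second case in the report leaves no window at all, which is the argument for automated containment rather than manual triage.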

While financially-motivated cybercriminals tend to adopt ‘smash-and-grab’ tactics once they’re on the networks, nation-state actors tend to be more patient, says Meyers, often lurking within a network for extended periods before executing their objectives.

Meyers, a senior executive at the company, appeared before a US congressional committee last September to answer questions about CrowdStrike's faulty software update that disabled millions of PCs on 19 July.

Meyers said the company would continue to act on and share “lessons learned” from the incident to make sure it would not happen again.
