Discover the 3 Worst Chinese Hacker Groups: Methods and Targets

Types of Cybercrime

Discover the 3 Worst Chinese Hacker Groups: Methods and Targets

Key Points

  • Chinese hacker groups are some of the most sophisticated and notorious in the world, often engaged in cyber-espionage and financially motivated attacks.
  • The three worst Chinese hacker groups are APT41, APT10, and APT27, known for their long-term objectives, adaptability, and use of various tactics such as spear-phishing, malware, and watering hole attacks.
  • APT41 has stolen trillions of dollars in intellectual property, targeted the US government and private companies, and engaged in cyber-espionage and financially motivated attacks.
  • APT10 specializes in stealing intellectual property, cyber-espionage, and targeting big private companies in the West, while APT27 has a broad spectrum of tools and tactics, including watering hole attacks, living-off-the-land attacks, and spear-phishing.

Cybersecurity is a growing field of study and an increasing concern of the major powers of the world. There is not a single world power today that doesn’t have entire departments dedicated to protecting their secrets, military developments, and technological advancements from hacker groups that seek to steal them. Chinese-associated hacker groups are some of the most sophisticated and the most notorious.

While hacker groups can have different allegiances or receive funding from different places, the most dangerous tend to be associated with governments. Particularly, rival governments tend to spy on each other, offering financing to hacker groups to infiltrate both government systems and private companies. This article will focus on the three worst Chinese hacker groups, their methods, key targets, and an estimate of how much damage they’ve caused.

Advanced Persistent Threats

Yes, we know what you’re thinking. It is a weird name, but there are a few reasons why the Cybersecurity and Infrastructure Agency (CISA) labels a group an “advanced persistent threat” (APT). These are adversaries with great levels of expertise and significant resources to achieve their objectives through various means, including cyber and physical attacks. 

The main characteristic of these groups is that they pursue their objectives over long periods of time and can adapt to overcome the resistance that their targets may pose. These objectives include data theft, espionage, and widespread system disruption. The following Chinese hacker groups fit within this definition.

Brief Overview

Let’s quickly look at the basic facts we’ll be talking about. The table below summarizes these hackers’ focus, key targets, and the methods they are known for using. 

Hacker GroupFocusKey Targets
APT41 Cyber-espionage and financially motivated attacksHealthcare, technology
gaming companies, IT services
APT10 Cyber-espionage and intellectual property theftAerospace, defense, technology, and healthcare sectors
APT27Cyber-espionage in both the public and private sectorsAerospace, defense, and travel sectors
Hacker GroupNotable ActivitiesMethods
APT41Data theft, ransomware attacks, supply chain compromises,
cyber-espionage and financial theft
Phishing, malware deployment, credential theft
APT10 “Cloud Hopper” campaigns targeting managed IT service providersSpear phishing, watering hole attacks, credential theft
APT27Covid phishing scams, stealing data from US intelligence agenciesSpear phishing, watering hole attacks, remote code execution, living-off-the-land attacks

#1 Chinese Hacker Group: Advanced Persistent Threat 41 (APT41)

the dark web hooded hacker
Advanced Persistent Threats are generally funded by governments.

Advanced Persistent Threat 41 is a particularly interesting case, as it can seamlessly change between cybercrime, believed to be sponsored by the Chinese government, and financial crimes that seek personal gain. Though they are often associated with or linked to Operation Aurora, which took place in 2009, they probably emerged more formally around 2012. The Chinese government probably sponsors them, but it likely didn’t create it, and they’ve stolen trillions of dollars in intellectual property for them.

MethodsCyber-espionage, supply-chain attacks, data theft, ransomware
Relevant TargetsHealthcare, gaming, technology, various industries
Notable OperationsOperation Aurora (2009)
Approximate Monetary DamageTrillions of USD
AliasesWinnti, Double Dragon, BARIUM, LEAD, WICKED SPIDER, WICKED PANDA, Blackfly, Winnti Umbrella

APT41 Key Tactics

As we noted, Advanced Persistent Threat 41 mainly focuses on cyber espionage, but they also engage in financially motivated attacks. To these ends, they rely on a few key tactics. The main ones are spear-phishing, malware, and ransomware attacks.

Spear-phishing is a classic tactic that consists of sending a message crafted to gain the confidence of a particular individual to then entice them to click on a malicious link which oftentimes steals their personal data. It can also have the objective of making the receiver download a malicious file that could contain a virus or other such programs. 

Malware oftentimes goes hand in hand with phishing. It stands for “malicious software,” and refers to any software designed to infiltrate your computer without your consent. Viruses, trojans, and other known programs fall under this category. The main kind of malware that Advanced Persistent Threat 41 employs is ransomware. 

Ransomware is a kind of financially-motivated malware. After you download it, it encrypts your personal data and asks you to pay a very expensive ransom to get it back. This is a classic of hackers around the world, targeting big companies that can’t afford to lose company secrets. 

APT41 Key Targets

APT41’s main target is the United States Government, with a particular focus on entities that hold privileged information on geopolitical strategies or diplomatic communications. Additionally, it targets the aerospace and defense industry and the government entities related to those areas seeking to steal information on the latest defense technologies developed. The Chinese government likely sponsors them to gain sensitive information on military contracts and other information that would violate the national security system.

Google suspects they were behind Operation Aurora, in 2009. This was probably the first big worldwide hacking operation that made the news. APT41 targeted the most important private companies and government entities of the US and its allies. Some reported that even if this came to light in 2009, this attack was part of an ongoing effort since 2002! This makes estimating the damages impossible.

When Advanced Persistent Threat 41 is not stealing information for the Chinese government, it’s generally targeting private companies in different sectors, such as the gaming industry and companies in the technology or IT services areas. Google and Microsoft, for example, have both been targets of APT41. While the reasons why they would want to gain access to the largest telecommunications networks in the world might seem obvious, their attacks on the gaming industry are less so. 

The Winnti Group

The Winnti Group is an arm of APT41 that has been in operation since around 2009. They started out stealing and selling in-game assets and currencies which they could then trade on the black market for real money. This seems ridiculous until you consider the multi-million dollar size of in-game economies like that of World of Warcraft. The group has since expanded its objectives to include the IT and healthcare sectors in the United States. One focus is stealing patient records and medical data that they can sell on the black market.

They also interfere with the functioning of supply chains around the world, as they did with CCleaner’s supply chain back in 2017. They’ve developed a suite of software called Winnti Malware that is not only riddled with viruses and trojans, but also allows them to remotely control computers. In this case, the Winnti Group compromised CCleaner’s download servers and distributed a malicious version of the software. The idea is to install malware into a program before the developing company itself distributes it. This way their viruses reach more users.

2# Chinese Hacker Group: Advanced Persistent Threat 10 (APT10)

system hacked malware cybersecurity data security ransomware
APT10 focuses on stealing intellectual property.

APT10 came up in 2009, though according to the FBI, there is some evidence that points to them being active even earlier. They’re primarily known for stealing intellectual property and targeting big private companies in the West. They also specialize in cyber-espionage, seeking to steal sensitive information for the Chinese government

MethodsCyber-espionage, spear phishing, watering hole attacks, supply chain compromises
Relevant TargetsAerospace, defense, technology, managed IT service providers
Notable OperationsOperation Cloud Hopper (2014-2017)
Approximate Monetary DamageMany billions of USD
AliasesSTONE PANDA, Menupass Team, Granite Taurus, happyyongzi, POTASSIUM, Red Apollo, HOGFISH, Cloud Hopper, BRONZE RIVERSIDE, CVNX

APT10 Key Tactics

All Chinese-sponsored hacker groups use similar tactics. APT10 also employs spear phishing as one of its main tactics, sending malicious emails and messages through the web. However, they also use watering hole attacks and zero-day exploits to advance their objectives. 

Watering hole attacks aren’t as common as phishing, though they have a similar mode of operation. First, the hackers compromise a website that the target of the attack will probably access. Then they infect the site’s code with malicious material that can compromise the system of anyone who enters the website. The point is generally to steal sensitive data such as passwords.

Zero-day exploits are more inventive. Imagine you’re a development company and you roll out a new update for your program. Hackers can scan your new code for new vulnerabilities and attempt to compromise your program using those vulnerabilities, as you’ve had zero days to patch them. This is generally a very effective attack because zero-day vulnerabilities can often grant full access to a database or program, and this is why companies such as Microsoft are constantly rolling out updates on their operating systems.

APT10 Key Targets

Advanced Persistent Threat 10 made themselves known for two major hacking campaigns. The first, named Operation Cloud Hopper, was conducted mainly between 2014 and 2017. The hackers sought to access the networks of managed IT service providers such as Hewlett Packard, IBM, Fujitsu, Tata Consultancy Services, NTT Data, and other tech companies. In this attack, they got into the private networks of many of the major tech corporations of the world, allowing APT10 to steal sensitive company secrets worth potentially hundreds of millions or even billions of dollars. Accessing such huge networks gave hackers access to all of the network users’ data as well, so the actual damages could be enormous.

They were also the main group behind the targeting of Japanese government entities and private corporations in 2016. Their main objective was to steal intelligence about Japan’s defense capabilities. As Japan’s army can constitutionally only be used for defense, their target was the whole Japanese military. They continue their efforts today, mainly targeting the defense sector in the United States. 

3# Chinese Hacker Group: Advanced Persistent Threat 27 (APT27)

APT 27 often targets the aerospace industry.

APT27 has operated since around 2013, though it first came into the spotlight in 2015 after stealing “trillions of bytes of confidential data” from the US government and its private defense contractors. The operation was dubbed “Iron Tiger” and it quickly turned the group into a public enemy of the US. They are also famous for breaking into foreign embassies to extract secret information for the Chinese government, which not many Chinese hacker groups dare do.

MethodsSpear phishing, watering hole attacks, remote code execution, living-off-the-land attacks
Relevant targetsThe aerospace industry, foreign embassies, US intelligence agencies, and defense contractors
Notable OperationsOperation Iron Tiger
Approx. $ DamageMany Billions
AliasesIron Tiger, Earth Smilodon, TG-3390, Emissary Panda, BRONZE UNION, LuckyMouse

APT27 Key Tactics

This group has the broadest spectrum of tools and strategies out of all the ones we’ve talked about, with the possible exception of APT41. APT27 became famous for using watering hole attacks to target foreign embassies, such as Russia’s embassy in the USA in 2015.

They’ve also used a kind of attack that is uncommon among Chinese hacker groups, called “living off the land.” This means the hackers refrain from installing any programs of their own, using only the tools already installed in the system to carry off the attack. Thus, they are “living off the land,” or using what they find to carry out their mission.

The hackers use previously existing vulnerabilities to get access to a system, and then they use tools like Powershell, which comes with the Windows operating system, to modify some code and achieve their objective. They’ve used this method to steal weapons technology from the US government.

Of course, the classic tactic of these kinds of Chinese hacker groups is spear-phishing. APT27 used this tactic during the COVID-19 pandemic to install malware onto people’s computers. They would send a thematic email with a nice-looking PDF attached. Even after downloading the document, you probably wouldn’t realize that it wasn’t a PDF at all, but instead a different kind of document that allowed the hackers to steal your passwords, usernames, and bank data.

When they seek to steal personal data, they usually do so by email. When they seek to steal government or company secrets, however, they use high-powered artillery. For example, they’ve used backdoor-finding software called HyperBro for their living-off-the-land attacks, as well as a more complete state-of-the-art malware called SysUpdate.

APT27 Key Targets

APT27 doesn’t just focus on the US. Their targets are all around the world, including Germany, Turkey, and other countries in all the major continents. They appear particularly interested in technology, travel, and electronics, and they’ve targeted major private companies searching to steal any information related to those areas.

Microsoft is a common target of Chinese hacker groups, and the APT27 alias LuckyMouse is suspected of using Microsoft Exchange vulnerabilities to compromise email servers all over the world. LuckyMouse is also suspected of hacking the Mongolian government.

Researchers believe that APT27 was behind the 2021 attacks that compromised at least nine organizations in the healthcare, defense, technology, energy, and education sectors. The group exploited a critical vulnerability in an enterprise password management system and single sign-on solution developed by Zoho. Successfully exploiting the flaw would have allowed remote attackers to execute code to take full control of these systems.


The cybersecurity landscape is constantly evolving, and with that change comes new threats. Advanced Persistent Threats, as the US government calls them, are malicious hacker groups that make money stealing data and government secrets and selling them to foreign entities. Many times, governments finance these hacker groups to spy on their geopolitical enemies. Other times, these hackers act out of their own volition, generally looking for financial gain. 

APT10 and APT27 are prime examples of Chinese-sponsored groups whose primary intent is to infiltrate the United States government or its allies. Japan, being close to China, is also one of their main targets. Foreign entities want to know the latest technological developments of their rivals, and this entails accessing private companies as well, such as defense contractors or IT services providers. 

APT47 is a case of more selfishly driven actions but on a broader scale. What happens is that these groups start out as small associations looking to steal money, but once they start receiving funding from the Chinese government, they turn into huge corporations of criminals with little to no moral code. 

The National Security Agency and the Federal Bureau of Investigation in the United States lead the fight against them, though other NATO countries have also joined in their efforts. While more and more countries are starting to develop cybersecurity agencies, it doesn’t seem like these hacker groups will go away anytime soon.

Frequently Asked Questions

What is an APT?

An Advanced Persistent Threat is a well-funded adversary engaged in sophisticated, malicious cyber activity aimed at long-term network infiltration. This is the technical term for a very dangerous and capable hacker group.

What are the common targets of APTs?

Their main targets are government agencies and defense contractors. This often includes private companies that, if infiltrated, can grant access to wider networks. Some hacker groups also focus on financial crimes, including the theft of medical data they can sell on underground markets.

What is a phishing attack?

A phishing attack is when a hacker designs a message to make it seem trustworthy. One day you might open your email and find that a distant family member has contacted you or that your bank has sent you an email asking you to click on a link or download a file. If you fall for it, these groups can then infect your computer with malicious software and steal your data, ask for a ransom, or leak your private passwords.

What is a zero-day vulnerability?

Companies are often constantly updating their software. Take, for example, your operating system, which generally needs to be updated at least monthly. This is because hackers are constantly looking for vulnerabilities in the code. However, many times hackers can find a way in within the first day that an update is released. This gives them a way to infiltrate that software without the company being able to do anything.

Are APTs always sponsored by a government?

Short answer, no. In general, hacker groups tend to start out as small organizations that seek to make money illegally. They only turn into huge groups once they start receiving funding from a government interested in using their knowledge to attack an adversary. There are some notable exceptions, though they are rare.

To top