Note: Quotes have been edited for clarity.
After decades of tracking Chinese nation-state actors, cybersecurity veterans have never witnessed the scale and sophistication of threats we're seeing today. Organizations must fundamentally rethink their defensive posture to counter this escalating campaign.
The New Reality of Attacks at Unprecedented Scale
In a recent conversation on the Threat Vector podcast with host David Moulton, Chief Security Intelligence Officer Wendi Whitmore, of Palo Alto Networks, puts today's threat landscape in stark historical perspective:
I have been conducting investigations in this space, specifically toward nation-state actors, for almost 25 years. It's been a while, and we have never seen, during that time frame, the scale of persistent threat activity that we're seeing today from Chinese nation-state threat actors.
Recent data validates this assessment. Chinese cyberattacks on Taiwan government departments doubled in 2024 from the previous year to an average of 2.4 million attacks a day, while China-nexus activity has surged by 150% overall. The numbers tell only part of the story – attackers now operate with unprecedented speed.
"We're looking at within hours, and in some cases minutes, of mass vulnerabilities being identified and then systems, applications and services being identified for future exploitation," Whitmore explains. This acceleration mirrors data from the Unit 42 Incident Response Report, which shows software and API vulnerabilities now account for 38.60% of initial access in attacks, up from 28.20% the previous year.
Testing Infrastructure for Future Conflict Beyond Traditional Espionage
Chinese threat actors aren't just stealing data, they're positioning themselves strategically. Whitmore describes operations that span entire governments: "Last year, we released research on about 23 different government organizations in Cambodia being compromised at nearly the same time. So we're looking at whole-of-government scale operations."
The targeting extends globally with calculated precision. "If you're an ally of the Chinese government, you are just as likely to be impacted by espionage as people who are not on the top of that ally list," Whitmore notes. Attacks by Chinese Communist Party (CCP)-backed groups on U.S. critical infrastructure have been used periodically to test access to systems and to see whether vulnerabilities get patched, indicating that threat groups are lying in wait.
Additionally, the geographic focus reveals strategic intent. Many of the attacks have targeted critical infrastructure in Guam and the West Coast of the U.S., likely indicating the CCP's focus on Taiwan and ensuring the U.S. cannot efficiently respond to potential conflict scenarios.
Where Technology Meets the Human Factor
Whitmore emphasizes that cybersecurity challenges extend far beyond technical solutions. The human element creates both vulnerabilities and opportunities that organizations must address comprehensively.
Critical Human Vulnerabilities
- Password reuse across environments: "What you have is administrators who have a tough job to do. They're pulled in a million different directions, and so what happens? They sometimes reuse passwords both within the corporate IT environment, as well as the industrial control systems environments."
- Conflicting operational priorities: Legacy systems "were not designed with security in mind. They were designed with uptime and availability as their primary goal."
- Cultural resistance to change: Organizations need "a cultural mindset shift" to effectively integrate security into operational technology environments.
The Human Solution Framework
- Comprehensive stakeholder involvement: Effective preparation "cannot be just security professionals who are involved in that. It really needs to be from the boardroom to the security operations center."
- Extended ecosystem engagement: Include "partners, vendors, external counsel, law enforcement, and even better yet, bring the regulators into the dialogue."
- Relationship building before crisis: "The most prepared organizations we see are having that level of dialogue, preparedness and making sure that those relationships are in place in advance of an attack."
The Indiscriminate Data Grab Strategy
Today's attackers have abandoned selective targeting for wholesale collection. The Unit 42 report reveals that 93% of cases investigated revealed indiscriminate data theft in 2023, up from 81% in 2022 and 67% in 2021. This shift reflects both automated tool availability and attackers' recognition that bulk data often reveals valuable targets when analyzed later.
Whitmore describes the threat actors’ scale:
Their ability to operate and collect information and data at scale – whether it's from critical infrastructure entities, whether it's for corporate espionage purposes, whether it's simply data collections to be used for a later time.
Breaking Down Barriers Through Human Connection
Despite escalating threats, Whitmore identifies effective intelligence sharing as a significant improvement driven by human relationships and crisis catalysts. "I do think intel sharing is happening more effectively than ever before," she explains. "People are in Slack channels together. They're on the phone together on a daily basis, sharing information in real time."
The transformation stems from a shared purpose of overcoming competitive barriers. "The Russia-Ukraine invasion really was a catalyst for a lot of that," Whitmore notes. "When it actually came time to say, ‘Wow, okay. There are people's lives we need to protect here.’ I think a lot of those barriers broke down between competitors in particular."
For intelligence sharing to succeed, Whitmore emphasizes it "needs to be contextualized and actionable, and it can't be slow and gated and working through bureaucratic means."
Preparing for AI-Accelerated Threats
Generative AI played a pivotal role in enabling many malicious attacks during 2024, from creating convincing fake job candidates to disrupting elections. Whitmore advocates for defensive AI adoption but clarifies the human role: "Organizations should be fighting AI with AI, but that term can be misinterpreted or it can be kind of ambiguous."
Her vision balances automation with human expertise:
Organizations need to be looking at, on the defensive side, how they implement AI into their workflows to give them increased visibility and increased speed to detect threats. There is no way that we are going to defeat these adversaries if we are working at manual speed and not taking as many of the manual tasks away from humans – letting machines do those and letting humans do what we do best, which is work on solving the most challenging problems.
Comprehensive Scenario Planning, Beyond Technical Exercises
Effective preparation requires thinking beyond immediate organizational boundaries. Whitmore describes comprehensive planning: "They're not only looking at: What happens if our organization goes down? But, they're looking at what if one of my most critical supply chain providers goes down? What do we do then? How do we communicate with them during this event?"
The planning must address practical details, she notes: "That's everything from the hardware that may be required to run the network, to what email devices [or] what email accounts are we going to communicate from, right? All of those are things that should be included in that preplanning."
Real-world examples demonstrate the scope required. Whitmore describes the Olympics preparation: "We worked with critical infrastructure providers who are providing power to the games, transportation, rail lines, airways, buses, infrastructure providers … like the actual physical security at these events. And then all of the financial processing systems."
“Shields Up” — The New Normal Requires Human Leadership
"Cybersecurity has never been more important than it is today," Whitmore concludes. "Know that other nation-state adversaries throughout the world are leveraging cybersecurity to attack us, to attack our allies. And investments need to be made in making sure their defenses are consistent with a shields-up posture all of the time."
Organizations can no longer treat cyberthreats as episodic risks requiring only technical solutions. Success demands human leadership that recognizes relationships, communication and cultural change as essential components of effective cybersecurity. As the Unit 42 Incident Response Report shows, attackers are moving toward "more technologically advanced – and perhaps more efficient – infiltration methods," making the human aspects of preparation, coordination and rapid decision-making as critical as any technology deployment.
The scope and sophistication of Chinese nation-state operations demand recognition that cybersecurity is fundamentally a human challenge enabled by technology, not the reverse.
Beyond Technical Fixes
The unprecedented scale and sophistication of today's cyber threats, particularly from Chinese nation-state actors, demand more than incremental improvements to existing defenses. Organizations need comprehensive strategies that combine advanced technology with strong human leadership, proactive relationship building and cultural transformation.
As Whitmore emphasizes, "Cybersecurity has never been more important than it is today." The question isn't whether your organization will face these threats, but whether you'll be prepared when they arrive.
Ready to Learn More?
For deeper insights into threat trends, attack methodologies, and defensive strategies, dive into the complete Unit 42 2024 Threat Report.