The threat posed by China-backed groups to enterprises is at an unprecedented level and continues to be underappreciated, according to experts in the field.
Kevin Mandia, founder at Ballistic Ventures and former CEO at Mandiant and cybersecurity reporter and author Nicole Perlroth unpacked their personal experience responding to attacks by China-based groups in a live conversation at RSAC Conference 2025.
Perlroth and Mandia focused heavily on the threat posed by China-backed threat groups.
“China’s almost doubled their aggression in cyber because there’s no agreed upon rules of engagement,” Mandia stated, adding that he’s not confident that such rules could ever be agreed upon.
To illustrate how the threat China poses to Western organizations has worsened over time, Mandia recalled a cyber attack response he led in 1996 in which a number of US Air Force bases were compromised by Beijing-based attackers.
In this instance, the threat actors routed through a West Coast university IP address linked to a former Chinese international student.
“I’ve had three or four cases in my life, where I had no remediation plan,” Mandia said.
“In 1996, when you see Marine, Army, DoE, and Air Force systems all compromised, 37 of them in a day. What was your remediation plan? You didn’t have a phone number to call.”
Perlroth began to report on cybersecurity in 2010 and attested to the slow work involved in getting organizations and governments to publicly recognize the risk these China-based, advanced persistent threats (APTs) posed.
Up to this point, Perlroth said, publications had failed to connect the dots between these attacks and coordinated campaigns by the Chinese government, with Mandia adding that Mandiant clients weren’t yet sold on the idea that a nation state would bother to hack them.
Things began changing when Mandiant published a report into APT1 listing 141 victims the group had breached, evidence linking the group to the Chinese military, and details on its infrastructure and indicators of compromise (IOCs).
“We did it to genuinely push the agenda of ‘China’s literally hacking everybody, and nobody knows it’,” Mandia said. Today, China is publicly blamed for attacks on government systems and linked to known APTs.
Today, Western governments have become more outspoken in linking China to cyber attacks and have sanctioned organizations tied to malicious cyber activity. Despite this growing awareness of the threat posed by China-backed groups, Perlroth said people still don’t have a firm grasp on the extent to which China has infiltrated enterprise systems, primarily for IP theft.
When critical infrastructure is hacked, Perlroth said the aim may simply be to breach, remain undetected, and potentially siphon more credentials:
“We haven’t seen them jump over to the OT yet, you’ve heard these public comments from government officials that we know they have the capability. We haven’t seen it yet, but it’s very clear that they’re there waiting.
“I think the most generous theory is mutually assured digital destruction – we’re all holding guns to each other’s heads, daring the other to shoot first. And it’s our new form of deterrence.”
Perlroth warned that this could be used in the case of a geopolitical upset, to cause the equivalent of four or five attacks on the scale of the Colonial Pipeline breach.
It’s clear there’s still more to unpack in the behavior of China-backed groups. Perlroth pointed to the example of the Littleton, Massachusetts, Water Department, which was recently breached by Volt Typhoon despite the organization’s small size.
In her phone call with the General Manager, he questioned how the attack could possibly benefit the threat group.
“That’s the question we should all be reckoning with right now: Why is China compromising the little local water electric utility department in Littleton, Massachusetts?”
“Hygiene does matter”
Looking at the threat landscape more broadly, Mandia predicted a rise in cyber crime driven by geopolitical tensions and rising economic turmoil, as people looked to obtain funds using cyber attacks and nation states offered sovereign hackers safe harbor from US extradition.
Stating the US has “basically a trade war going on”, Mandia warned security teams will be ordered to tighten their belts by CEOs cutting discretionary spending.
“You should all, in security, be thinking ‘How can I meet the expanding threat landscape by using the same resources or even less?’”
Using AI to boost security productivity and oversight has been a running theme at RSAC Conference 2025 and Mandia agreed that the technology could be used to help security teams meet their goals amid these budget cuts. He advised attendees to leverage AI to whatever extent they could, before they lose resources.
Mandia also freely admitted that he had changed his tune on cyber hygiene, having argued for years that it was good practice to follow but largely meaningless in the face of the most sophisticated threat actors.
“Hygiene does matter, I finally got there,” he told attendees.
“It absolutely does, it always has – I just ignored it because I saw the upper echelon attacks and said ‘Great hygiene wouldn’t help much here’. I was wrong.”
By way of explanation for his change of heart, Mandia stated that some of the most damaging breaches happening right now exploit N-day vulnerabilities, flaws for which a fix has already been released, and therefore could be prevented with proper patch management and cyber hygiene.
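The N-day point above comes down to a measurable gap: for each asset, is the installed version below the first fixed version, and for how many days has that fix been available? The following script is an added illustration and is not code from the article, from Mandia or from Mandiant. The advisory data, inventory, product names and dates are all constructed for the example (no real CVE identifiers are used); the one detail worth noting is that versions are compared numerically, because a lexical comparison would wrongly treat "2.9.7" as newer than "2.10.1".

```python
"""N-day exposure report: which assets still run software versions below the
version that fixed a known vulnerability, and for how many days that fix has
been available. Added illustration; advisories, inventory and dates below are
constructed and no real CVE identifiers are used."""
from datetime import date

# Constructed advisories: product -> (first fixed version, date the fix shipped)
ADVISORIES = {
    "webapp": ("2.10.1", date(2025, 1, 15)),
    "vpn-gw": ("9.3.0", date(2025, 3, 1)),
}

# Constructed asset inventory: (asset name, product, installed version)
INVENTORY = [
    ("srv-web-01", "webapp", "2.9.7"),
    ("srv-web-02", "webapp", "2.10.1"),
    ("srv-web-03", "webapp", "2.10.0"),
    ("edge-vpn-01", "vpn-gw", "9.2.4"),
    ("edge-vpn-02", "vpn-gw", "10.0.0"),
]


def version_key(version):
    """Split '2.10.1' into (2, 10, 1) so comparison is numeric, not lexical.
    Tuples of unequal length compare correctly too: (2, 10) < (2, 10, 1)."""
    return tuple(int(part) for part in version.split("."))


def patch_gap(inventory, advisories, today):
    """Return [(asset, product, installed, fixed, days_unpatched)] for every
    asset running a version older than the fix, longest-exposed first."""
    findings = []
    for asset, product, installed in inventory:
        if product not in advisories:
            continue  # no known fix to measure against
        fixed, fix_date = advisories[product]
        if version_key(installed) < version_key(fixed):
            days_unpatched = (today - fix_date).days  # the "N" in N-day
            findings.append((asset, product, installed, fixed, days_unpatched))
    return sorted(findings, key=lambda finding: -finding[4])


if __name__ == "__main__":
    for asset, product, installed, fixed, days in patch_gap(
        INVENTORY, ADVISORIES, date(2025, 4, 29)
    ):
        print(f"{asset}: {product} {installed} < {fixed}, fix available {days} days")
```

Run against the constructed data with 29 April 2025 as "today", the report lists srv-web-01 and srv-web-03 (fix available for 104 days) and edge-vpn-01 (59 days), while srv-web-02 and edge-vpn-02 are already at or above the fixed version. Feeding it a real inventory export and an advisory feed turns the hygiene argument into a prioritised list.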
Mandia also stressed there is a clear need for identity controls at an enterprise level, particularly as organizations move to use everything at their disposal to fend off automated attacks.
“I advise all security professionals to constantly revisit their identity security posture and impact it, either directly because you’re in charge of it, or indirectly with your government and subject matter expertise to lock it down,” he said.
Without proper identity management and a controlled environment that can detect suspicious lateral movement, Mandia warned that organizations could already be breached and not know it.
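One concrete form of the "environment that can detect suspicious lateral movement" Mandia describes is a check over authentication logs for an account that reaches many distinct hosts in a short window, the fan-out pattern a stolen credential produces. The script below is an added example, not code from the article or from Mandiant; the log format, host names, account names and threshold are all constructed for the illustration, and a real deployment would read the equivalent fields from the identity provider or endpoint logs.

```python
"""Flag accounts that successfully authenticate to many distinct hosts within a
short sliding window, a common signature of credential-driven lateral movement.
Added illustration; the log format and sample lines are constructed."""
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample log: "<ISO timestamp> <user> <source host> <destination host> <result>"
# Lines are deliberately out of time order to show that the detector sorts them.
SAMPLE_LOG = """\
2025-04-29T09:00:00 alice ws-101 fileserver-1 success
2025-04-29T09:05:00 alice ws-101 mail-1 success
2025-04-29T09:30:00 bob ws-204 fileserver-1 success
2025-04-29T02:10:00 svc-backup ws-310 db-1 success
2025-04-29T02:10:20 svc-backup ws-310 db-2 success
2025-04-29T02:10:45 svc-backup ws-310 app-1 success
2025-04-29T02:11:05 svc-backup ws-310 app-2 success
2025-04-29T02:11:30 svc-backup ws-310 dc-1 success
2025-04-29T02:11:50 svc-backup ws-310 dc-2 success
2025-04-29T03:00:00 carol ws-150 fileserver-1 failure
"""

WINDOW = timedelta(minutes=10)   # constructed tuning values; adjust to the environment
HOST_THRESHOLD = 5               # distinct destination hosts inside WINDOW before alerting


def parse_line(line):
    """Split one constructed log line into typed fields."""
    ts, user, src, dst, result = line.split()
    return datetime.fromisoformat(ts), user, src, dst, result


def find_lateral_movement(log_text, window=WINDOW, threshold=HOST_THRESHOLD):
    """Return {user: (window_start, alert_time, sorted hosts)} for each account
    whose successful logons reach `threshold` distinct hosts within `window`."""
    events = sorted(
        (parse_line(line) for line in log_text.splitlines() if line.strip()),
        key=lambda event: event[0],
    )
    recent = defaultdict(deque)  # user -> (timestamp, destination) pairs inside the window
    alerts = {}
    for ts, user, src, dst, result in events:
        if result != "success":
            continue  # failed logons belong to a brute-force check, not this one
        window_events = recent[user]
        window_events.append((ts, dst))
        # Drop events that have aged out of the sliding window
        while ts - window_events[0][0] > window:
            window_events.popleft()
        hosts = {destination for _, destination in window_events}
        if len(hosts) >= threshold and user not in alerts:
            alerts[user] = (window_events[0][0], ts, sorted(hosts))
    return alerts


if __name__ == "__main__":
    for user, (start, end, hosts) in find_lateral_movement(SAMPLE_LOG).items():
        print(f"ALERT {user}: {len(hosts)} hosts between {start} and {end}: {hosts}")
```

On the constructed log, alice and bob stay below the threshold, carol's failed logon is ignored, and svc-backup is flagged at its fifth distinct host (dc-1), 90 seconds after its first logon in the window. The sliding window rather than a fixed daily bucket is the design point: a service account touching five servers over a working day is ordinary, five in ninety seconds at 02:10 is not.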