The FBI & The PRC: A Lesson in Literary Precision
In their efforts to alert the American public about espionage and economic tactics allegedly deployed by the People’s Republic of China (PRC), the FBI and other agencies have assigned labels to various cyber threat actors. Yet the FBI’s own “counterintelligence” webpage leaves one wondering if they fully grasp the term they are using. While these official warnings often lack the depth expected of meaningful counterintelligence, open-source threat intelligence and reports from private cybersecurity firms provide the clarity and nuance the FBI’s materials seem to lack.
The “China threat,” as painted by the FBI, includes intellectual property theft, hidden intrusions into critical infrastructure, lengthy espionage operations, and the systematic harvesting of valuable information. For those hoping for more than a cursory explanation—and curious to see how the FBI’s invocation of “counterintelligence” stands up under scrutiny—it may be instructive to review some of the identified groups more closely. Examine the FBI’s own statements on its counterintelligence page and judge for yourself.
Detailed Examination of Typhoon Groups
Among the named threat actors are “Typhoon” groups, which, according to public reporting and independent analysis, may be associated with the PRC. While not all are equally documented, the groups discussed here represent distinct cyber operational patterns that emphasize stealth, persistence, and strategic targeting.
- Volt Typhoon:
Nature and Attribution: Volt Typhoon is associated with PRC-linked cyber activities. Security analyses suggest that Volt Typhoon focuses on stealthy infiltration, often targeting critical infrastructure to either collect intelligence or establish a foothold for potential future operations.
Key Techniques: Volt Typhoon is noted for using “living-off-the-land” techniques. Instead of relying heavily on custom malware, they leverage legitimate network tools, commands, and built-in utilities available within the compromised environment. This reduces their digital footprint and complicates detection. The group often uses compromised credentials and pivots laterally within a network by blending in with normal traffic and operations.
Potential Targets and Objectives: Public reporting suggests Volt Typhoon’s focus includes sectors vital to national security and economic continuity, such as communications, maritime operations, and utilities. Their objectives appear to align with long-term intelligence gathering and possibly preparing for future disruption scenarios, though conclusive evidence of destructive activities is not widely publicized. The strategic nature of these intrusions points toward state-sponsored espionage or preemptive positioning for geopolitical leverage.
- Salt Typhoon:
Nature and Attribution: Salt Typhoon is less prominently documented in public threat intelligence compared to Volt Typhoon. It has appeared in discussions related to PRC-linked cyber groups, but detailed open-source analyses are limited. This may indicate that Salt Typhoon is either a recently identified group, a subset of a larger known cluster of activity, or a name not widely adopted beyond a few specific sources.
Key Techniques: Although exact methods are not comprehensively recorded, Salt Typhoon, if consistent with other PRC-linked threat actors, would likely employ phishing campaigns, strategic malware implants, credential theft, and the exploitation of known vulnerabilities. Over time, such groups refine their techniques to bypass detection, incorporating both custom-developed tools and widely available utilities to maintain persistence.
Potential Targets and Objectives: If Salt Typhoon follows the broader pattern of state-aligned threat actors, it may seek intellectual property, sensitive organizational data, and geopolitical intelligence. Targets could include technology firms, government entities, defense contractors, and organizations involved in strategic industries. Without more in-depth reporting, specifics remain speculative, but it fits into a mosaic of PRC-linked cyber threats working to advance national interests through covert digital operations.
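Because living-off-the-land activity of the kind described for Volt Typhoon above runs binaries that are already on the host, there is little for signature-based tooling to key on; what remains is context: which parent process started the utility, whether that account has ever run it before, and when. The following is an added example written for this article, not code from the FBI, from any vendor report, or from the original page. The log format, hostnames, accounts, the watchlist of dual-use built-ins, the baseline of (user, image) pairs and the scoring weights are all constructed for illustration; in practice the events would come from Sysmon event 1, Windows 4688 or an EDR, and the baseline from weeks of observed history.

```python
"""Score process-creation events for living-off-the-land (LOTL) activity.

Added example, not from the original article or from any vendor. The log
format, host/user/process names, watchlist, baseline and weights are all
constructed for illustration.
"""
from __future__ import annotations

import re
from collections import namedtuple
from datetime import datetime, timezone

# Windows built-ins that administrators use legitimately but that LOTL
# intrusions also lean on. Illustrative, not exhaustive.
DUAL_USE_BINARIES = {
    "cmd.exe", "powershell.exe", "net.exe", "net1.exe", "netsh.exe",
    "wmic.exe", "reg.exe", "schtasks.exe", "sc.exe", "nltest.exe",
}

# Parents that should almost never spawn a shell or admin utility
# (web/app servers, office programs). Illustrative.
SUSPICIOUS_PARENTS = {"w3wp.exe", "httpd.exe", "tomcat.exe", "winword.exe", "excel.exe"}

# Constructed baseline: (user, image) pairs observed during a learning period.
BASELINE = {
    ("admin.jane", "net.exe"), ("admin.jane", "netsh.exe"),
    ("admin.jane", "powershell.exe"), ("svc_backup", "cmd.exe"),
}

Event = namedtuple("Event", "ts host user parent image cmdline")

LINE_RE = re.compile(
    r'^(?P<ts>\S+) host=(?P<host>\S+) user=(?P<user>\S+) '
    r'parent=(?P<parent>\S+) image=(?P<image>\S+) cmdline="(?P<cmdline>.*)"$'
)


def parse_event(line: str) -> Event | None:
    """Parse one constructed process-creation record; None if malformed."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    d = m.groupdict()
    d["ts"] = datetime.strptime(d["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    d["image"] = d["image"].lower()
    d["parent"] = d["parent"].lower()
    return Event(**d)


def score_event(ev: Event, baseline=BASELINE, work_hours=(7, 19)) -> tuple[int, list[str]]:
    """Return (score, reasons). Each heuristic adds points; none alone is proof."""
    score, reasons = 0, []
    if ev.image in DUAL_USE_BINARIES:
        score += 1
        reasons.append(f"dual-use built-in {ev.image}")
        if ev.parent in SUSPICIOUS_PARENTS:
            score += 3
            reasons.append(f"spawned by {ev.parent}")
        if (ev.user, ev.image) not in baseline:
            score += 2
            reasons.append(f"{ev.user} has no history of running {ev.image}")
    if not work_hours[0] <= ev.ts.hour < work_hours[1]:
        score += 1
        reasons.append(f"outside work hours ({ev.ts.hour:02d}:00 UTC)")
    return score, reasons


def find_alerts(lines, threshold: int = 4):
    """Return (host, user, image, score, reasons) for events at or above threshold."""
    alerts = []
    for line in lines:
        ev = parse_event(line)
        if ev is None:
            continue  # unparseable line: skip rather than crash the pipeline
        score, reasons = score_event(ev)
        if score >= threshold:
            alerts.append((ev.host, ev.user, ev.image, score, reasons))
    return alerts


# Constructed process-creation records, not real telemetry.
SAMPLE_LOG = [
    '2024-05-02T09:14:07Z host=WS01 user=admin.jane parent=explorer.exe image=net.exe cmdline="net use"',
    '2024-05-02T03:22:41Z host=WEB01 user=svc_web parent=w3wp.exe image=cmd.exe cmdline="cmd.exe /c hostname"',
    '2024-05-02T02:05:13Z host=DC01 user=svc_backup parent=services.exe image=nltest.exe cmdline="nltest /dsgetdc:corp"',
    '2024-05-02T14:30:00Z host=FS02 user=svc_backup parent=backup_agent.exe image=cmd.exe cmdline="cmd.exe /c dir"',
    "garbage line that does not parse",
]

if __name__ == "__main__":
    for host, user, image, score, reasons in find_alerts(SAMPLE_LOG):
        print(f"[score {score}] {host} {user} {image}: " + "; ".join(reasons))
```

Run stand-alone, the script flags the web-server account's shell on WEB01 and the backup account's first-ever use of nltest.exe on DC01, and stays quiet about an administrator running net.exe during the day. The design point is that no single line is malicious on its face; the alert comes from the combination of a dual-use binary, an unusual parent, an account that has never run it and the hour, which is exactly the context that blending in with normal operations tries to deny a defender.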
In-Depth Look at APTs Associated with the PRC
In cybersecurity terminology, “APT” stands for Advanced Persistent Threat. This term is used to describe well-resourced, highly skilled, and patient adversaries that infiltrate networks and remain undetected for extended periods. APT groups associated with the PRC have attracted significant attention due to their blend of espionage, intellectual property theft, and sometimes even financially motivated criminal activities. While APT41 was explicitly mentioned, it represents only one of several recognized PRC-linked APT groups.
APT41
Nature and Attribution: APT41 is one of the most frequently discussed PRC-associated APT groups. It is notable for engaging in both state-sponsored cyber espionage and financially driven cybercrime. Security companies and government agencies around the world have attributed a range of campaigns and operations to APT41, which also goes by other aliases, such as “Double Dragon.”
Key Techniques: APT41 is known for its quick exploitation of newly disclosed software vulnerabilities—often within hours or days of a vulnerability’s public revelation. It uses a combination of spear phishing, supply chain compromises, web shell deployments, and custom malware families. The group’s technical sophistication includes the use of credential theft, DLL side-loading, and cloud service abuse to evade detection. APT41’s adaptability and versatility allow it to pivot swiftly in response to security measures or countermeasures by defenders.
Potential Targets and Objectives: APT41’s victims span multiple industries and geographic regions. Known targets include healthcare (for intellectual property or patient data), video game companies (for financial gain), telecommunications firms, higher education institutions, and manufacturing sectors. While the espionage-oriented missions seek proprietary information and strategic intelligence, the financially motivated side of APT41’s operations can involve ransomware, cryptocurrency mining, and the sale of stolen data on underground forums. Its dual focus makes APT41 stand out as a particularly versatile and persistent threat.
Other PRC-Linked APTs
APT41 is far from the only Chinese state-linked Advanced Persistent Threat (APT) group. Over the past decade, numerous other PRC-associated APTs have been identified, each with distinct targeting patterns, toolsets, and strategic objectives. These groups have been the subject of extensive research by cybersecurity firms, government agencies, and investigative journalists. Although their methods vary, they share a common thread: serving long-term strategic intelligence collection, economic espionage, and national security goals on behalf of the People’s Republic of China. Below is a more comprehensive overview of some of the most notable PRC-linked APTs, along with recent reports and analysis that highlight their evolving technical sophistication and persistent threat to global organizations.
- APT1 (Comment Crew): Widely regarded as one of the earliest, most prolific, and most well-documented Chinese cyber espionage units, APT1 was brought into the spotlight with the groundbreaking 2013 Mandiant report. Believed to be associated with the People’s Liberation Army’s Unit 61398, APT1’s operations spanned across multiple industries, from defense to critical infrastructure. This group is known for its methodical, long-term infiltration of networks, the theft of substantial amounts of intellectual property, and a preference for custom remote access tools (RATs), targeted spear-phishing campaigns, and advanced persistence techniques.
Recent Coverage: In recent years, journalists and security researchers have revisited APT1’s techniques to highlight how their foundational tactics influenced subsequent PRC-linked APT operations. Some analysts at Recorded Future have noted that while older APT1 indicators of compromise (IOCs) are now better understood, similar TTPs (Tactics, Techniques, and Procedures) still serve as a blueprint for newer groups. Reports from ThreatPost and The Hacker News continue to reference APT1’s historical activities to contextualize the evolution of Chinese cyber espionage.
- APT3 (Gothic Panda):
APT3, often referred to as Gothic Panda, has been active since at least 2010 and is believed to operate under the direction of China’s Ministry of State Security. Known for employing zero-day vulnerabilities in their operations, APT3 has primarily targeted aerospace, defense, and telecommunications firms. The group’s technical prowess lies in its ability to rapidly integrate new exploits into its toolset, leverage watering-hole attacks, and pivot within victim environments using advanced credential theft techniques. Their malware arsenal often includes sophisticated backdoors and command-and-control infrastructure designed to blend in with normal network traffic.
Recent Coverage: Over the past couple of years, research published by FireEye (now Mandiant), CrowdStrike, and Cisco Talos has shed light on APT3’s updated malware variants and shifting infrastructure. Investigative articles from cybersecurity blogs, such as SecurityWeek and Dark Reading, have noted how APT3 quickly adopts newly disclosed vulnerabilities—often within weeks of their public reveal—demonstrating a fluid adaptability and a high operational tempo.
- APT10 (Stone Panda / MenuPass Group):
Renowned for large-scale, global cyber espionage campaigns, APT10—also known as Stone Panda—gained notoriety for targeting Managed Service Providers (MSPs) as a way to gain access to a multitude of downstream clients. By compromising MSPs, APT10 could stealthily infiltrate numerous industries, from healthcare and biotechnology to manufacturing and finance. Their approach often involves meticulous reconnaissance, spear-phishing with custom malware, strategic web compromises, and abuse of legitimate credentials to maintain a foothold within victim networks.
Recent Coverage: Security firms like PwC, Rapid7, and Symantec have produced detailed reports on APT10’s campaigns, many of which have emphasized the group’s patience and skill in lateral movement and privilege escalation. In 2020 and 2021, several news outlets (e.g., Reuters, Wired) highlighted APT10’s role in the theft of intellectual property and sensitive business data, as well as their ongoing interest in COVID-19 vaccine research and related pharmaceutical sectors. In late 2022, analysts noted a resurgence in APT10 activity, employing advanced obfuscation techniques and updated toolsets that circumvent traditional antivirus and endpoint security solutions.
- APT27 (Emissary Panda):
APT27 has frequently focused on organizations within the defense, aerospace, energy, and technology sectors. Known for the use of custom RATs (e.g., “Emissary” and “HyperBro”), APT27 shows a strong capability to blend into victim networks, leveraging stolen credentials for persistent access. This group often invests substantial effort in reconnaissance to understand the internal network architecture before exfiltrating sensitive documents, trade secrets, and strategic business plans.
Recent Coverage: In-depth threat intelligence from firms like Kaspersky and CrowdStrike has documented an uptick in APT27’s campaigns targeting engineering and research organizations in 2023. News outlets, including The Register and ZDNet, have reported on this APT’s ability to circumvent multi-factor authentication (MFA) in certain scenarios, as well as their use of dynamic DNS services to quickly change infrastructure and evade detection. Additionally, several security blogs have highlighted APT27’s interest in bypassing endpoint detection and response (EDR) solutions through custom malware packers and memory-only payloads.
- APT40 (Periscope / Mudcarp):
APT40 is closely tied to maritime and engineering espionage, with a strong focus on targets related to naval technology, maritime research, and engineering firms. The group’s operations align closely with China’s maritime strategic priorities, suggesting state-level sponsorship. APT40 is adept at constructing phishing campaigns that cater to the interests of specific individuals, using well-researched social engineering lures. Once inside a victim network, APT40 employs a variety of custom backdoors, credential-harvesting tools, and fileless malware frameworks to maintain long-term access.
Recent Coverage: In late 2021 and throughout 2022, reports from organizations like FireEye/Mandiant, Microsoft Threat Intelligence Center, and NTT Security revealed APT40’s evolving toolkit, including the abuse of cloud platforms and advanced lateral movement tactics. Investigative pieces by The New York Times and Bloomberg have discussed U.S. and allied nation indictments and sanctions targeting alleged members of APT40, while security researchers continue to track the group’s active compromise of academic institutions involved in marine engineering and oceanographic research.
Collectively, these PRC-linked APTs represent a broad and versatile cyber espionage apparatus, each specialized in particular sectors or strategic domains. Recent intelligence and reporting underscore their growing technical sophistication: from adopting zero-days shortly after their disclosure, to innovating in fileless malware, to refining their social engineering tactics. By adjusting their techniques in response to industry-wide improvements in cybersecurity, these groups maintain a persistent, dynamic threat landscape. Their campaigns are regularly discussed in prominent cybersecurity conferences (e.g., Black Hat, RSA), and their evolving tradecraft is dissected by top cybersecurity firms and news outlets alike, ensuring that the world continues to pay close attention to their technical prowess and strategic imperatives.
Conclusion
The landscape of PRC-linked cyber threats includes a range of actors, from stealth-focused Typhoon groups like Volt Typhoon and the lesser-documented Salt Typhoon, to well-established APT groups with extensive track records such as APT41, APT1, APT10, and others. Together, they reflect an evolving, persistent, and resourceful ecosystem of cyber operations aimed at advancing strategic, economic, and technological interests.
While public information can be fragmentary, conducting further research, consulting reputable threat intelligence reports, and filing Freedom of Information Act (FOIA) requests (with the understanding that responses may be limited or redacted) can offer more clarity. As the cybersecurity community continues to study these groups, the ongoing accumulation of knowledge will help defenders and policymakers better understand, mitigate, and respond to the risks posed by such advanced persistent threats.
picoCTF and HTML-Based Security Challenges
For those interested in practical cybersecurity exercises, platforms like picoCTF provide a valuable environment to learn and practice. picoCTF is a capture-the-flag (CTF) style competition designed for students and enthusiasts. Many challenges require participants to inspect HTML, JavaScript, and related web components to find “flags” or hidden data. By examining HTML source code, network requests, and embedded scripts, students gain insight into how threat actors might hide malicious code, execute phishing attacks, or leverage vulnerabilities. This hands-on approach can help individuals understand how adversaries operate and how to detect subtle indicators of compromise.
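The kind of source inspection described above, as an added example written for this article rather than picoCTF’s own code: a small Python parser that pulls out HTML comments, hidden form fields, data-* attributes and quoted strings inside inline scripts, tries to decode any that look like base64, and reports matches of the picoCTF{...} flag pattern. The sample page and its flag values are constructed (only the picoCTF{...} format itself is picoCTF’s public convention); the parser examines nothing beyond what the server already sent, the same material a browser’s view-source shows.

```python
"""Find the places a CTF web challenge (or a careless app) leaves data in HTML.

Added example for this article; not picoCTF's code. The sample page below is
constructed, and picoCTF{...} is only the public flag format, not a real flag.
"""
from __future__ import annotations

import base64
import re
from html.parser import HTMLParser

FLAG_RE = re.compile(r"picoCTF\{[^}]*\}")
# Quoted strings of 16+ base64 characters are worth trying to decode.
B64_RE = re.compile(r"^[A-Za-z0-9+/]{16,}={0,2}$")
QUOTED_RE = re.compile(r'"([^"]*)"|\'([^\']*)\'')


class HiddenDataFinder(HTMLParser):
    """Collect comments, hidden inputs, data-* attributes and inline scripts."""

    def __init__(self) -> None:
        super().__init__()
        self.comments: list[str] = []
        self.hidden_inputs: list[tuple[str | None, str | None]] = []
        self.data_attrs: list[tuple[str, str, str | None]] = []
        self.scripts: list[str] = []
        self._script_buf: list[str] | None = None  # non-None while inside <script>

    def handle_comment(self, data: str) -> None:
        self.comments.append(data.strip())

    def handle_starttag(self, tag: str, attrs) -> None:
        attr = dict(attrs)
        if tag == "input" and (attr.get("type") or "").lower() == "hidden":
            self.hidden_inputs.append((attr.get("name"), attr.get("value")))
        for name, value in attr.items():
            if name.startswith("data-"):
                self.data_attrs.append((tag, name, value))
        if tag == "script":
            self._script_buf = []

    def handle_data(self, data: str) -> None:
        if self._script_buf is not None:
            self._script_buf.append(data)  # script bodies may arrive in chunks

    def handle_endtag(self, tag: str) -> None:
        if tag == "script" and self._script_buf is not None:
            self.scripts.append("".join(self._script_buf).strip())
            self._script_buf = None


def decode_if_base64(token: str) -> str | None:
    """Return the UTF-8 plaintext if token is valid base64, else None."""
    if not B64_RE.match(token):
        return None
    try:
        return base64.b64decode(token, validate=True).decode("utf-8")
    except (ValueError, UnicodeDecodeError):
        return None


def analyze(html: str) -> dict:
    """Gather client-visible hiding spots and any flag-pattern matches in them."""
    finder = HiddenDataFinder()
    finder.feed(html)
    finder.close()

    # Everything below is text the server already delivered to the client.
    texts = list(finder.comments)
    texts += [value or "" for _, value in finder.hidden_inputs]
    texts += [value or "" for _, _, value in finder.data_attrs]
    decoded = []
    for script in finder.scripts:
        texts.append(script)
        for pair in QUOTED_RE.findall(script):
            token = pair[0] or pair[1]
            plain = decode_if_base64(token)
            if plain is not None:
                decoded.append((token, plain))
                texts.append(plain)
    flags = sorted({m for text in texts for m in FLAG_RE.findall(text)})
    return {
        "flags": flags,
        "comments": finder.comments,
        "hidden_inputs": finder.hidden_inputs,
        "data_attrs": finder.data_attrs,
        "decoded": decoded,
    }


# Constructed challenge page: a client-side check and a leftover comment.
SAMPLE_HTML = """<!DOCTYPE html>
<html><head><title>Login</title>
<script>
  // the "secret" is compared in the browser, so it ships with the page
  var expected = "cGljb0NURntjbGllbnRfc2lkZV9pc19ub3RfYV9zZWNyZXR9";
</script>
</head><body>
<!-- TODO remove before release: picoCTF{html_comments_are_public} -->
<form method="post">
  <input type="hidden" name="debug" value="off">
  <input type="text" name="user">
</form>
<div data-hint="look lower"></div>
</body></html>"""

if __name__ == "__main__":
    for key, value in analyze(SAMPLE_HTML).items():
        print(f"{key}: {value}")
```

The lesson a defender takes from the same exercise is the mirror image of the player’s: anything that reaches the browser is public, so secrets, access decisions and “debug” switches belong on the server, and a release checklist should strip comments and test-only fields before a page ships.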
US school emails and NSA Codebreaker Challenge
I'm not advising people to post their solutions on YouTube while the competition is active, to fuck it up for everyone, cuz some people may care about security clearance, but for people with US educational domain emails, and those who intend to forge successful applications into MIT, the NSA hosts a very long windowed competition every year and dynamically adjusts leaderboard and stats for US schools cuz including Canadian ones would be highly insulting to the Canadian government who also needs to hire people. https://nsa-codebreaker.org/home
How to Contact the Entities Discussed
If you have concerns, information, or inquiries related to the FBI’s advisories or potential cyber threats:
- FBI: For general inquiries, you can visit the FBI’s official contact page to find information on reporting cyber incidents, identifying your local field office, or submitting tips. For FOIA requests related to FBI investigations, refer to the FBI’s FOIA/FOIPA guidance.
- PRC-Linked Threat Intelligence: Instead of avoiding direct engagement, consider using platforms like Telegram to gain firsthand insights into PRC-linked threat actors. Actively participating in their open channels can provide early warnings on emerging threats, newly discovered vulnerabilities, and ongoing campaigns. By observing their methods and communications, you may identify behavioral patterns, tactical shifts, and indicators of compromise (IOCs) that you won’t find in secondhand reports. For those looking to go further, reaching out directly—carefully and anonymously—can help reveal recruitment methods, operational techniques, and even internal tensions between different factions. Remember to use burner accounts, isolate your research devices, and employ robust operational security (OPSEC) practices to reduce your risk. Consider partnering with reputable cybersecurity researchers or intelligence consultants who can guide your efforts and help validate your findings. If you’re interested in safely escalating your engagement or consulting with experts, you can contact us at info@cyberintelhub.example.com. Our team can provide tailored advice, vet your sources, and offer additional resources to help you navigate these spaces responsibly.