Asia Produces More APT Actors, as Focus Expands Globally - Dark Reading
China- and North Korea-aligned groups account for more than half of global attacks, and an increasing number of countries look to cyber to balance power in the region.
Robert Lemos, Contributing Writer
May 20, 2025
Advanced persistent threat (APT) actors aligned with China and North Korea now account for the majority of sophisticated attacks detected during the past two quarters, as tension in the Asia-Pacific region heats up and China increasingly flexes its muscle.
While the most significant growth in attacks from the two Asian nations has focused on European targets, the Southeast Asian region has seen increases in state-backed attacks as well, with government and educational organizations among the favorite targets, according to the biannual "APT Activity Report" published by cybersecurity firm ESET. The expansion in global activity comes as more regional players develop their own capabilities in cyber offense, with India, Taiwan, and the Philippines all seeing more attacks but developing their own capabilities as well.
Governments in Asia Pacific are increasingly turning to the cyber domain to help them achieve national goals, says Robert Lipovsky, senior manager of malware research for ESET.
"Slowly, month after month, we've been detecting new targets basically all over the world, and it really aligns with the Belt and Road [global infrastructure] initiative that China [started the last decade]," he says. "Basically, the maritime sector is a sector that China seems to be really interested in, so the cyber domain is being used in tandem with these goals."
Data from the last three ESET reports covering 18 months show that China and North Korea have embraced state-sponsored cyber offense as a tool for projecting power, causing other nations in the region to invest in their own capabilities. China's rising tensions over Taiwanese independence and its conflict with the Philippines and other nations over territory in the South China Sea have both led to spikes in attacks.
Over 18 months, China and North Korea's share of global APT attacks has grown to 55%. Source: ESET data from its last three reports
More Than Just China, North Korea
While attacks from the prolific APT groups in China and North Korea continue to make up much of the activity in the region, other nations are using cyber operations as part of their approach to regional conflicts, says Feike Hacquebord, principal threat researcher at cybersecurity firm Trend Micro. The escalation in violence between India and Pakistan, for instance, has resulted in more hacktivism, as well as an increase in state-backed cyber operations.
Companies in the region need to be aware of the geopolitics, he says.
"Obviously, the tensions in the APAC region are high, so if you want to understand the why of the campaigns companies are facing there, then it's very important to follow the news," he says, adding: "Of course, there are always the financially motivated campaigns as well, so those will be present in the numbers."
While China and North Korea make up about 55% of all attacks investigated by ESET in the fourth quarter of 2024 and the first quarter of 2025, other APT groups in the Southeast Asia region accounted for 3.2% of attacks, according to the company's report.
Also, many of the state-sponsored groups are developing their own set of tactics, techniques, and procedures (TTPs). Whereas Russia-aligned APT groups often use spear-phishing in initial access, for example, China-aligned APT groups focus on exploiting vulnerabilities and remaining stealthy through living-off-the-land techniques, says ESET's Lipovsky.
"Essentially, [they're] abusing their victims as proxies in order for them to hide — to camouflage their command and control infrastructure," he says. "This is a stealth technique that they're using quite a lot, and it also provides protection for their infrastructure."
Chinese APTs Cast a Wider Focus Beyond APAC
Overall, Chinese and North Korean groups appear to be increasingly pushing onto the global stage. While North Korea continues to focus heavily on its rival South Korea, ESET observed the North Korea-aligned cybercriminal group DeceptiveDevelopment using job scams to target cryptocurrency and investment sector job seekers in Europe, resulting in a backdoor being deployed on the victims' systems.
China-linked threat actors are also increasing their activities against European and US targets, ESET's Lipovsky says.
"China-aligned groups have really shifted their focus to a more global target set, and we've seen more and more attacks ... against Europe and the US," he says. "It's not to say that they're not interested in targeting Asian targets anymore — that still happens — but their focus has shifted more towards these global targets."
Trend Micro's Hacquebord says the number of players in the region is also broadening.
"Some of the developing countries, they are getting better and better at cyber campaigns, so I expect more actors to do offensive campaigns," he says. "There are lots of tensions going on in the APAC region, so I don't expect that the number of campaigns will go down."
About the Author
Robert Lemos
Contributing Writer
Veteran technology journalist of more than 20 years. Former research engineer. Written for more than two dozen publications, including CNET News.com, Dark Reading, MIT's Technology Review, Popular Science, and Wired News. Five awards for journalism, including Best Deadline Journalism (Online) in 2003 for coverage of the Blaster worm. Crunches numbers on various trends using Python and R. Recent reports include analyses of the shortage in cybersecurity workers and annual vulnerability trends.