Data Breach

Chinese Cyber Contractors Use Malware, Botnets, and Stolen Data to Enable State Operations


Jun 22, 2026 · 4 min read

China’s cyber operations have evolved far beyond what most people imagine when they picture a state-sponsored hacker.

Instead of lone government agents breaking into servers, the country now runs an intricate web of private companies, contractors, and data brokers that collectively carry out espionage on behalf of its intelligence services.

The scale and sophistication of this ecosystem have surprised even seasoned security researchers.

At the center of this network are private technology firms that develop and sell hacking tools, build botnets, steal data, and resell access to government clients.

Operations attributed to groups like Salt Typhoon, Flax Typhoon, and Volt Typhoon reveal how Chinese state-sponsored campaigns now depend on a thriving commercial layer to function.

These private players supply everything from malware and network infrastructure to raw stolen data, turning cyber espionage into a marketplace.

Analysts at BindingHook identified a new framework for understanding these operations, calling it “composite responsibility.”

Rather than assigning an entire campaign to one APT label, this model recognizes that a single operation may involve multiple entities, each playing a distinct role and bearing a different level of responsibility.

BindingHook's report, shared with Cyber Security News (CSN), details how the US and its partners attributed Salt Typhoon, one of the most damaging cyber espionage campaigns against Western telecommunications infrastructure, to at least three China-based private firms.

These companies reportedly provide cyber-related products and services to China’s intelligence services, with the UK’s NCSC stating they “enabled” the activity. Yet as of mid-2025, the tasking relationships and specific roles of these firms remain largely undescribed publicly.

The leaked internal documents from I-Soon, a Chinese private contractor tied to the Ministry of State Security and Ministry of Public Security, offered a rare window into how this model works.

I-Soon employees conducted intrusions as contractors, fed results back to government clients, and managed campaigns targeting at least 14 governments.

The leak confirmed that Chinese cyber operations are not monolithic but layered, commercially driven ecosystems.

Chinese Cyber Contractors Use Malware, Botnets, and Stolen Data

Private-sector entities in China have become the backbone of state-sponsored hacking campaigns, supplying tools, infrastructure, and stolen data to government buyers.

The privately developed ShadowPad backdoor was sold to multiple suspected PLA units, including RedFoxtrot and Tonto Team, and shared with entities like Chengdu404, whose staff were charged for activity attributed to APT41.

This shows that responsibility can extend to the company that commercialized malicious software, not just the hackers who deployed it.

The Raptor Train botnet, disrupted by the United States, offers a clear illustration of this contractor model.

It was attributed to Chengdu-based Integrity Technology Group, found responsible for developing the botnet and therefore held partly accountable for intrusion activities attributed to Flax Typhoon.

Both the US and UK governments sanctioned Integrity Tech for controlling a covert cyber network and providing technical assistance to those conducting attacks.

Data brokering adds yet another layer to these operations. Individuals linked to APT27, including Yin Kecheng and Zhou Shuai, conducted hacking campaigns and then sold stolen data to multiple customers, some of which were Chinese government entities.

In some cases, data stolen by Yin was resold through I-Soon, introducing additional resale layers between the original intrusion and the end consumer.

Strengthening Defenses Against These Threats

Security teams facing these layered threats should begin by mapping all network-connected devices and developing a clear understanding of normal traffic patterns.

Using multi-factor authentication, restricting access through allowlists, and adopting zero-trust architectures are all recommended steps for organizations at elevated risk. Real-time threat intelligence feeds can help defenders identify botnet activity before it enables a larger intrusion.

For high-risk environments, authorities advise actively hunting for suspicious traffic from consumer-grade devices such as SOHO routers, since these are commonly enrolled into covert networks.

Organizations should monitor network traffic flows to detect unusual behavior patterns that could indicate hidden infrastructure.

Applying network segmentation and deploying host-based intrusion detection systems further limits the damage an attacker can do once inside.
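The defensive steps above (map every device, learn what its normal traffic looks like, allowlist sanctioned destinations, and hunt for regular check-in traffic from consumer-grade devices) can be combined into a single flow-monitoring check. The following is an added example written for this article, not code from the report or from any vendor. It assumes a minimal asset inventory, a constructed allowlist, and a handful of constructed NetFlow-style records; the device classes, IP addresses and thresholds are illustrative assumptions. Flows from an internal host to an external destination are flagged when the host is not in the inventory, when the destination was never seen in the training window and is not allowlisted, or when the timing of repeated connections is regular enough to look like a beacon.

```python
from collections import defaultdict
from dataclasses import dataclass
from ipaddress import ip_address, ip_network


@dataclass(frozen=True)
class Flow:
    ts: int      # epoch seconds of the flow start
    src: str     # internal source address
    dst: str     # destination address
    dport: int   # destination port
    nbytes: int  # bytes transferred (kept for completeness, unused by the rules)


# Assumed asset inventory: internal address -> device class. In practice this
# comes from the device-mapping exercise the article recommends.
INVENTORY = {
    "10.0.0.1": "soho-router",
    "10.0.0.20": "workstation",
    "10.0.0.30": "server",
}

INTERNAL = ip_network("10.0.0.0/8")

# Constructed allowlist of sanctioned external (address, port) pairs,
# e.g. a corporate web service and an NTP source.
ALLOWLIST = {("203.0.113.10", 443), ("203.0.113.11", 123)}

# Constructed training window: traffic known to be normal.
TRAINING = [
    Flow(900, "10.0.0.20", "203.0.113.10", 443, 5200),
    Flow(910, "10.0.0.20", "203.0.113.10", 443, 4100),
    Flow(920, "10.0.0.1", "203.0.113.11", 123, 76),
    Flow(930, "10.0.0.30", "10.0.0.20", 445, 12000),   # internal, ignored
]

# Constructed observation window: the router checks in with an unknown host
# every 60 seconds, a workstation behaves normally, and an uninventoried
# device appears on the network.
OBSERVED = [
    Flow(1000, "10.0.0.1", "198.51.100.7", 8443, 310),
    Flow(1060, "10.0.0.1", "198.51.100.7", 8443, 305),
    Flow(1120, "10.0.0.1", "198.51.100.7", 8443, 312),
    Flow(1180, "10.0.0.1", "198.51.100.7", 8443, 309),
    Flow(1240, "10.0.0.1", "198.51.100.7", 8443, 311),
    Flow(1005, "10.0.0.20", "203.0.113.10", 443, 4800),
    Flow(1100, "10.0.0.20", "203.0.113.10", 443, 5100),
    Flow(1300, "10.0.0.20", "203.0.113.10", 443, 4900),
    Flow(1050, "10.0.0.99", "203.0.113.10", 443, 2000),
]


def is_external(ip: str) -> bool:
    return ip_address(ip) not in INTERNAL


def build_baseline(flows):
    """Per internal source, the set of external (dst, port) pairs seen in the training window."""
    baseline = defaultdict(set)
    for f in flows:
        if is_external(f.dst):
            baseline[f.src].add((f.dst, f.dport))
    return baseline


def is_beaconing(timestamps, min_flows=4, max_jitter=0.1):
    """True when successive flow gaps are nearly constant: a fixed-interval check-in."""
    if len(timestamps) < min_flows:
        return False
    ts = sorted(timestamps)
    gaps = [b - a for a, b in zip(ts, ts[1:])]
    mean = sum(gaps) / len(gaps)
    if mean == 0:
        return False
    return max(abs(g - mean) for g in gaps) / mean < max_jitter


def detect(flows, baseline):
    """Return sorted findings as (src, reason, dst, dport, severity) tuples."""
    findings = set()
    per_pair = defaultdict(list)
    for f in flows:
        if not is_external(f.dst):
            continue
        key = (f.dst, f.dport)
        per_pair[(f.src, key)].append(f.ts)
        # Consumer-grade devices talking to unexpected hosts are the priority signal.
        severity = "high" if INVENTORY.get(f.src) == "soho-router" else "medium"
        if f.src not in INVENTORY:
            findings.add((f.src, "unknown-device", f.dst, f.dport, severity))
        elif key not in ALLOWLIST and key not in baseline.get(f.src, set()):
            findings.add((f.src, "new-external-destination", f.dst, f.dport, severity))
    for (src, (dst, dport)), ts in per_pair.items():
        if (dst, dport) not in ALLOWLIST and is_beaconing(ts):
            severity = "high" if INVENTORY.get(src) == "soho-router" else "medium"
            findings.add((src, "beaconing", dst, dport, severity))
    return sorted(findings)


def run_example():
    return detect(OBSERVED, build_baseline(TRAINING))


if __name__ == "__main__":
    for finding in run_example():
        print(finding)
```

The beacon test is deliberately simple (low jitter between a handful of connections); production detections would use longer windows and tolerate the jitter real implants add. The point the example makes is structural: without the inventory and the baseline, neither the unknown device nor the router's new destination is distinguishable from ordinary traffic.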

Source: CybersecurityNews.com
