
China cyber espionage surge driven by AI deception tactics
The latest research from CrowdStrike highlights a significant surge in China-linked cyber espionage, with a notable increase in AI-generated social engineering tactics.
CrowdStrike's 2025 Global Threat Report details the escalation of state-sponsored cyber operations by China-linked networks, which have intensified by 150% over the past year. The industries hit hardest, including financial services, media, and manufacturing, saw targeted attacks rise by up to 300%.
The report outlines the growing trend of weaponised artificial intelligence in cybercriminal activity. Adversaries around the world have adopted AI-driven deception, contributing to a sizeable 442% rise in voice phishing, or "vishing", from the first to the second half of 2024. This increase shows how sophisticated groups, such as CURLY SPIDER, CHATTY SPIDER, and PLUMP SPIDER, use these tactics to steal credentials and evade detection.
Adam Meyers, Head of Counter Adversary Operations at CrowdStrike, commented on the findings: "China's increasingly aggressive cyber espionage, combined with the rapid weaponisation of AI-powered deception, is forcing organisations to rethink their approach to security. Adversaries exploit identity gaps, leverage social engineering and move across domains undetected—rendering legacy defenses ineffective. Stopping breaches requires a unified platform powered by real-time intelligence and threat hunting, correlating identity, cloud and endpoint activity to eliminate the blind spots where adversaries hide."
Another significant aspect of the report is the trend towards malware-free attacks, which now represent 79% of initial access intrusions. Attackers are increasingly gaining access through compromised credentials, allowing them to appear as legitimate users and move through systems with hands-on keyboard methods, largely undetected.
In 2024, CrowdStrike identified seven new China-nexus adversaries contributing to the uptick in cyber espionage activities. This reflects a broader strategy to intensify efforts against critical global industries.
Report findings also indicated that breakout times (the interval between an adversary's initial access and its first lateral movement to another host) reached unprecedented speeds in 2024, with the average eCrime breakout time reduced to 48 minutes and the fastest documented occurrence a mere 51 seconds. Such speed leaves defenders with minimal opportunity to respond effectively.
Furthermore, cloud environments are increasingly at risk, as new and unattributed cloud-based intrusions rose by 26% year-on-year. Valid account abuse remains a primary initial access method, accounting for 35% of cloud incidents in the first half of 2024.
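The breakout-time and valid-account-abuse findings above translate into a concrete detection question for defenders: once an account authenticates, how quickly does it reach a second host? The following Python script is an added example, not code from CrowdStrike or the report, and it operates on constructed sample log lines in a hypothetical five-field format (timestamp, user, event type, source host, destination host). It measures each account's breakout time from first login to first session on a different host and flags those that fall inside the report's 48-minute average, which is the window a responder realistically has.

```python
from datetime import datetime, timedelta

# Constructed sample events (hypothetical format, not from the report):
# timestamp, user, event type, source host, destination host.
SAMPLE_EVENTS = """\
2024-06-01T09:00:00Z alice login_success vpn-gw ws-017
2024-06-01T09:04:30Z alice remote_session ws-017 fs-02
2024-06-01T09:20:00Z alice remote_session ws-017 db-01
2024-06-01T10:00:00Z bob login_success vpn-gw ws-022
2024-06-01T11:30:00Z bob remote_session ws-022 fs-02
2024-06-01T12:00:00Z carol login_success vpn-gw ws-031
"""

# Report's 2024 average eCrime breakout time, used as the alerting threshold.
BREAKOUT_THRESHOLD = timedelta(minutes=48)


def parse_events(text):
    """Parse whitespace-separated log lines into sorted event dicts."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, kind, src, dst = line.split()
        events.append({
            "ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
            "user": user, "kind": kind, "src": src, "dst": dst,
        })
    events.sort(key=lambda e: e["ts"])
    return events


def breakout_times(events):
    """Seconds from each user's first login to their first remote session
    reaching a host other than the one they logged into; None if the
    account never moved laterally in the sample."""
    first_login = {}
    result = {}
    for e in events:
        u = e["user"]
        if e["kind"] == "login_success" and u not in first_login:
            first_login[u] = e
            result[u] = None
        elif (e["kind"] == "remote_session" and u in first_login
              and result[u] is None and e["dst"] != first_login[u]["dst"]):
            result[u] = (e["ts"] - first_login[u]["ts"]).total_seconds()
    return result


def fast_breakouts(events, threshold=BREAKOUT_THRESHOLD):
    """Users whose breakout time is within the threshold, i.e. the cases
    where a responder has the least time to act."""
    limit = threshold.total_seconds()
    return sorted(u for u, secs in breakout_times(events).items()
                  if secs is not None and secs <= limit)


if __name__ == "__main__":
    evts = parse_events(SAMPLE_EVENTS)
    for user, secs in breakout_times(evts).items():
        print(f"{user}: breakout {secs if secs is not None else 'n/a'} s")
    print("within threshold:", fast_breakouts(evts))
```

In the constructed sample, alice reaches a second host 270 seconds after login and is flagged, bob takes 90 minutes and is not, and carol never moves laterally. Against real telemetry the same logic would sit over authentication and remote-session events from an identity provider and endpoint sensors, which is the identity-plus-endpoint correlation the report argues for.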
The vulnerability of systems due to unpatched entry points is a critical concern, as indicated by the data revealing that 52% of vulnerabilities connected to initial access were related to unpatched systems. The report emphasises the importance of securing these entry points to prevent adversaries from establishing persistent access.
This comprehensive threat analysis from CrowdStrike underlines the complex and evolving landscape of cyber threats, highlighting the need for robust, integrated security measures to address the challenges posed by increasingly sophisticated adversaries, particularly those leveraging new technologies and methods.