Cyber Intelligence
PRC — The Top Hacking Threat Globally?
This report contains selected cybersecurity information from 3–16 October 2025.
This report is TLP:CLEAR and may be shared freely.
David Swan, Director, CSCIS Cyber Intelligence Defence Centre (CIDC)
Publisher – CSCIS / David Swan, Director CIDC
Release: 29 May 2025.
Synopsis
Former head of the NSA warns that the PRC is hacking critical infrastructure.
During the last two weeks, reported PRC hacker activity included: attacks on a Serbian aviation agency; reworking legitimate monitoring tools into malware; hacking law firms; a new espionage campaign; a campaign that compromised ArcGIS (map servers); and the breach of a Russian IT service provider.
A Beijing research company has been identified as a front for PRC State Security. PRC researchers are using artificial intelligence to enhance mass surveillance capabilities.
Russian hackers also remain active: Romania published a report on Russian hybrid attacks; Russia has tripled its cyberattacks on Poland; and pro-Russian hackers marked October by increasing their operations.
Assessment:
We assess that the three major sources of cyber conflict, Russia (against Ukraine), Iran (against Israel), and the People's Republic of China (PRC), are currently the most likely origins of next-generation malware and of major cyberattacks.
These sources include state-funded hackers (military, intelligence, and civilian employees), affiliated hackers (criminal or mercenary groups), and volunteer supporters.
How Severe Is the Cyber Threat from the People’s Republic of China?
Warning from Former Head of the NSA
Speaking to CBS 60 Minutes, retired U.S. Air Force General and former head of the National Security Agency (NSA) Tim Haugh described the PRC’s penetration into American critical infrastructure.
He warned that the PRC is infiltrating as many networks as possible to position itself for coercion in the event of a major conflict.
Analyst's Comment: This is a must-watch (13½ minutes). Our tracking indicates that the PRC is targeting virtually every nation, including those it considers allies or friends. The General's warning applies globally, and especially to Western nations the PRC perceives as hostile or competitive.
Source: CBS News — “China hacking U.S. critical infrastructure,” 60 Minutes (2025)
General Haugh's remarks indicate that PRC hackers target everything: stealing intellectual property (IP), acquiring personal information, and gaining access to critical infrastructure.
The following PRC activities, newly discovered in the last two weeks, support this assessment:
PRC Hacking Campaign Targets Serbian Aviation Agency.
Multiple cybersecurity firms have traced attacks on Serbia's aviation agency to PRC state-backed actors. The malware tools used are almost exclusively associated with PRC hackers. "Further analysis uncovered similar malicious activity in Hungary, Belgium, Italy, and the Netherlands."
More ‘Fronts’ for PRC State Security Identified.
Researchers from the Insikt Group linked several PRC organizations to the Ministry of State Security (MSS). They assess that “The Beijing Institute of Electronics Technology and Application (BIETA)… and its subsidiary, Beijing Sanxin Times Technology Co., Ltd. (CIII), research, develop, import, and sell technologies that almost certainly support intelligence, counterintelligence, military, and other missions relevant to China’s national development and security.”
Activities include research in steganography (for covert communications and malware delivery), forensic investigation, counterintelligence equipment, and the acquisition of foreign technology for network penetration and military communications.
Analyst's Comment: In plain terms, these organizations develop tools to penetrate networks and telecommunications and to conceal malware.
PRC Hackers Rework Monitoring Tool into Malware.
Cybersecurity firm Huntress reports that PRC hackers first controlled a compromised web server through a web shell managed with the AntSword client, then deployed Nezha, a legitimate open-source monitoring agent, and used it to run commands and deliver the Gh0st RAT malware.
"This allowed the threat actor to control the web server using ANTSWORD before deploying Nezha, which enabled remote command execution. The intrusion likely compromised over 100 victim machines, mostly in Taiwan, Japan, South Korea, and Hong Kong."
PRC Targeting Law Firms.
Washington D.C.–based firm Williams & Connolly confirmed that state-sponsored hackers breached parts of its systems and accessed attorney email accounts.
The firm represents high-profile political figures and corporations including Barack Obama, the Clintons, Intel, Samsung, Google, Disney, and Bank of America.
The New York Times reported that Chinese hackers also targeted several other law firms. The breach was reportedly limited, with no client data confirmed stolen.
New PRC Espionage Campaign.
A series of spear-phishing campaigns across North America, Asia, and Europe has been linked to the PRC group UTA0388.
The phishing emails came from fabricated but convincing "research" organizations and targeted legitimate researchers and academics.
The associated malware, GOVERSHELL, appears to be designed for long-term cyber espionage.
PRC Using AI to Automate Surveillance.
OpenAI has banned ChatGPT accounts linked to PRC activity. These actors attempted to use AI models to plan AI-powered surveillance and phishing operations.
“One China-linked cluster used ChatGPT to draft phishing lures, then turned to DeepSeek to automate mass targeting.”
Similarly, suspected Russian accounts used ChatGPT to generate video scripts for an influence operation called Stop News, later posting AI-generated videos on YouTube and TikTok.
PRC Hacking Group ‘Flax Typhoon’ Exploits ArcGIS Servers.
ReliaQuest researchers report that Flax Typhoon modified a legitimate ArcGIS Server Object Extension (SOE) into a web shell, granting persistent and covert access.
Because the malicious SOE is a legitimate extension type rather than a known malware binary, signature-based detection did not flag it, and the group maintained access even after system restorations (a restore from a backup that already contains the malicious extension does not remove it).
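One practical check that follows from this item, written here as an added example rather than anything from ReliaQuest, Esri or the original report: keep a version-controlled allowlist of the SOEs expected on each ArcGIS service, diff the registered extensions against it, and flag REST requests that reach an /exts/ endpoint for an SOE that is not on the list. Because the check is baseline-based rather than signature-based, it catches a renamed or recompiled extension, and re-running it after every restore catches the case where a backup reintroduces the malicious SOE. The service JSON and access-log lines below are constructed for the example; the JSON field names (extensions, typeName, enabled) approximate the ArcGIS Server Administrator API and should be verified against your own server before use.

```python
"""Baseline checks for unexpected ArcGIS Server Object Extensions (SOEs).

Added example, not ReliaQuest's or Esri's code. Two independent checks:
  1. diff the SOEs registered on a service against an allowlist baseline
  2. flag REST requests to /exts/ endpoints whose SOE is not baselined
All input data is constructed; the admin-API JSON shape is an assumption.
"""
import json
import re
from urllib.parse import urlsplit

# Allowlist of SOE type names expected per service. Assumption: the GIS team
# keeps this under version control and re-checks it after every restore,
# since a backup taken after the intrusion restores the malicious SOE too.
BASELINE = {
    "Hosted/Parcels.MapServer": {"FeatureServer", "WMSServer"},
    "Utilities.MapServer": {"FeatureServer"},
}

# Constructed service description approximating what the ArcGIS Server
# Administrator API returns for one service (field names are an assumption).
SERVICE_JSON = json.dumps({
    "serviceName": "Parcels",
    "type": "MapServer",
    "extensions": [
        {"typeName": "FeatureServer", "enabled": "true"},
        {"typeName": "WMSServer", "enabled": "true"},
        {"typeName": "ReportUtilitySOE", "enabled": "true"},  # not in baseline
    ],
})

# Constructed web-access log lines (Combined Log Format) for the same server.
ACCESS_LOG = """\
198.51.100.23 - - [09/Oct/2025:14:02:11 +0000] "GET /arcgis/rest/services/Hosted/Parcels/MapServer/exts/WMSServer?f=json HTTP/1.1" 200 1832
203.0.113.7 - - [10/Oct/2025:02:14:07 +0000] "GET /arcgis/rest/services/Hosted/Parcels/MapServer/exts/ReportUtilitySOE/run?cmd=whoami&f=json HTTP/1.1" 200 512
203.0.113.7 - - [10/Oct/2025:02:14:31 +0000] "GET /arcgis/rest/services/Hosted/Parcels/MapServer/exts/ReportUtilitySOE/run?cmd=ipconfig&f=json HTTP/1.1" 200 2048
198.51.100.23 - - [10/Oct/2025:08:30:00 +0000] "GET /arcgis/rest/services/Utilities/MapServer/exts/FeatureServer/0/query?where=1%3D1&f=json HTTP/1.1" 200 9011
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)
# The folder segment is optional in ArcGIS REST URLs:
# /rest/services/[<folder>/]<service>/<type>/exts/<soe>/...
EXT_RE = re.compile(
    r'/rest/services/(?:(?P<folder>[^/]+)/)?(?P<service>[^/]+)/(?P<stype>[A-Za-z]+Server)/exts/(?P<soe>[^/?]+)'
)


def unexpected_extensions(service_key, service_json, baseline=BASELINE):
    """Enabled SOE type names registered on a service but absent from its baseline."""
    doc = json.loads(service_json)
    enabled = {
        ext["typeName"]
        for ext in doc.get("extensions", [])
        if str(ext.get("enabled", "false")).lower() == "true"
    }
    return sorted(enabled - baseline.get(service_key, set()))


def flag_ext_requests(log_text, baseline=BASELINE):
    """Requests that reach an /exts/ endpoint for an SOE not baselined on that service."""
    findings = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        path = urlsplit(m["target"]).path
        e = EXT_RE.search(path)
        if not e:
            continue
        key = f"{e['service']}.{e['stype']}"
        if e["folder"]:
            key = f"{e['folder']}/{key}"
        if e["soe"] not in baseline.get(key, set()):
            findings.append({"ip": m["ip"], "time": m["ts"], "service": key,
                             "soe": e["soe"], "status": int(m["status"])})
    return findings


if __name__ == "__main__":
    print("Unexpected SOEs:", unexpected_extensions("Hosted/Parcels.MapServer", SERVICE_JSON))
    for finding in flag_ext_requests(ACCESS_LOG):
        print("Request to unbaselined SOE:", finding)
```

Run the first check against every service returned by your server's administrator API, and the second over the web-tier access logs that front ArcGIS Server; an SOE that appears in either output but not in the allowlist should be treated as unknown code executing inside the GIS process until it is accounted for, regardless of whether anti-malware scanning of the host came back clean.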
PRC Hackers ‘Jewelbug’ Breach Russian IT Service Provider.
The attackers infiltrated build systems and code repositories, setting the stage for a potential software supply-chain compromise.
They targeted high-value assets such as source code and proprietary updates, indicating espionage-focused objectives.
Analyst’s Comment:
The scale and persistence of PRC hacking defy conventional Western logic.
For geopolitical context on the PRC, we recommend reviewing SAC Notes — part of Dispatches published periodically by the Royal United Services Institute of Nova Scotia (RUSI NS).
To subscribe: RUSINovaScotia@gmail.com
Russia
Romania Documents Russian Hybrid Attacks.
President Nicușor Dan presented a report titled “Analysis on the Hybrid War Waged by the Russian Federation Against Romania” to European leaders.
The report concludes that an extensive Russian disinformation infrastructure has operated since 2022 to create anti-system sentiment, influencing key events such as the 2024 presidential elections.
This infrastructure spans four levels: cyberattacks, covert destabilization, political subversion, and propaganda.
In 2024 alone, Romania faced 27 million cyber events, including 85,000 attacks during the elections.
Credentials of electoral staff were compromised and leaked on Telegram and hacker forums. Russian actors also attempted to take control of 10,000 surveillance cameras across five countries, including Romania.
Russia Has Scaled Up Cyberattacks on Poland.
Poland’s Minister of Digital Affairs, Krzysztof Gawkowski, stated that Russian military intelligence has tripled its resources for hostile operations against Poland in 2025.
Poland identified 170,000 cyber incidents in the first three quarters of the year, with roughly one-third attributed to Russian actors.
National systems face 2,000–4,000 incidents daily, of which 700–1,000 are serious enough to require an immediate response.
Pro-Russian Hackers Mark the Anniversary of the Ukraine Attack with New Strikes.
Radware data reveals that between 6–8 October 2025, over 50 DDoS attack claims were posted online — 14 times the daily average in September.
Most attacks lasted under 20 minutes, suggesting symbolic intent rather than sustained disruption.
Targets included government portals, financial institutions, and e-commerce platforms.
For more information on the CIDC, this Intelligence Report or to have a dedicated briefing please contact cidc@cscis.org



