Capability Gaps as Targets: Forecasting Chinese APT Targeting Under the 15th Five-Year Plan

Verticals Targeted: Semiconductors, Artificial Intelligence, Cloud, Biotechnology, Healthcare, Critical Infrastructure, Telecommunications, Aerospace, Defense
Regions Targeted: US, Taiwan, Japan, South Korea, UK, Germany, France, Israel, Singapore, Australia

Executive Summary

China’s 15th Five-Year Plan (2026–2030) will drive PRC-aligned cyber operations toward sectors tied to technological self-reliance, including semiconductors, AI, biotechnology, and critical infrastructure. Activity will increasingly target supply chains, identity systems, and research ecosystems rather than only major enterprises. Likely operations emphasize credential access, cloud and MSP compromise, and long-term persistence in R&D and infrastructure environments. Countries leading in advanced technology development, including US, Taiwan, Japan, and key EU states, will face heightened and sustained targeting pressure aligned to identified capability gaps.

Key Takeaways

• PRC cyber activity will prioritize capability gaps identified in semiconductors, AI, and biotech.
• Targeting will expand to mid-tier suppliers and research ecosystems, not just major enterprises.
• Identity providers, cloud platforms, and MSPs will remain high-value access layers.
• Countries with advanced R&D ecosystems will face disproportionate targeting pressure.

Background on the 15th Five-Year Plan

China’s 15th Five-Year Plan, adopted March 12, 2026, prioritizes technological self-reliance, digital infrastructure dominance, advanced manufacturing, and defense modernization. PRC-linked cyber operations are likely to align with these objectives by intensifying targeting of semiconductor ecosystems, AI infrastructure, biotechnology, and critical infrastructure, with a shift toward supply chain access, identity-layer compromise, and long-term persistence in R&D environments. Targeting will disproportionately focus on countries leading in these sectors, including US, Taiwan, Japan, Germany, South Korea, and select EU states.

The 15th Five-Year Plan (2026–2030) establishes China’s national development priorities across economic, technological, and security domains. Core components include:

• Technological self-reliance: Advancing domestic capabilities in semiconductors, AI, quantum computing, and advanced materials
• Digital China expansion: Increasing the digital economy’s share of GDP and strengthening national data infrastructure
• Industrial upgrading: Modernizing manufacturing through automation, smart systems, and next-generation industrial software
• Strategic emerging industries: Prioritizing biotechnology, new energy, aerospace, and advanced computing
• Green development: Advancing energy transition technologies and efficiency
• Development-security integration: Aligning economic growth with national security and resilience objectives

These priorities function as a strategic collection framework, shaping how PRC-linked cyber actors select targets, prioritize access, and sustain long-term operations.

Forecasting APT Activity Based on Current Five-Year Plan Objectives

Semiconductor Ecosystem Targeting

China’s continued dependence on foreign semiconductor tooling, materials, and advanced node manufacturing will drive sustained cyber operations against the broader chip ecosystem. Activity is expected to shift toward less-visible upstream dependencies, including materials suppliers, chip packaging firms, and EDA environments.

Likely Actors

• APT41 (Wicked Panda)
• APT10 (Stone Panda)

Historical Justification

APT10’s Cloud Hopper campaign enabled access to global technology and manufacturing ecosystems via MSPs, while APT41 has leveraged software supply chains to reach high-value engineering environments.

Key Countries at Risk

• Taiwan (advanced fabrication, packaging)
• Netherlands (lithography, semiconductor tooling)
• US (EDA, chip design, advanced R&D)
• Japan (materials, photoresists, precision components)
• South Korea (memory, advanced manufacturing)

Forecasted Activity

• Targeting of semiconductor-adjacent suppliers and niche vendors
• Intrusions into design and simulation environments
• Credential harvesting within engineering networks

AI and Data Infrastructure

AI development remains constrained by compute access and dataset scale. Cyber operations will likely target both data acquisition and compute infrastructure layers.

Likely Actors

• APT41 (Wicked Panda)
• Silk Typhoon

Historical Justification

APT41 has targeted cloud-hosted environments and software ecosystems, while Silk Typhoon has demonstrated access to identity and SaaS platforms enabling downstream data access.

Key Countries at Risk

• US (hyperscalers, AI labs, model development)
• UK (AI research and academic institutions)
• Canada (AI research clusters, academia)
• Israel (AI startups, applied AI innovation)
• France and Germany (enterprise AI and industrial applications)

Forecasted Activity

• Targeting of AI startups, hyperscaler infrastructure, and GPU providers
• Access attempts against MLOps pipelines and dataset repositories
• Credential targeting of engineers and researchers

Biotechnology and Genomics

Biotechnology remains a priority sector with reliance on global research ecosystems. Cyber activity will likely focus on clinical, genomic, and pharmaceutical data acquisition.

Likely Actors

• APT41 (Wicked Panda)
• APT40 (Kryptonite Panda)

Historical Justification

APT41 has targeted healthcare and pharmaceutical sectors, while APT40 has historically focused on universities and scientific research institutions.

Key Countries at Risk

• US (pharmaceutical innovation, biotech firms)
• UK (genomics research, biotech startups)
• Germany (biopharma and research institutions)
• Switzerland (pharmaceutical leaders)
• Singapore (biomedical research hub)

Forecasted Activity

• Intrusions into biotech firms, contract research organizations, and academic labs
• Exfiltration of clinical trial data and genomic datasets
• Targeting of research collaboration platforms

Critical Infrastructure Pre-Positioning

The integration of development and security priorities will sustain PRC interest in foreign infrastructure, with a focus on access and persistence rather than immediate disruption.

Likely Actors

• Volt Typhoon
• UNC3886

Historical Justification

Volt Typhoon has maintained stealth access across US infrastructure sectors, while UNC3886 has demonstrated deep persistence in network and virtualization environments.

Key Countries at Risk

• US (critical infrastructure breadth and global role)
• Australia (strategic positioning in Indo-Pacific)
• Japan (energy and industrial infrastructure)
• India (rapid infrastructure expansion)
• UK (critical services and connectivity hubs)

Forecasted Activity

• Continued compromise of energy, water, and transportation networks
• Exploitation of edge devices and OT systems
• Maintenance of long-term persistence mechanisms

Digital Infrastructure and Identity Systems

Control over identity systems and data flows is central to Digital China. Cyber operations will focus on authentication layers and enterprise control planes.

Likely Actors

• Salt Typhoon
• Silk Typhoon

Historical Justification

Salt Typhoon has targeted telecommunications providers to access communications data, while Silk Typhoon has compromised identity systems to enable downstream access across enterprise environments.

Key Countries at Risk

• US (cloud providers, identity platforms)
• UK (telecom and enterprise SaaS)
• Germany (enterprise infrastructure and industrial IT)
• South Korea (telecom and mobile infrastructure)
• UAE (regional data and telecom hub)

Forecasted Activity

• Targeting of telecom providers, IAM platforms, and SaaS ecosystems
• Pivoting through MSPs and enterprise service providers
• Emphasis on identity-layer persistence

Defense Industrial Base and Space Systems

Military-civil fusion will continue to drive targeting of defense and aerospace ecosystems, with emphasis on integration and supply chain access.

Likely Actors

• APT31 (Judgment Panda)
• APT27 (Emissary Panda)

Historical Justification

APT31 has targeted government and policy entities tied to defense strategy, while APT27 has conducted espionage against defense contractors and exploited exposed systems.

Key Countries at Risk

• US (defense innovation and space systems)
• France (aerospace and defense manufacturing)
• UK (defense R&D and intelligence integration)
• Israel (defense technology and cyber capabilities)
• Japan (defense modernization and aerospace)

Forecasted Activity

• Reconnaissance of contractor portals and supply chains
• Targeting of satellite communications and aerospace systems
• Access to logistics and operational planning data

Threat Actor Profiles

Below are profiles of APT groups assessed as most likely to engage in targeting aligned with intelligence collection priorities outlined in the current Five-Year Plan:

APT41

APT41, also known as Wicked Panda, Barium, and Winnti, is a China-linked cyber espionage group active since at least 2012. The group conducts both state-sponsored espionage and financially motivated operations, frequently leveraging supply chain compromises, software backdoors, and credential harvesting to access enterprise environments. APT41 exploits vulnerabilities in public-facing applications and deploys malware such as Winnti and ShadowPad to maintain persistence. The group targets healthcare, telecommunications, gaming, software, and manufacturing sectors across the US, Europe, and Asia. US authorities have linked APT41 to individuals associated with the Ministry of State Security, indicating alignment with Chinese state intelligence objectives.

APT10

APT10, also known as Stone Panda and MenuPass, is a China-linked cyber espionage group active since at least 2009. The group is known for large-scale campaigns targeting managed service providers to gain downstream access to client networks, most notably during the Cloud Hopper campaign. APT10 uses spearphishing, credential harvesting, and malware such as PlugX to establish persistence and exfiltrate sensitive data. Targets include technology, manufacturing, and government sectors across the US, Europe, and Japan. The group has been attributed by multiple governments to the Ministry of State Security.

APT40

APT40, also known as Kryptonite Panda and Leviathan, is a China-linked cyber espionage group active since at least 2013. The group focuses on maritime industries and scientific research, using spearphishing, web shells, and exploitation of vulnerable web applications to gain access. APT40 targets universities, research institutions, and maritime organizations across the US, Southeast Asia, and Europe. Operations are often aimed at acquiring intellectual property and research data. The group has been linked to the Ministry of State Security, including regional MSS elements.

APT31

APT31, also known as Judgment Panda and Zirconium, is a China-linked cyber espionage group active since at least 2010. The group conducts espionage operations against government and defense-related entities, using spearphishing, zero-day exploitation, and malware deployment. APT31 has targeted government agencies, defense contractors, and policy organizations across the US and Europe. The group has been associated with the Ministry of State Security and supports political and strategic intelligence collection.

APT27

APT27, also known as Emissary Panda and LuckyMouse, is a China-linked cyber espionage group active since at least 2010. The group uses web shells, credential theft, and exploitation of internet-facing applications to gain and maintain access to target environments. APT27 targets aerospace, defense, and government sectors across the US, Middle East, and Asia. The group has been linked to the Ministry of State Security.

Silk Typhoon

Silk Typhoon, also known as Hafnium, is a China-linked cyber espionage group active since at least 2020. The group is known for exploiting vulnerabilities in enterprise and cloud environments, including Microsoft Exchange servers, to access email systems and sensitive communications. Silk Typhoon uses web shells, credential harvesting, and identity-based access techniques to move laterally within networks. Targets include government entities, think tanks, and organizations across the US and Europe. The group has been linked to activity associated with the Ministry of State Security.

Salt Typhoon

Salt Typhoon, also known as RedDev, is a China-linked cyber espionage group active since at least the early 2020s. The group focuses on telecommunications and network infrastructure, targeting telecom providers to access communications data and metadata. Salt Typhoon uses credential theft, network device exploitation, and persistence within core infrastructure environments. Activity has been observed against telecommunications sectors in the US and allied countries. The group is assessed to operate in alignment with Chinese intelligence objectives associated with the Ministry of State Security.

Volt Typhoon

Volt Typhoon is a China-linked cyber espionage group active since at least 2021. The group specializes in maintaining persistent access within critical infrastructure environments using living-off-the-land techniques, credential abuse, and minimal malware to evade detection. Volt Typhoon targets sectors including energy, water, transportation, and communications, primarily in the US. Operations emphasize long-term access and persistence rather than immediate disruption. The group has been linked by US government agencies to Chinese state-sponsored activity aligned with the Ministry of State Security.

UNC3886

UNC3886 is a China-linked cyber espionage group active since at least 2022. The group specializes in targeting network infrastructure and virtualization environments, exploiting vulnerabilities in network devices and hypervisors to gain access. UNC3886 deploys custom malware and uses credential manipulation to maintain persistence, including techniques that enable firmware-level access. The group targets defense, telecommunications, and technology sectors globally. Activity has been assessed as consistent with Chinese state-sponsored operations aligned with strategic intelligence objectives.

Analyst Commentary

The adoption of the 15th Five-Year Plan reinforces a consistent pattern in PRC cyber operations: targeting aligns with strategic capability gaps rather than opportunistic access. Over the next 12–24 months, activity is likely to shift further toward:

• Innovation ecosystems over traditional enterprises, including startups, academic institutions, and joint research environments
• Access layers over endpoints, particularly identity providers, cloud platforms, and MSP infrastructure
• Long-term positioning over immediate exploitation, enabling optionality in both economic and geopolitical contexts

Additionally, targeting will increasingly reflect geographic specialization, with PRC actors focusing on countries that dominate specific technological or industrial domains. China’s cyber operations should be understood as a globally distributed collection strategy, optimized to extract capabilities from leading nations across each priority sector.

IOCs

PolySwarm has multiple samples associated with the threat actors profiled above. Below is a selection of hashes of recent samples:

APT41

d5badcdad0f3eb4ca88ab61353f2e1f89e87f3377a9da0b759ba3e0b651bd0b9

f801813c074568915cde62f383441f39f231409db007a97104795977dc1d4baa

e5e475db5076e112f69b61ccb36aaedfbb7cac54a03a4a2b3c6a4a9317af2196

bbd1b8c874b82c8d36288377afa25bb8f05680a8872cf1a3178e4869b2843cda

4fa53cbde78cfda816c2ab1ba473e9dec414c70134aac9df9dba1dd61916266d

619c185406e6272ba8ac70ad4c6ff2174e5470011c5737c6c2198cd69d86ec95

18ccb12e8fa5bf1c6e4afb975b082871f5b68b8a922110c5803fc1350ec097df

6b404b64437388afb764e749134c483c3ef0a207dffd87fe723c2d84e22249a7

99484b9c488c351f59792370d9bd832f1f1cc490d2619cf628f00ebd50ce4267

ab5a169e8c75586fe8a44ec8f15de566ff7e1a36e53673b7567cc28352714086

APT10

f42dde3dfea7105ee6dfb7155a70687e61a3dd7a7bee3f20b47e73872bbfd1ea

9930770fff456c99f6878b74d94127beba33fc6d268ff0487c05a9b6b3fdd588

79d2d31df3f5feb0873508107f88db998ddd06f3ed34c973dd4abaa7c793fb19

9c757ed7d5feab613281d46d5abcd24660ecaa25a7ef69a5f03d6853ce77b781

fe86523d354bc5c4c12b78a6954b964a70970ae2eee90cf349e1037cd15880dd

5e40a65f66f8cdfcb60262ac64e1a5d5103d5633676b3da0bc5ec7bd348bbeaa

03c550a35e489efed44192595982cf6cba9c078cf56c142bb7126884124f4085

d809e82380bcf40de331b54ead81e9c323e1e81bbb518f0be36851c004115732

daa48c0a66af686c2c00896d6b3c9a93f76f52c889204b4e2d9a87aa82cb0b3f

68edd7440d3f965f1ed8a4fec5825ca992f921101d4313d22b48a32dceacd210

APT40

2681af2e5388e30abd3eabb2a92cd124f7992e099d11af049b39841a64c3f710

3a959f5c199ed7be9c7d83fa8bb66a62eb281e52e542ed28efeb1c1a488bc925

986b4e58f01875326daad9ab1630537f025774f89e45fb16469b82e63d3d0bb8

73db82376554d6f5e76b755a0ac4883bd01eceaeba966a963c42a53ee4caf4e3

b0df0ea0e6d0ec780155b5f369d0500bee923deb3293b2fe74ea7637e5f9b416

d5bde2a0c304bde679d4f49d6495af54560984d0eeef24c9f5fe7a15a24b6415

d551e20aaf6d49152515e7b3d2fc61d3727a1c3ecbdd281f774c3ac6def3b45f

74a42b67f002b7be803229b42bdc57fdfcd78530216904b2223cb0747b7e146b

37e4d15e86dc139e8f67a42efb95ec3011e37c0f8bfd7a32460957ebcd0efa57

bebf7b42a8e1286c0d7e3299fedafcdd44e2b7cb1ff4cd3334d0739084c5ab89

APT31

e6bed7c5263e152880d78ae8e438715a4903d3cdca0aa774d751417187f4ee55

12aa6c9e6b4971c465c0239aa307e7929f16f62bb1f08a1e8754ec6cbefb5bf6

785ef2af2e251a48f72223179f28e2794dbd7fefb7a0004a95580e0d3c828159

af898b855a4d8444ca2de9b9878ea25502b8986edaaacc7531f9fbfca04f594d

3775062f22fb0c3a9df310215bb4a3d0c6ad3fcb63f93e493930f0f6dd9804c4

ea69735398f67c11c41f5d852e085d46cda1555b0c051cfa9d14d7afddc11a90

a473680ead4089792af6a7f2bac41e9a0a85ff417941433d832b601aac279dcd

71ca0f0055909ba0428f10e7d64944023287b72b00f19c2b3e453a9e05a84a17

e3bb26904c72972df4ef1624490b2273bf1718cbf8c4e3a9aaa89ba20082dce2

0229c1a8bdb76d9e28ec953d69b8604ebfed25358c108cedb9941c18f96028cf

APT27

14bfa1a4eec7d6cde85fb10a1125110f3a0940d323c6a671c900a96dd17c945b

5f4c6feb2668caff0c8302fb31e49a1679bbe48b4e03572960b9e48d792e6cbe

af30a671ec2dda1660f9920ab4466f87fecd82100109efb19cbf570b4e31c643

324cba5877cb40e8348c6608090848f3525892c4daa36de66aac2bb8ca60e94c

c7a106ee3ef8903fdb88e146aa8f7205467ebd246bfa859cb4df87ff197659dd

ffec661644eef1468314e81020fa00d6eaede1494d0b142918b4b6b6f8028aad

6d300ba289bb54f090ac3f9c101b4726684b8ee47b9e71a331f091ec6130bdfd

bbddc939988d62991c9a2a9dda925a63c6fb71deb438ec127a9fb36fb6e3bedb

aa631181335ca37a49ff03a69a0aef3970d38526fb094d8e864718cdc310a410

7dc71f1b150b2b117f65132f7899ff4f80f474ac0c8b946f29a993d8a2fc2e39

Silk Typhoon

cb2ad24fd38ffc675ddf0124f7222aa35ecafb5118bc48ef17e40fd1bd5562b8

26fc07b9b271f4d49c13ecbefdddb111699a99c0449a4bd0b61763c6bbaa1b38

0531c644eb59c45ec6a8e96e082acbe0f3471dc5ee48e03b2e4fa6e75aad9399

4e7ee95459426c2528c3575a58453f1380717a3fba235a8c12939f855cd4a802

d20121e77b2856c659f59ead4a15a040bf4b16c122de85729d45c0cc03303af5

fee74923e5a070af87a7656d5e2990b96ff5fcfac1205d92db43b0b432da265b

d1280566b5b9ab2df7c3cffe577f4400845ed78276b5b6a57f6eb58f4664251b

65f5de8f068536d4e875f1788953efe7a1d257fc63c224ed7a87d9b356fe418f

687325dfaeb1465ade9e995f0d8fc8766223f252322b87607366d9e2b8c67210

a88b66163dd571014aaa756c4ff5be43dbf2fbd4af6ee2fffbcfdc2156f4b638

Salt Typhoon

2218a4eab8c2742b3f88a4bc6eccdd2f588bf0aadeb877ba7dc4b5d3858d0cc9

265aec7eae36fb2ae7198433bd1bd443926f83e3be6fe876a869cddabbea30dd

63398cd3875f8d508be1564f6e1b1a349e2359c588c0be7c09b5b3b265a0d322

21069ed85dd33e220c49abc8a248e3e582d659852b9bceed43fe489c07410279

ac53b2c692ee3ca5ef1ef8dea7961498f483c553ed1084443e007bb13a51adab

ac0b09173d7d391656d89f1236ec3d63cf6c2313d293c07bdddd8d790c899d51

67ffe0274cd9a227944e809dcafb0f9ecda9d62b69d3b55d2152ce5ad522bf1e

b4357efe15294a6804c88fa918ae8584a1ddedd35c1b08816cf619e6cd7d9f2c

c3b728ac8f17dddac4cfb5a58ab43d519c097d56b1f6cb190659349f7df27fab

ea0ec8c3ae0cc8494028e8166d932fd0f06700ef3c0788e4bd73b3c626a96491

Volt Typhoon

8919034ae60e81654cfe314eaffe7cde309067c8f338b8a46e0df908ae20ddf0

9282d88ad34baac17d0e84a23d68fcfc232e3e0386a9cd0682b29f3c40b7158f

15dd0b89b55c2f75da86c3d8c6bcb09eaf4ecf34efee2e56c23f1016cba3f424

cbad7dd7dfeb40e39ce6c7d469a76e09d48b3fe761a1a9524a91d2166a547988

618f956858949cfb46bcd72876dd1edebd638d5be874133e98e665db8d56a162

6036390a2c81301a23c9452288e39cb34e577483d121711b6ba6230b29a3c9ff

3e9fc13fab3f8d8120bd01604ee50ff65a40121955a4150a6d2c007d34807642

8fa3e8fdbaa6ab5a9c44720de4514f19182adc0c9c6001c19cf159b79c0ae9c2

e453e6efc5a002709057d8648dbe9998a49b9a12291dee390bb61c98a58b6e95

88fc3816c94f9b0191179f4e933843ee4cfdbcb392968605491a387b1235ec12

UNC3886

fd5d24abd0037cb830261b6ed4d8cd0e61ff35990938fae222b8aa403ecd6f72

c7b719a29a2f640387a9e39864b577e0df7bba02d12879a233bdd1ce8098260d

c2f8ca1961eaf119399d3ab98e51f33fe6b7309152b959ee64fcc41192202fa6

5924fa8bcb93c134be1c73baf38537dba6aba646927a6c521a9558cce7747e7b

e77c6cc4b92d09d6fbcfec9585f693f8376c6640b58072c711966d40ccb9c49e

06277af09be9dbf86ab4599a38babc5007d4ac8adaff6b88584c2c58e6f73138

a004aa39d6c1ffc1b5e8a4dd716800dd8a41639b478d5d00f64954201e5e1321

445682c998ee8c3ef4831f390184fffb89abef4f0621d65db12e54ba5da09be8

2b04c62b0a26f76b578545ccb2f023ec30a212835c9a219898a3c516d64e89ed

c985e32cf84c70b1b47b6b7f0752d6868e7f643df89e7bdd3269e12fda8fed09

Don’t have a PolySwarm account? Go here to sign up for a free Community plan or subscribe.

Contact us at hivemind@polyswarm.io | Check out our blog | Subscribe to our reports.