We should stop pretending China’s cyber operations are occasional nuisance hacks. They are patient, coordinated intelligence collection efforts that systematically build access, map networks, and harvest credentials long before a single headline. The patterns visible up to early September 2023 point to the types of precursor activity that presage large, strategic campaigns against U.S. agencies and communications infrastructure.

First, the supply chain and managed service provider vector. In campaign after campaign, China-linked groups have targeted third parties that hold broad access to many victims. The Cloud Hopper/APT10 operations exposed in 2017 are the textbook example. Compromise of MSPs and cloud vendors gives an attacker lateral reach into dozens or hundreds of organizations without having to breach each one individually. Any program that later seeks telecom-scale visibility or systemic espionage will look to the same supply-chain and MSP shortcuts.

Second, exploitation of ubiquitous, trusted software and network appliances. The 2021 Exchange Server intrusions attributed to a China-based actor show how quickly adversaries can weaponize unpatched enterprise services to take and maintain access to email and identity material. When nation-state actors can turn a widely deployed service into a global foothold, the result is a rapidly scalable espionage capability. That is the kind of technical lever an actor will exploit before attempting deeper or broader collection operations.

Third, reconnaissance and credential harvesting from the network edge. Recent incident reporting in 2023 documented techniques in which operators pivot through small office and home office routers and use credentials harvested from legitimate network appliances to sign in as valid users. Using living-off-the-land commands, credential dumps, and proxying through compromised edge devices lets an operator blend in and persist while mapping downstream targets. Those behaviors, subtle on their own, are clear early warning signs of a campaign aiming to capture communications metadata and cross-system access.

Fourth, targeting of personnel and long-tail data stores that yield intelligence value. The Office of Personnel Management compromise from 2015 remains a reminder that biometric and clearance-related datasets are prime targets because they provide deep counterintelligence payoff. Stealing credentials, background investigations, or contact networks lets an adversary identify insiders, leverage social engineering, and shape long-term HUMINT and technical collection operations. Such breaches are a strategic precursor to operations that seek political or operational insights inside government.

Fifth, dual-use campaigns that prioritize stealth and future disruption. By mid-2023 we had public reporting of China-linked actors focused on critical infrastructure and communications, conducting hands-on-keyboard discovery and credential theft with an eye toward maintaining undetected access. That posture is not just for immediate data theft. It is deliberate groundwork to enable future options, including large-scale collection, influence, or even disruption when geopolitics demand. These slow-burn campaigns reveal intent through technique: minimal noisy tooling, prioritized credential and configuration theft, and careful lateral mapping.

What to watch for now. If you are defending an agency or a telecom operator, the practical precursors to prioritize are: evidence of MSP or vendor compromise, unusual administrative sign-ins originating from residential or SOHO IPs, discovery commands executed under legitimate service accounts, exfiltration staged via password-protected archives, and indicators that core routing or network management devices have been used to proxy traffic. Each on its own may look mundane. Together they form the footprint of a campaign building systemic visibility.
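The correlation idea in the paragraph above, as an added illustration that is not part of the original article: each precursor is weak on its own, so the code classifies individual events against the listed indicators and only surfaces hosts where two or more distinct indicators coincide. The event format, the IP ranges treated as SOHO and router-management space, and the sample events are all constructed assumptions for the demo.

```python
import ipaddress
import re
from collections import defaultdict

# Constructed sample data, not from any real incident or vendor feed.
RESIDENTIAL_NETS = [ipaddress.ip_network("203.0.113.0/24")]   # treated as SOHO/residential space
ROUTER_MGMT_NETS = [ipaddress.ip_network("192.0.2.0/28")]      # treated as core routing devices
DISCOVERY_RE = re.compile(r"^(net (group|user)|nltest|ipconfig /all|netstat|ldifde|dsquery)\b", re.I)
ARCHIVE_RE = re.compile(r"\b(rar a .*-hp|7z a .*-p\S+)", re.I)   # password-protected archive creation

def _in(ip, nets):
    addr = ipaddress.ip_address(ip)
    return any(addr in n for n in nets)

def classify(ev):
    """Map one event to the precursor indicator it matches, or None if it matches nothing."""
    if ev["kind"] == "signin" and ev.get("admin") and _in(ev["src_ip"], RESIDENTIAL_NETS):
        return "admin_signin_from_soho"
    if ev["kind"] == "process":
        if ev["account"].startswith("svc_") and DISCOVERY_RE.search(ev["cmd"]):
            return "discovery_under_service_account"
        if ARCHIVE_RE.search(ev["cmd"]):
            return "password_protected_archive"
    if ev["kind"] == "netflow" and _in(ev["src_ip"], ROUTER_MGMT_NETS) and ev["dst_port"] not in (22, 443, 161):
        return "router_used_as_proxy"   # management device sourcing non-management traffic
    return None

def correlate(events, threshold=2):
    """Collect distinct indicators per host; hosts at or above the threshold form the campaign footprint."""
    hits = defaultdict(set)
    for ev in events:
        indicator = classify(ev)
        if indicator:
            hits[ev["host"]].add(indicator)
    return {host: sorted(inds) for host, inds in hits.items() if len(inds) >= threshold}

SAMPLE_EVENTS = [  # constructed log records
    {"kind": "signin", "host": "dc01", "account": "adm_jdoe", "admin": True, "src_ip": "203.0.113.45"},
    {"kind": "process", "host": "dc01", "account": "svc_backup", "cmd": 'net group "Domain Admins" /domain'},
    {"kind": "process", "host": "fs02", "account": "svc_backup", "cmd": "nltest /dclist:corp"},
    {"kind": "process", "host": "fs02", "account": "jsmith", "cmd": "rar a -hpS3cret out.rar C:\\share\\docs"},
    {"kind": "netflow", "host": "fs02", "src_ip": "192.0.2.5", "dst_port": 445},
    {"kind": "signin", "host": "web01", "account": "jsmith", "admin": False, "src_ip": "203.0.113.9"},
    {"kind": "process", "host": "web01", "account": "jsmith", "cmd": "ipconfig /all"},
]

if __name__ == "__main__":
    for host, indicators in correlate(SAMPLE_EVENTS).items():
        print(host, indicators)
```

web01 shows a lone discovery command under a normal user and a non-admin residential sign-in, so it stays below the threshold; dc01 and fs02 are flagged because their indicators stack.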

Hard decisions that follow. Agencies must assume compromise at trusted third parties. That means enforcing least privilege, requiring multifactor authentication everywhere, rotating and revoking credentials tied to network appliances after any anomalous event, and segmenting management planes from production traffic. Telecom and infrastructure operators must reduce exposed management interfaces on edge devices and treat SOHO-proxied traffic as suspicious when it touches critical systems. Rapid, coordinated disclosure and response across government and industry remain the only practical path to blunt these patient adversaries.

Bottom line. China-linked cyber actors have demonstrated a playbook that favors broad, low-noise access over dramatic single-point knockouts. The precursor signs are not exotic. They are the same security failings and behavioral patterns defenders can hunt for today. Ignore them and you hand the adversary the farm long before anyone realizes what was taken.