Over the past week, security experts at Check Point Research (CPR) have observed a drastic increase in cyber attacks on NATO countries originating from Chinese IP addresses.
The number of attacks on German companies and institutions has increased by 134 percent since Russia invaded Ukraine. It is unclear whether the attackers are actually based in China or are merely directing the attacks via servers there.
The frequency of attacks “from China” before and after the start of the war in Ukraine was compared. On a weekly average, the number of attacks per organization was 72 percent higher than before the conflict. Without evidence, no definitive attribution of the attacks to state or private institutions in China can be made. CPR reports only the confirmed facts: hackers are clearly using Chinese IP addresses for worldwide cyber attacks, which particularly affect NATO countries. It is unclear exactly where the perpetrators are located and to what extent the attacks actually come directly from China.
It is striking, however, that NATO countries are targeted much more often than other countries. Currently, the number of attacks on members of the defense alliance is 86 percent higher than in the first three weeks of the conflict. Data on the individual member states were also collected. Over the last week, Denmark recorded the highest increase, at 281 percent compared to the time before the start of the war, followed by the Czech Republic with 226 percent.
Germany has the third largest increase, with 134 percent more cyber attacks measured against the same baseline. The situation in the USA is surprising: here, the CPR researchers observed a 76 percent drop in attacks. In general, the data show a trend: states that were targeted by hackers more often in the first three weeks tended to record an increase in attempted attacks subsequently.
Various conclusions can be drawn from this development. The data could suggest, for example, that cyber attacks from China may be particularly cheap or easy to disguise. It is also possible, however, that China is currently simply a major hub of global data traffic. CPR will continue to monitor this trend in the following weeks, reporting only what can be seen in the data.