Hafnium / PRC-Linked Groups
China — Ministry of State Security (MSS) and affiliated entities
Mission Type
Strategic espionage, intellectual property theft, critical infrastructure pre-positioning for contingency operations
Primary Sectors
Operational Period
2009 – present
Attributed Cases
4
TTP Pattern Summary
PRC-linked groups demonstrate proficiency in zero-day exploitation of public-facing applications, mass exploitation campaigns, and living-off-the-land techniques for persistent access. Volt Typhoon's use of legitimate system tools to avoid detection in critical infrastructure networks represents the most advanced form of this approach. Groups routinely target cloud identity infrastructure and authentication mechanisms.
Behavioural Signature
PRC-linked operations span a wide spectrum from targeted espionage (Storm-0558) to indiscriminate mass exploitation (Hafnium Exchange campaign) to strategic pre-positioning (Volt Typhoon). The willingness to shift from targeted to mass exploitation — and the Volt Typhoon pre-positioning pattern — distinguishes PRC operations from the more restrained SVR approach. Target selection reflects both traditional intelligence priorities and preparation for potential military contingencies.
Governance Footprint
PRC-linked groups have been subject to the broadest multilateral attribution coalition to date (July 2021, including NATO's first attribution to China). Hafnium prompted the broadest international attribution coordination. Volt Typhoon generated the most significant Five Eyes joint advisory. PRC operations have driven major US legislative and regulatory responses, including EO 14028 and proposed critical infrastructure legislation.