
Five Big Takeaways From CrowdStrike’s 2025 Threat Report

CRN by CRN
February 27, 2025


Cyberattacks attributed to China’s government are soaring while threats powered by GenAI and manually executed hacking are growing rapidly as well, according to the cybersecurity giant.

Cyberattacks attributed to China’s government are soaring while threats powered by GenAI and manually executed hacking are growing rapidly as well, according to findings from cybersecurity giant CrowdStrike released Thursday.

While CrowdStrike’s 2025 Global Threat Report provided new insights into a range of threats and malicious actors, the report pinpointed China as the major threat actor to be watching for in the immediate term.


“China is, I think, the story that everybody needs to be focused on right now,” said Adam Meyers, head of counter adversary operations at CrowdStrike, during a recent call with media on the report.

What follows are five of the biggest takeaways from CrowdStrike’s 2025 Global Threat Report.

Focus On China

CrowdStrike observed a major surge in attacks connected to the Chinese government in 2024, with intrusions by China-nexus adversaries up 150 percent from the year before, according to the report.

Targeted sectors included financial services, media and manufacturing, as well as industrials and engineering — all of which saw between a 200-percent and 300-percent spike in intrusions in 2024, CrowdStrike reported.

The “scariest” aspect of the situation, Meyers told reporters during the recent call, is that “after decades of investment into China’s offensive capabilities, they’re now on par with other world powers.”

“China has really gone from the smash-and-grab kind of chaos of the early 2010 timeframe to now [where] they are really a fully functioning, offensive cyber capability,” he said. And ultimately, “they’re driven by political ambitions.”

In addition to threats from the theft of intellectual property, certain China-linked groups also pose a threat to critical infrastructure, Meyers said, pointing to threat actors such as the group tracked as Volt Typhoon / Vanguard Panda.

Vanguard Panda has been “targeting critical infrastructure of logistical networks related to maritime operations, related to air transportation and intercontinental travel,” Meyers said — which is a particular concern amid the ongoing potential for a conflict with China over Taiwan.

GenAI-Driven Threats Increase

CrowdStrike’s findings related to GenAI-powered attacks included a surge in voice phishing in 2024, with such attacks jumping 442 percent during the second half of the year compared to the first half.

The report also highlighted 2024 academic research showing that emails generated using Large Language Models saw a 54-percent click-through rate, versus just 12 percent for a human-composed email.

Meanwhile, Iran-based threat groups have been particularly aggressive in utilizing GenAI, including for vulnerability research and development of exploits, according to CrowdStrike.

At this point, there’s no doubt that GenAI “really lowers the barrier for entry to conducting effective cyberattacks,” Meyers said.

Rise Of Hands-On-Keyboard Attacks

Even with the increased usage of AI, however, manually executed cyberattacks are also growing in popularity, according to CrowdStrike.

Such hacking activity, referred to as “hands-on-keyboard,” does not use malware and thus is far harder to detect. “If you stay just [with] hands-on-keyboard, you look like a user,” Meyers said.

In 2024, 79 percent of detections tracked by CrowdStrike did not include malware, suggesting that attackers were carrying out the attacks manually, according to the vendor’s report.

Access Brokers, Identity-Based Attacks Expand

The threat actors that provide initial access to an environment — known as access brokers — have also been far more active of late, according to the CrowdStrike findings.

Access broker advertisements touting available access to compromised environments were up 50 percent in 2024 from a year earlier, the vendor reported, a major factor in the intensifying threat environment.

Increased activity from access brokers is undoubtedly a “major driver” behind the continued expansion of identity-based attacks, CrowdStrike said in the report.

Cloud Threats Climbing

While attacks targeting the cloud have been expanding for a number of years now, 2024 saw some particularly troubling signs in this area, according to the CrowdStrike report.

For instance, cloud intrusions considered to be new and unattributed grew 26 percent during the year over 2024 — “indicating more threat actors seek to exploit cloud services,” the company said in the report.

Key “cloud-conscious” tactics employed by threat actors included gaining initial access through valid accounts, achieving lateral movement using tools for managing cloud environments and maintaining persistence using “alternate” authentication mechanisms, the company said in the report.


