Overview
When most people think about state-sponsored cyber operations, they imagine government hackers working directly for intelligence agencies. In reality, modern cyber espionage has become far more complex.
Recent research highlights how China’s cyber operations increasingly rely on a network of private companies, contractors, malware developers, botnet operators, and data brokers that collectively support state objectives.
Rather than a single organisation conducting an entire campaign, multiple entities contribute specialised capabilities, creating a layered ecosystem that supplies tools, infrastructure, stolen data, and operational support to government customers.
Campaigns linked to groups such as Salt Typhoon, Flax Typhoon, Volt Typhoon, APT41, and APT27 demonstrate how cyber operations have evolved into a commercial marketplace where access, malware, and intelligence can be developed, sold, and reused across multiple operations.
For defenders, this shift presents a new challenge. Organisations are no longer facing isolated threat actors but interconnected ecosystems capable of operating at scale.

Understanding “Composite Responsibility”
Researchers at BindingHook introduced the concept of Composite Responsibility to better explain how modern cyber operations function.
Traditionally, security teams attributed an intrusion to a single Advanced Persistent Threat (APT) group. However, this approach does not accurately reflect today’s threat landscape.
A modern operation may involve:
- Malware developers
- Infrastructure providers
- Botnet operators
- Data brokers
- Intrusion specialists
- Government intelligence consumers
Each participant contributes a specific capability while sharing varying levels of responsibility for the overall campaign.
This model helps explain why attribution has become increasingly difficult and why multiple organisations may be involved in a single operation.
The Contractor Model Behind Modern Cyber Operations
Leaked internal documents from Chinese contractor I-Soon provided one of the clearest examples of how this ecosystem operates.
According to publicly reported findings, I-Soon employees conducted intrusion activities, managed operations, and supplied intelligence to government customers.
The leaked information suggested that campaigns targeted multiple governments and organisations while operating through a contractor-based structure rather than a purely government-controlled model.
This highlights a growing trend where private-sector entities provide offensive cyber capabilities as a service.
Malware as a Commercial Product
One of the more concerning developments is the commercialisation of offensive cyber tools.
The ShadowPad malware framework is a notable example.
Instead of being developed for a single campaign, ShadowPad was reportedly sold or shared across multiple threat groups and organisations.
This model creates several challenges:
Reusability
The same malware can appear in multiple campaigns, making attribution more difficult.
Scalability
Threat actors can rapidly expand operations without building tools from scratch.
Reduced Development Costs
Groups can focus on intrusion activities while purchasing ready-made capabilities.
Much like legitimate software vendors, cyber contractors can specialise in developing tools while others focus on operational deployment.
Botnets as Strategic Infrastructure
The disruption of the Raptor Train botnet provided another example of how private organisations contribute to state-linked cyber operations.
Investigators attributed the botnet to a Chengdu-based company known as Integrity Technology Group.
According to public reporting, the organisation was linked to the development and operation of infrastructure used to support wider cyber activities.
Botnets provide several advantages:
- Distributed reconnaissance
- Proxy infrastructure
- Traffic obfuscation
- Persistence
- Large-scale scanning
Rather than directly exposing government infrastructure, botnets provide an additional layer between operators and targets.
The Growing Role of Data Brokers
Perhaps the most interesting aspect of this ecosystem is the emergence of cyber data brokers.
Individuals linked to groups such as APT27 reportedly conducted intrusions and subsequently sold stolen information to multiple customers.
In some cases, the original attackers were not the final consumers of the stolen data.
Instead, information moved through multiple intermediaries before reaching government or commercial buyers.
This mirrors legitimate commercial supply chains where products pass through distributors before reaching customers.
The difference is that the product being sold is stolen information.
Why This Matters to Security Teams
Many organisations continue to focus on individual malware families or threat groups.
However, understanding the broader ecosystem is becoming increasingly important.
Modern attacks often combine:
- Botnet infrastructure
- Commercial malware
- Purchased credentials
- Stolen datasets
- Third-party access brokers
Defenders should assume that threat actors can acquire capabilities rather than develop them internally.
This significantly lowers the barrier to entry while increasing operational sophistication.
Defensive Recommendations
Organisations concerned about state-sponsored or advanced cyber threats should consider the following measures:
Implement Multi-Factor Authentication
Strong MFA remains one of the most effective controls against credential-based attacks.
Adopt Zero Trust Principles
Trust should never be assumed based solely on network location or device ownership.
Monitor Network Traffic
Establish baseline network behaviour and investigate unusual outbound communications.
Segment Critical Systems
Network segmentation limits attacker movement following a successful compromise.
Identify Vulnerable Edge Devices
Routers, firewalls, VPN appliances, and internet-facing systems should receive regular security assessments.
Deploy Host-Based Detection
Endpoint Detection and Response (EDR) and Host Intrusion Detection Systems (HIDS) provide additional visibility into malicious activity.
Leverage Threat Intelligence
Real-time intelligence feeds can help identify malicious infrastructure before attackers establish persistence.
Hunt for Botnet Activity
Consumer-grade networking devices and unmanaged infrastructure often become part of larger botnet ecosystems; inventory them and review their outbound traffic rather than assuming they are benign.
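As an added example (not code from the article), the following Python script implements the "Monitor Network Traffic" and "Hunt for Botnet Activity" recommendations above: it learns a baseline of outbound (source, destination, port) triples from constructed flow records, then flags outbound triples not in that baseline and marks those recurring at near-constant intervals, the regular check-in pattern a compromised node or proxy relay tends to produce. The flow format, internal address ranges and thresholds are assumptions.

```python
from collections import defaultdict
from datetime import datetime
from ipaddress import ip_address, ip_network
from statistics import pstdev

INTERNAL_NETS = [ip_network("10.0.0.0/8"), ip_network("172.16.0.0/12"),
                 ip_network("192.168.0.0/16")]  # assumed internal ranges

# Constructed sample flows, not real traffic: "timestamp src dst dport".
BASELINE_FLOWS = """\
2024-05-01T09:00:00 10.0.0.5 198.51.100.10 443
2024-05-01T09:07:00 10.0.0.7 198.51.100.22 443
"""
NEW_FLOWS = """\
2024-05-02T09:00:00 10.0.0.5 198.51.100.10 443
2024-05-02T09:00:00 10.0.0.5 203.0.113.9 8443
2024-05-02T09:10:00 10.0.0.5 203.0.113.9 8443
2024-05-02T09:20:00 10.0.0.5 203.0.113.9 8443
2024-05-02T09:31:00 10.0.0.7 192.0.2.5 443
2024-05-02T09:50:00 10.0.0.7 192.0.2.5 443
"""

def parse(text):
    rows = []
    for line in text.splitlines():
        ts, src, dst, dport = line.split()
        rows.append((datetime.fromisoformat(ts), src, dst, int(dport)))
    return rows

def is_outbound(dst):
    return not any(ip_address(dst) in net for net in INTERNAL_NETS)

def build_baseline(rows):
    """Set of (src, dst, dport) triples seen during the learning window."""
    return {(s, d, p) for _, s, d, p in rows if is_outbound(d)}

def find_deviations(rows, baseline, min_hits=3, max_jitter_s=60):
    """Flag outbound triples absent from the baseline; mark a triple as
    possible beaconing when it repeats at near-constant intervals."""
    unseen = defaultdict(list)
    for ts, s, d, p in rows:
        if is_outbound(d) and (s, d, p) not in baseline:
            unseen[(s, d, p)].append(ts)
    findings = []
    for (s, d, p), times in unseen.items():
        times.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        beaconing = len(times) >= max(min_hits, 2) and pstdev(gaps) <= max_jitter_s
        findings.append({"src": s, "dst": d, "dport": p,
                         "hits": len(times), "beaconing": beaconing})
    return findings
```

In practice the baseline window should cover normal business cycles, and a new destination is a lead to investigate against threat intelligence, not a verdict on its own.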
Expert in the Cloud Insight
The most important takeaway from this research is that cyber operations are becoming increasingly industrialised.
The traditional view of a single threat group conducting every stage of an attack is rapidly becoming outdated. Today’s operations resemble business ecosystems where specialised providers contribute malware, infrastructure, access, intelligence, and operational support.
For security leaders, this changes how risk should be evaluated.
The question is no longer whether an organisation is facing a specific threat group. The question is whether it can defend against a marketplace of capabilities that can be assembled on demand.
This trend mirrors legitimate technology industries. Just as organisations purchase cloud services rather than build data centres, threat actors can increasingly purchase malware, infrastructure, stolen data, and access from specialist providers.
The result is a threat landscape that is larger, faster, and more scalable than ever before.
Defending against these ecosystems requires more than technology. It requires visibility, intelligence, strong architecture, and a security strategy designed around resilience rather than prevention alone.