Chinese hackers lead tech sector espionage threats

• Chinese hackers were the top state-backed threat to tech firms.
• eCrime drove 65% of hands-on-keyboard attacks on tech firms.

China-linked hacking groups were the largest state-backed espionage threat to technology companies over the past year, according to a CrowdStrike report published on Tuesday.

The cybersecurity firm said the campaigns were consistent with Chinese government priorities, including technology development, intellectual property, and information with strategic and economic value.

Technology sector sees highest intrusion volume

The report covers activity from April 1, 2025, to March 31, 2026. CrowdStrike said the technology sector remained the most targeted industry by both state-backed groups and financially motivated cybercriminals.

CrowdStrike defines the sector as companies involved in the research, development, distribution, or provision of technology-based goods and services. The category includes hardware, software, networking equipment, IT services, consulting, and semiconductors.

The firm did not name the companies targeted in the activity it tracked.

CrowdStrike said hands-on-keyboard intrusions targeting technology entities accounted for 20% of all interactive intrusions observed in Q1 2026. That was 26% higher than the volume recorded for consulting and professional services, the second most targeted sector.

North America-based technology organisations saw the highest level of targeting during the reporting period. They accounted for 45% of all hands-on-keyboard intrusions targeting the sector.

Activity against technology companies was global but concentrated in several markets, according to CrowdStrike. The highest volumes were observed in Brazil, Canada, Germany, India, Israel, Italy, Taiwan, Thailand, the United Kingdom, and the United States.

Financially motivated cybercriminal activity made up 65% of hands-on-keyboard operations against technology companies. State-sponsored activity accounted for the remaining 35%, a breakdown CrowdStrike said has remained consistent since 2024.

The report said technology companies attract attackers because they hold intellectual property, proprietary data, and sensitive business information. CrowdStrike also said technology providers can serve as entry points for supply chain attacks because of their relationships with downstream customers and partners.

China-linked groups remain the top state-backed threat

Adam Meyers, CrowdStrike’s senior vice president and head of counter adversary operations, said technology companies linked to artificial intelligence were among the high-value targets. He cited major frontier AI labs and smaller developers working on domain-specific models.

On April 23, the White House Office of Science and Technology Policy accused China-based entities of running “deliberate, industrial-scale campaigns” to secretly distill U.S.-developed AI models for their own use.

Meyers said China-linked activity poses a threat to companies developing frontier AI models and smaller firms building domain-specific systems. He added that China intends to achieve global AI dominance by 2030.

The Chinese Embassy in Washington rejected the report’s findings. A spokesperson said China opposes hacking and rejects what it described as “vilification and smears under the pretext of cybersecurity.” The spokesperson also said China supports US-China cooperation on AI development and governance.

North Korean IT worker schemes remain active

CrowdStrike also identified North Korean hacking operations as a major threat to technology companies. The report highlighted schemes in which North Korean operatives use false identities to obtain remote IT roles inside companies.

According to CrowdStrike, salaries from those roles are largely sent back to the North Korean government. The positions also give operatives internal access that can support intelligence collection.

CrowdStrike said FAMOUS CHOLLIMA, a North Korea-linked group, accounted for 47% of all state-sponsored hands-on-keyboard operations targeting the technology sector during the reporting period. The group targeted technology companies and software development entities through fraudulent employment activity across North America, Europe, and Asia.

The report said Russia- and Iran-linked groups also continued to target technology sectors in the US and other countries. Their activity included intelligence collection and, in some cases, destructive malware attacks.

Cybercriminal access markets expand

CrowdStrike also reported increased activity by financially motivated cybercriminal groups targeting technology companies. Initial access broker advertisements for technology targets rose nearly 30% during the reporting period.

Initial access brokers sell access to compromised networks to other threat actors. CrowdStrike said listed prices for technology-sector access ranged from $188 to $50,000. The average price was $3,947.06, while the median price was $1,200.

The report also tracked ransomware and extortion activity against technology companies. CrowdStrike said Big Game Hunting groups named 572 technology entities on data leak sites between April 2025 and March 2026, compared with 582 in the previous reporting period.

Want to learn more about Cloud Computing from industry leaders? Check out Cyber Security & Cloud Expo taking place in Amsterdam, California, and London. The comprehensive event is part of TechEx and is co-located with other leading technology eventsclick here for more information.