EU Sanctions Companies in China, Iran for Cyberattacks
2026-03-19 07:01 | Severity: MEDIUM-HIGH
Executive Summary (AI-generated)
Governments and militaries increasingly run state-level cyber operations through ostensibly private companies. A case in point is China's Integrity Technology Group, a mid-size corporation publicly traded on the Shanghai Stock Exchange, with tens of millions of dollars in annual revenue and around 500 employees, which the European Council has sanctioned for aiding and carrying out cyberattacks in European countries; the Council linked the company to 65,000 compromised devices across six EU countries between 2022 and 2023 alone.
China is not alone in this practice: CrowdStrike's Adam Meyers calls it common, and notes that the People's Liberation Army (PLA) has maintained close connections with China's private sector and academia since the 1990s. One obvious benefit of running cyberattacks through quasi-private institutions is that it affords the state some degree of plausible deniability, while giving its operators flexibility that a government body would struggle to replicate.
The consequences of this trend are far-reaching. Organizations in the targeted sectors (government, telecommunications, healthcare, logistics, maritime, and technology) face a growing risk of data breaches and intellectual property theft, and the use of private companies as instruments of statecraft erodes trust in institutions and raises the prospect of future conflict.
The European Council's sanctions on three ostensibly private companies, two in China and one in Iran, respond to this trend, but they are unlikely to be the last step. As governments grow more aware of the risks, they will likely take further action to protect their citizens and interests. What the consequences will be for the companies that take on this work is already visible, according to Morin: "legitimate businesses, partners, and customers will cut ties to avoid regulatory reprimand."
Technical Mitigations (AI-generated)
* Enforce multi-factor authentication, preferably phishing-resistant, on mail and remote-access accounts; spear-phishing and credential theft are SideWinder's primary initial-access techniques.
* Keep Microsoft Office and Windows fully patched; the group relies on long-patched Office vulnerabilities, so an up-to-date install removes most of its entry points.
* Alert on newly installed Windows services whose binaries, or the DLLs they load, reside in user-writable directories, and on DLL loads from such paths; both map to the group's DLL hijacking and service-based persistence.
* Build detections on behaviour (staged payload delivery, service creation, beaconing patterns) rather than on static indicators alone, because the group rotates command-and-control infrastructure rapidly.
* Use end-to-end encrypted channels for sensitive communications and a VPN on untrusted networks; this raises the cost of credential interception but does not replace the controls above.
Intelligence Metadata
Actors / Malware / CVEs / Campaigns
Campaign: SideWinder Espionage Campaign Expands Across Southeast Asia
Malware: NotPetya, INC Ransomware, Stuxnet
Target & Sectors
Regions: APAC, EUROPE, ASEAN, NORDICS, SOUTH_ASIA
Sectors: healthcare, telecommunications, government, logistics, technology, maritime
Incident Timeline
June 2017
In response to the repeated cyberattacks on Europe in the mid-2010s, the European Council in June 2017 created a "Cyber Diplomacy Toolbox," a general outline of what levers it could pull to rein in these attacks.
May 2019
The EU adopted its framework for cyber-related sanctions, the basis for the listings discussed here. Integrity Technology Group, for instance, is publicly traded on the Shanghai Stock Exchange, with tens of millions of dollars in annual revenue and around 500 employees. For sanctioned companies, Morin says, "legitimate businesses, partners, and customers will cut ties to avoid regulatory reprimand."
late 2025
SideWinder, which the researchers also refer to as RagaSerpent, started targeting Thailand in late 2025 and Indonesia earlier this year, the report stated.
between 2022 and 2023 alone
The European Council linked Integrity Technology Group to 65,000 compromised devices across six European Union (EU) countries between 2022 and 2023 alone.
the mid-2010s
Back in the mid-2010s, Europe suffered repeated, world-historic cyberattacks, which prompted the EU's later diplomatic and sanctions responses.
2026-03-19
EU Sanctions Companies in China, Iran for Cyberattacks. The European Council has imposed sanctions on three ostensibly private companies, two in China and one in Iran, for aiding and carrying out cyberattacks in European countries. One of the two companies based in China, Integrity Technology Group, is a mid-size publicly traded corporation. The most notorious of the bunch, though, is Anxun Information Technology, better known to the West as "iSoon." In addition to the company itself, iSoon's two founders have also been sanctioned as individuals. The Iranian company, transliterated as "Emennet Pasargad," is being punished for hacking a Swedish SMS service, performing a data leak attack against a French organization, and for spreading disinformation via advertising billboards during the 2024 Paris Olympic Games.
"This is common," says Adam Meyers, head of counter adversary operations at CrowdStrike. In China, Meyers says, the People's Liberation Army (PLA) has maintained close connections in the private sector and academia since the 1990s. One obvious benefit of running cyberattacks through quasi-private institutions, for a nation-state, is that it affords some degree of plausible deniability.
Related: China-Nexus Hackers Skulk in Southeast Asian Military Orgs for Years
"The espionage actors operating in this environment are not here for a quick payoff," he says.
Related: SideWinder Espionage Campaign Expands Across Southeast Asia
Recent cyber-espionage activity attributed to the SideWinder threat group suggests that the India-linked operation has expanded across Southeast Asia, including Indonesia and Thailand, while continuing to rely on phishing, credential theft, and infrastructure churn to avoid detection. Active since 2012, the SideWinder APT group has typically focused on South Asian governments, such as those of Bangladesh, Nepal, Pakistan, and Sri Lanka, as well as military organizations and diplomatic entities across South and Southeast Asia; it has more recently broadened its focus to include maritime infrastructure, logistics companies, and a nuclear sector, says Vasily Berdnikov, lead security researcher at Kaspersky's Global Research and Analysis Team (GReAT). While Kaspersky's policy is not to attribute any threat group to a particular nation-state, SideWinder has moved beyond South Asia to compromise targets in other regions, he says.
Easy Entry Points, Post-Compromise Persistence. Despite its decade-plus experience as an espionage actor, the SideWinder group's initial intrusion techniques are not especially complex, say researchers. "These primarily involve spear-phishing and exploiting long-patched MS Office vulnerabilities. ..." The group frequently uses known Microsoft Office flaws and DLL hijacking to establish a foothold, says Berdnikov. SideWinder has built a repeatable workflow around a staged payload delivery, persistence built on top of Windows services, and rapid changes to command-and-control (C2) infrastructure.
Tactical Metrics
* victims: 500 employees (Integrity Technology Group is publicly traded on the Shanghai Stock Exchange, with tens of millions of dollars in annual revenue and around 500 employees.)
* infrastructure: 65,000 compromised devices (The European Council linked the company to 65,000 compromised devices across six European Union (EU) countries between 2022 and 2023 alone.)
* affected product: Microsoft Office (The group frequently uses known Microsoft Office flaws and DLL hijacking to establish a foothold, says Berdnikov.)
* affected product: Windows (SideWinder has built a repeatable workflow around a staged payload delivery, persistence built on top of Windows services, and rapid changes to command-and-control (C2) infrastructure.)
Intelligence Sources
Dark Reading, 2026-03-19
Dark Reading, 2026-03-18
Last Updated: 2026-04-27T11:06
Comprehensive Tactical Telemetry
Highly Correlated Entities (mention count, type, value)
* 25x organisation: EU Sanctions Companies
* 10x country: China
* 9x country: Iran, Islamic Republic of
* 9x temporal reference: the 1990s
* 6x sector: Technology
* 6x organisation: iSoon
* 4x cyber operation type: Ransomware
* 4x region: EUROPE
* 3x malware payload: INC Ransomware
* 3x region: APAC
* 2x affected product: Microsoft Office
Contextual Telemetry (4 metrics)
* victims: 500 employees
* campaign: SideWinder Espionage Campaign Expands Across Southeast Asia
* infrastructure: 65,000 compromised devices
* individuals: 19