VYPR
Research · Published Jun 22, 2026 · 1 source

BindingHook Report Exposes Chinese Cyber Contractor Ecosystem Enabling State Espionage

A new report from BindingHook reveals that Chinese state-sponsored cyber operations rely on a commercial ecosystem of private contractors, botnet operators, and data brokers, a model termed 'composite responsibility.'

China's cyber operations have evolved far beyond what most people imagine when they picture a state-sponsored hacker. Instead of lone government agents breaking into servers, the country now runs an intricate web of private companies, contractors, and data brokers that collectively carry out espionage on behalf of its intelligence services. The scale and sophistication of this ecosystem have surprised even seasoned security researchers.

At the center of this network are private technology firms that develop and sell hacking tools, build botnets, steal data, and resell access to government clients. Operations attributed to groups like Salt Typhoon, Flax Typhoon, and Volt Typhoon reveal how Chinese state-sponsored campaigns now depend on a thriving commercial layer to function. These private players supply everything from malware and network infrastructure to raw stolen data, turning cyber espionage into a marketplace.

Analysts at BindingHook identified a new framework for understanding these operations, calling it 'composite responsibility.' Rather than assigning an entire campaign to one APT label, this model recognizes that a single operation may involve multiple entities, each playing a distinct role and bearing a different level of responsibility. BindingHook's report, shared with Cyber Security News, details how the US and its partners attributed Salt Typhoon, one of the most damaging cyber espionage campaigns against Western telecommunications infrastructure, to at least three China-based private firms.

The leaked internal documents from i-Soon, a Chinese private contractor tied to the Ministry of State Security and Ministry of Public Security, offered a rare window into how this model works. i-Soon employees conducted intrusions as contractors, fed results back to government clients, and managed campaigns targeting at least 14 governments. The leak confirmed that Chinese cyber operations are not monolithic but layered, commercially driven ecosystems.

The privately developed ShadowPad backdoor was sold to multiple suspected PLA units, including RedFoxtrot and Tonto Team, and shared with entities like Chengdu404, whose staff were charged for activity attributed to APT41. This shows that responsibility can extend to the company that commercialized malicious software, not just the hackers who deployed it. The Raptor Train botnet, disrupted by the United States, offers a clear illustration of this contractor model. It was attributed to Chengdu-based Integrity Technology Group, found responsible for developing the botnet and therefore held partly accountable for intrusion activities attributed to Flax Typhoon.

Data brokering adds yet another layer to these operations. Individuals linked to APT27, including Yin Kecheng and Zhou Shuai, conducted hacking campaigns and then sold stolen data to multiple customers, some of which were Chinese government entities. In some cases, data stolen by Yin was resold through i-Soon, introducing additional resale layers between the original intrusion and the end consumer.

Security teams facing these layered threats should begin by mapping all network-connected devices and developing a clear understanding of normal traffic patterns. Using multi-factor authentication, restricting access through allowlists, and adopting zero-trust architectures are all recommended steps for organizations at elevated risk. Real-time threat intelligence feeds can help defenders identify botnet activity before it enables a larger intrusion.
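As an added illustration of the defensive steps above (this is example code written for this page, not from BindingHook's report or the article), the small detector below applies three of them to constructed flow records: it checks each device against an asset inventory, compares outbound destinations with a learned baseline of normal traffic and a network allowlist, and matches destinations against a threat-intelligence feed of botnet indicators. Every device name, address and indicator is a constructed placeholder drawn from documentation IP ranges, not a real IoC.

```python
"""Baseline-and-feed flow detector (added example; all data constructed)."""
from collections import defaultdict
from ipaddress import ip_address, ip_network

# Constructed asset inventory: the network-connected devices the team has mapped.
INVENTORY = {"cam-01", "router-edge"}

# Constructed allowlist of networks these devices are permitted to reach.
ALLOWLIST = [ip_network("10.0.0.0/8"), ip_network("203.0.113.0/24")]

# Constructed threat-intelligence feed (documentation-range IPs, not real indicators).
THREAT_FEED = {
    "198.51.100.7": "constructed-botnet-relay",
    "198.51.100.9": "constructed-c2",
}

# Constructed flow records in the form "<device> <destination-ip> <bytes-out>".
BASELINE_LOG = [
    "cam-01 10.0.5.20 1200",
    "cam-01 203.0.113.10 800",
    "router-edge 10.0.5.20 5000",
]
LIVE_LOG = [
    "cam-01 10.0.5.20 1300",        # known destination: no alert
    "cam-01 203.0.113.44 900",      # allowlisted but never seen before
    "cam-01 198.51.100.7 40000",    # matches the threat feed
    "router-edge 192.0.2.55 700",   # outside the allowlist
    "unknown-box 10.0.5.20 100",    # device missing from the inventory
]


def parse_flow(line):
    """Parse one flow record into (device, dst, bytes_out); raises on malformed input."""
    device, dst, bytes_out = line.split()
    ip_address(dst)  # raises ValueError if the destination is not an IP address
    return device, dst, int(bytes_out)


def build_baseline(lines):
    """Learn the set of destinations each device normally talks to."""
    baseline = defaultdict(set)
    for line in lines:
        device, dst, _ = parse_flow(line)
        baseline[device].add(dst)
    return dict(baseline)


def analyze(lines, baseline, inventory=INVENTORY, allowlist=ALLOWLIST, feed=THREAT_FEED):
    """Return one alert dict per flow that deviates from inventory, allowlist, baseline or feed."""
    alerts = []
    for line in lines:
        device, dst, bytes_out = parse_flow(line)
        reasons = []
        if dst in feed:
            reasons.append("threat-intel:" + feed[dst])
        if device not in inventory:
            reasons.append("device-not-in-inventory")
        addr = ip_address(dst)
        if not any(addr in net for net in allowlist):
            reasons.append("not-in-allowlist")
        if dst not in baseline.get(device, set()):
            reasons.append("new-destination")
        if not reasons:
            continue
        # Severity: a feed hit outranks a policy violation, which outranks mere novelty.
        if any(r.startswith("threat-intel:") for r in reasons):
            severity = "high"
        elif "not-in-allowlist" in reasons or "device-not-in-inventory" in reasons:
            severity = "medium"
        else:
            severity = "low"
        alerts.append({"device": device, "dst": dst, "bytes_out": bytes_out,
                       "severity": severity, "reasons": reasons})
    return alerts


if __name__ == "__main__":
    for alert in analyze(LIVE_LOG, build_baseline(BASELINE_LOG)):
        print(alert)
```

The baseline is learned from a training window and the allowlist is a policy decision, so the two disagree on purpose: a destination can be allowlisted yet new (a low-severity alert worth logging) or seen before yet outside policy. In practice the feed lookup would be replaced by a real threat-intelligence source and the flow records by exported NetFlow or firewall logs.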

Synthesized by Vypr AI